hermes-agent

mirrors/hermes-agent

Fork 0

mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-06-09 08:21:50 +00:00

Commit graph

Author	SHA1	Message	Date
Ben	ed9e8ba097	feat(dashboard-auth): add pluggable password (non-redirect) login The dashboard auth gate was OAuth-only: a DashboardAuthProvider could authenticate only via a redirect to an IDP (start_login -> /auth/callback -> complete_login). There was no first-class path for username/password auth, so self-hosters who just want a password on their dashboard had no clean option short of an external OAuth IDP. Extend the provider framework with a parallel, non-redirect front door that converges on the same Session + cookie + refresh machinery: - base.py: add the optional supports_password flag and complete_password_login(username, password) -> Session (default raises NotImplementedError so an OAuth-only provider that forgets the flag fails loudly). Add InvalidCredentialsError. OAuth providers are unaffected (flag defaults False; the method is never called). - routes.py: add POST /auth/password-login, mirroring the cookie-minting tail of /auth/callback but skipping PKCE/state/code. Returns JSON {ok, next} (the form POSTs via fetch). Generic 401 for both unknown user and wrong password (no enumeration oracle); 404 hides whether a provider exists or supports passwords; per-IP sliding-window rate limit (10/min -> 429). /api/auth/providers now reports supports_password so the login page can branch. - middleware.py: allowlist /auth/password-login (a bootstrap route). verify/refresh/revoke/ws-tickets/logout need zero changes — a password session is just a Session with provider-minted opaque tokens. - login_page.py: render a credential form (instead of a redirect button) for supports_password providers, wired by a small inline script that POSTs to /auth/password-login and navigates on success. OAuth-only pages stay script-free.	2026-06-04 01:02:25 -07:00
Ben	2dc6d03a3d	feat(dashboard-auth): define DashboardAuthProvider ABC + Session dataclass Phase 1, Task 1.1. New package hermes_cli/dashboard_auth/ contains: base.py - DashboardAuthProvider ABC with 5 abstract methods (start_login, complete_login, verify_session, refresh_session, revoke_session), Session + LoginStart frozen dataclasses, three exception types (ProviderError / InvalidCodeError / RefreshExpiredError), and assert_protocol_compliance() for plugins to call in their own tests. registry.py - Module-level register/get/list/clear with a lock. Nothing reads the registry yet — Phase 2 adds the StubAuthProvider and Phase 3 wires the gate middleware. The plugin hook lands in Task 1.3.	2026-05-27 02:12:27 -07:00

Author

SHA1

Message

Date

Ben

ed9e8ba097

feat(dashboard-auth): add pluggable password (non-redirect) login

The dashboard auth gate was OAuth-only: a DashboardAuthProvider could
authenticate only via a redirect to an IDP (start_login -> /auth/callback
-> complete_login). There was no first-class path for username/password
auth, so self-hosters who just want a password on their dashboard had no
clean option short of an external OAuth IDP.

Extend the provider framework with a parallel, non-redirect front door
that converges on the same Session + cookie + refresh machinery:

  - base.py: add the optional supports_password flag and
    complete_password_login(username, password) -> Session (default
    raises NotImplementedError so an OAuth-only provider that forgets the
    flag fails loudly). Add InvalidCredentialsError. OAuth providers are
    unaffected (flag defaults False; the method is never called).
  - routes.py: add POST /auth/password-login, mirroring the cookie-minting
    tail of /auth/callback but skipping PKCE/state/code. Returns JSON
    {ok, next} (the form POSTs via fetch). Generic 401 for both unknown
    user and wrong password (no enumeration oracle); 404 hides whether a
    provider exists or supports passwords; per-IP sliding-window rate
    limit (10/min -> 429). /api/auth/providers now reports
    supports_password so the login page can branch.
  - middleware.py: allowlist /auth/password-login (a bootstrap route).
    verify/refresh/revoke/ws-tickets/logout need zero changes — a password
    session is just a Session with provider-minted opaque tokens.
  - login_page.py: render a credential form (instead of a redirect button)
    for supports_password providers, wired by a small inline script that
    POSTs to /auth/password-login and navigates on success. OAuth-only
    pages stay script-free.

2026-06-04 01:02:25 -07:00

Ben

2dc6d03a3d

feat(dashboard-auth): define DashboardAuthProvider ABC + Session dataclass

Phase 1, Task 1.1. New package hermes_cli/dashboard_auth/ contains:

  base.py     - DashboardAuthProvider ABC with 5 abstract methods
                (start_login, complete_login, verify_session,
                refresh_session, revoke_session), Session + LoginStart
                frozen dataclasses, three exception types
                (ProviderError / InvalidCodeError / RefreshExpiredError),
                and assert_protocol_compliance() for plugins to call
                in their own tests.
  registry.py - Module-level register/get/list/clear with a lock.

Nothing reads the registry yet — Phase 2 adds the StubAuthProvider and
Phase 3 wires the gate middleware. The plugin hook lands in Task 1.3.

2026-05-27 02:12:27 -07:00

2 commits