Source code for cata_log_hub.security
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Cata-Log - the central hub for digital flyers
# Copyright (C) 2026 David Aderbauer & The Cata-Log Contributors
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
import secrets
from fastapi import Depends, Request, status
from fastapi.exceptions import HTTPException
from fastapi.security import HTTPBasic, HTTPBasicCredentials
from cata_log_hub.settings import get_settings
http_basic_security = HTTPBasic(auto_error=False)
depends_http_basic_security = Depends(http_basic_security)
UNPROTECTED_PATHS = ("/health",)
[docs]
def get_credentials() -> tuple[str, str | None]:
"""Get the credentials from the environment.
Returns:
Username and password.
"""
settings = get_settings()
return settings.username, settings.password
[docs]
def verify_credentials(
request: Request,
credentials: HTTPBasicCredentials | None = depends_http_basic_security,
) -> None:
"""Verify credentials given by the user.
Args:
request: The request that needs to be authenticated.
credentials: The user-given credentials.
"""
if get_settings().public_get and request.method == "GET":
return
if request.url.path in UNPROTECTED_PATHS:
return
username, password = get_credentials()
if (
(credentials is None)
or not password
or not (
secrets.compare_digest(credentials.username, username)
and secrets.compare_digest(credentials.password, password)
)
):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid credentials",
headers={"WWW-Authenticate": "Basic"},
)