From the auth /security-review (contained fixes; architectural SA3 proxy-trust + SA4 session-revocation deferred to the user): - SB1: encrypt the OAuth access_token at rest (was plaintext while refresh_token was encrypted) — a ~1h Google bearer credential. New security.decrypt_optional() falls back to a refresh for legacy plaintext tokens; column is unbounded String. E2E-verified: token refreshed → stored as Fernet ciphertext → 319-subscription YouTube sync succeeded. - SA5: password_login is no longer a timing/enumeration oracle — it always runs argon2 (against a decoy hash for unknown/passwordless emails), so response time can't reveal whether an account exists. - SB2: Google login only ADOPTS+activates a pre-existing password account when Google actually attests email_verified (defense-in-depth against takeover); and the email sync won't overwrite with a value another account owns (avoids a 500). - demo_login clears the wallet first (demo can't switch to / act as a real account via the multi-account header); switch_account rejects a suspended target (which would otherwise clear the whole session on the next request). Re-review clean; ruff clean; localdev boots; YouTube auth path E2E-verified.
160 lines
6.2 KiB
Python
160 lines
6.2 KiB
Python
from fastapi import APIRouter, BackgroundTasks, Depends, HTTPException, Request
|
|
from sqlalchemy import func, select
|
|
from sqlalchemy.orm import Session
|
|
|
|
from app.auth import (
|
|
count_admins,
|
|
current_user,
|
|
google_enabled,
|
|
has_read_scope,
|
|
has_write_scope,
|
|
is_allowed,
|
|
optional_current_user,
|
|
purge_user,
|
|
)
|
|
from app import sysconfig
|
|
from app.db import get_db
|
|
from app.models import Invite, User
|
|
|
|
router = APIRouter(prefix="/api/me", tags=["me"])
|
|
|
|
|
|
@router.get("/accounts")
|
|
def my_accounts(
|
|
request: Request,
|
|
user: User = Depends(current_user),
|
|
db: Session = Depends(get_db),
|
|
) -> list[dict]:
|
|
"""The accounts that have authenticated in this browser session (switchable without a
|
|
new Google sign-in). The active one is flagged."""
|
|
ids = request.session.get("account_ids") or [user.id]
|
|
rows = {u.id: u for u in db.query(User).filter(User.id.in_(ids)).all()}
|
|
out = []
|
|
for uid in ids: # preserve recency order from the session
|
|
u = rows.get(uid)
|
|
if u is not None:
|
|
out.append(
|
|
{
|
|
"id": u.id,
|
|
"email": u.email,
|
|
"display_name": u.display_name,
|
|
"avatar_url": u.avatar_url,
|
|
"active": u.id == user.id,
|
|
}
|
|
)
|
|
return out
|
|
|
|
|
|
@router.post("/switch")
|
|
def switch_account(
|
|
payload: dict,
|
|
request: Request,
|
|
user: User = Depends(current_user),
|
|
db: Session = Depends(get_db),
|
|
) -> dict:
|
|
"""Switch the active account to another one already authenticated in this browser. No
|
|
Google round-trip — but only accounts present in the session list (proof they signed in
|
|
here) are allowed, and access is re-checked in case the invite was revoked since."""
|
|
target = payload.get("user_id")
|
|
if target not in (request.session.get("account_ids") or []):
|
|
raise HTTPException(status_code=403, detail="Not an account you've signed into here.")
|
|
u = db.get(User, target)
|
|
if u is None:
|
|
raise HTTPException(status_code=404, detail="That account no longer exists.")
|
|
if not is_allowed(db, u.email):
|
|
raise HTTPException(status_code=403, detail="That account no longer has access.")
|
|
if u.is_suspended:
|
|
# Don't make a suspended account the active one — the next request's current_user would
|
|
# see the suspension and clear the WHOLE wallet session, logging out every account here.
|
|
raise HTTPException(status_code=403, detail="That account is suspended.")
|
|
request.session["user_id"] = target
|
|
return {"ok": True, "user_id": target}
|
|
|
|
|
|
@router.get("")
|
|
def get_me(
|
|
user: User | None = Depends(optional_current_user), db: Session = Depends(get_db)
|
|
) -> dict:
|
|
# The app's bootstrap probe: return 200 with `authenticated: False` when logged out (rather
|
|
# than 401) so the public landing never logs a failed /api/me to the browser console. Other
|
|
# protected endpoints still 401, so mid-session expiry is still caught by the global handler.
|
|
if user is None:
|
|
return {"authenticated": False}
|
|
pending_invites = 0
|
|
if user.role == "admin":
|
|
pending_invites = (
|
|
db.scalar(
|
|
select(func.count())
|
|
.select_from(Invite)
|
|
.where(Invite.status == "pending")
|
|
)
|
|
or 0
|
|
)
|
|
return {
|
|
"authenticated": True,
|
|
"id": user.id,
|
|
"email": user.email,
|
|
"display_name": user.display_name,
|
|
"avatar_url": user.avatar_url,
|
|
"role": user.role,
|
|
"is_demo": user.is_demo,
|
|
"has_google": user.google_sub is not None,
|
|
"has_password": user.password_hash is not None,
|
|
# Instance-wide: whether Google sign-in / YouTube connect is available at all (the UI hides
|
|
# YouTube-access affordances and the onboarding nudge when it isn't configured).
|
|
"google_enabled": google_enabled(db),
|
|
# Whether the optional Plex module is enabled (UI shows the Plex feed source when so).
|
|
"plex_enabled": sysconfig.get_bool(db, "plex_enabled"),
|
|
"can_read": has_read_scope(user),
|
|
"can_write": has_write_scope(user),
|
|
"pending_invites": pending_invites,
|
|
"preferences": user.preferences or {},
|
|
}
|
|
|
|
|
|
@router.delete("/account")
|
|
def delete_my_account(
|
|
request: Request,
|
|
background: BackgroundTasks,
|
|
user: User = Depends(current_user),
|
|
db: Session = Depends(get_db),
|
|
) -> dict:
|
|
"""GDPR self-service erasure: permanently delete the signed-in account and ALL its personal
|
|
data — OAuth tokens, subscriptions, tags, watch/save/hide states, playlists, notifications —
|
|
which all cascade on the users row. Quota-audit events are kept but anonymised (FK SET NULL).
|
|
The shared demo account can't be deleted, and the last remaining admin can't delete itself
|
|
(that would lock everyone out of the admin surfaces)."""
|
|
if user.is_demo:
|
|
raise HTTPException(status_code=403, detail="The shared demo account can't be deleted.")
|
|
if user.role == "admin" and count_admins(db) <= 1:
|
|
raise HTTPException(
|
|
status_code=400,
|
|
detail="You're the only admin — promote another admin before deleting your account.",
|
|
)
|
|
user_id = user.id
|
|
# Full erasure (cascades) + access-request cleanup + Google-grant revocation; shared with the
|
|
# admin delete path. Capture the id first — `user` is detached once purge_user deletes the row.
|
|
purge_user(db, user, background)
|
|
# Drop this account from the browser session; switch to another signed-in account if any.
|
|
remaining = [a for a in (request.session.get("account_ids") or []) if a != user_id]
|
|
if remaining:
|
|
request.session["account_ids"] = remaining
|
|
request.session["user_id"] = remaining[-1]
|
|
else:
|
|
request.session.clear()
|
|
return {"deleted": True}
|
|
|
|
|
|
@router.put("/preferences")
|
|
def update_preferences(
|
|
preferences: dict,
|
|
user: User = Depends(current_user),
|
|
db: Session = Depends(get_db),
|
|
) -> dict:
|
|
# Merge so partial updates don't wipe other keys.
|
|
merged = dict(user.preferences or {})
|
|
merged.update(preferences)
|
|
user.preferences = merged
|
|
db.add(user)
|
|
db.commit()
|
|
return {"preferences": merged}
|