feat: add authentik jwt verification and me endpoints

2026-03-29 23:06:19 +08:00
parent c94b790714
commit 2b81fd01c3
12 changed files with 220 additions and 0 deletions
--- a/.env
+++ b/.env
@@ -11,6 +11,9 @@ DB_PASSWORD=CHANGE_ME
 AUTHENTIK_BASE_URL=
 AUTHENTIK_ADMIN_TOKEN=
 AUTHENTIK_VERIFY_TLS=false
+AUTHENTIK_ISSUER=
+AUTHENTIK_JWKS_URL=
+AUTHENTIK_AUDIENCE=

 PUBLIC_FRONTEND_ORIGINS=https://member.ose.tw,https://mkt.ose.tw,https://admin.ose.tw
 INTERNAL_SHARED_SECRET=CHANGE_ME
--- a/.env.example
+++ b/.env.example
@@ -11,6 +11,9 @@ DB_PASSWORD=CHANGE_ME
 AUTHENTIK_BASE_URL=
 AUTHENTIK_ADMIN_TOKEN=
 AUTHENTIK_VERIFY_TLS=false
+AUTHENTIK_ISSUER=
+AUTHENTIK_JWKS_URL=
+AUTHENTIK_AUDIENCE=

 PUBLIC_FRONTEND_ORIGINS=https://member.ose.tw,https://mkt.ose.tw,https://admin.ose.tw
 INTERNAL_SHARED_SECRET=CHANGE_ME
--- a/.env.production.example
+++ b/.env.production.example
@@ -11,6 +11,9 @@ DB_PASSWORD=CHANGE_ME
 AUTHENTIK_BASE_URL=
 AUTHENTIK_ADMIN_TOKEN=
 AUTHENTIK_VERIFY_TLS=false
+AUTHENTIK_ISSUER=
+AUTHENTIK_JWKS_URL=
+AUTHENTIK_AUDIENCE=

 PUBLIC_FRONTEND_ORIGINS=https://member.ose.tw,https://mkt.ose.tw,https://admin.ose.tw
 INTERNAL_SHARED_SECRET=CHANGE_ME
--- a/README.md
+++ b/README.md
@@ -15,10 +15,25 @@ uvicorn app.main:app --host 127.0.0.1 --port 8000 --reload

 1. Initialize API client whitelist table with `docs/API_CLIENTS_SQL.sql`.
 2. Initialize core tables with `backend/scripts/init_schema.sql`.
+3. Generate `api_key_hash` and update `api_clients` records, e.g.:
+
+```bash
+python scripts/generate_api_key_hash.py 'YOUR_PLAIN_KEY'
+```
+
+## Authentik JWT setup
+
+- Configure at least one of:
+  - `AUTHENTIK_JWKS_URL`
+  - `AUTHENTIK_ISSUER` (the service infers `<issuer>/jwks/`)
+- Optional:
+  - `AUTHENTIK_AUDIENCE` (enables audience claim validation)

 ## Main APIs

 - `GET /healthz`
+- `GET /me` (Bearer token required)
+- `GET /me/permissions/snapshot` (Bearer token required)
 - `POST /internal/users/upsert-by-sub`
 - `GET /internal/permissions/{authentik_sub}/snapshot`
 - `POST /admin/permissions/grant`
--- a/app/api/me.py
+++ b/app/api/me.py
@@ -0,0 +1,46 @@
+from fastapi import APIRouter, Depends
+from sqlalchemy.orm import Session
+
+from app.db.session import get_db
+from app.repositories.permissions_repo import PermissionsRepository
+from app.repositories.users_repo import UsersRepository
+from app.schemas.auth import AuthentikPrincipal, MeSummaryResponse
+from app.schemas.permissions import PermissionSnapshotResponse
+from app.security.authentik_jwt import require_authenticated_principal
+from app.services.permission_service import PermissionService
+
+router = APIRouter(prefix="/me", tags=["me"])
+
+
+@router.get("", response_model=MeSummaryResponse)
+def get_me(
+    principal: AuthentikPrincipal = Depends(require_authenticated_principal),
+    db: Session = Depends(get_db),
+) -> MeSummaryResponse:
+    users_repo = UsersRepository(db)
+    user = users_repo.upsert_by_sub(
+        authentik_sub=principal.sub,
+        email=principal.email,
+        display_name=principal.name or principal.preferred_username,
+        is_active=True,
+    )
+    return MeSummaryResponse(sub=user.authentik_sub, email=user.email, display_name=user.display_name)
+
+
+@router.get("/permissions/snapshot", response_model=PermissionSnapshotResponse)
+def get_my_permission_snapshot(
+    principal: AuthentikPrincipal = Depends(require_authenticated_principal),
+    db: Session = Depends(get_db),
+) -> PermissionSnapshotResponse:
+    users_repo = UsersRepository(db)
+    perms_repo = PermissionsRepository(db)
+
+    user = users_repo.upsert_by_sub(
+        authentik_sub=principal.sub,
+        email=principal.email,
+        display_name=principal.name or principal.preferred_username,
+        is_active=True,
+    )
+    permissions = perms_repo.list_by_user_id(user.id)
+    tuples = [(p.scope_type, p.scope_id, p.module, p.action) for p in permissions]
+    return PermissionService.build_snapshot(authentik_sub=principal.sub, permissions=tuples)
--- a/app/core/config.py
+++ b/app/core/config.py
@@ -20,6 +20,9 @@ class Settings(BaseSettings):
    authentik_base_url: str = ""
    authentik_admin_token: str = ""
    authentik_verify_tls: bool = False
+    authentik_issuer: str = ""
+    authentik_jwks_url: str = ""
+    authentik_audience: str = ""

    public_frontend_origins: Annotated[list[str], NoDecode] = ["https://member.ose.tw"]
    internal_shared_secret: str = ""
--- a/app/main.py
+++ b/app/main.py
@@ -2,6 +2,7 @@ from fastapi import FastAPI

 from app.api.admin import router as admin_router
 from app.api.internal import router as internal_router
+from app.api.me import router as me_router

 app = FastAPI(title="memberapi.ose.tw", version="0.1.0")

@@ -13,3 +14,4 @@ def healthz() -> dict[str, str]:

 app.include_router(internal_router)
 app.include_router(admin_router)
+app.include_router(me_router)
--- a/app/schemas/auth.py
+++ b/app/schemas/auth.py
@@ -0,0 +1,14 @@
+from pydantic import BaseModel
+
+
+class AuthentikPrincipal(BaseModel):
+    sub: str
+    email: str | None = None
+    name: str | None = None
+    preferred_username: str | None = None
+
+
+class MeSummaryResponse(BaseModel):
+    sub: str
+    email: str | None = None
+    display_name: str | None = None
--- a/app/security/authentik_jwt.py
+++ b/app/security/authentik_jwt.py
@@ -0,0 +1,84 @@
+from __future__ import annotations
+
+from functools import lru_cache
+
+import jwt
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+from app.core.config import get_settings
+from app.schemas.auth import AuthentikPrincipal
+
+bearer_scheme = HTTPBearer(auto_error=False)
+
+
+class AuthentikTokenVerifier:
+    def __init__(self, issuer: str | None, jwks_url: str | None, audience: str | None) -> None:
+        self.issuer = issuer.strip() if issuer else None
+        self.jwks_url = jwks_url.strip() if jwks_url else self._infer_jwks_url(self.issuer)
+        self.audience = audience.strip() if audience else None
+
+        if not self.jwks_url:
+            raise ValueError("AUTHENTIK_JWKS_URL or AUTHENTIK_ISSUER is required")
+
+        self._jwk_client = jwt.PyJWKClient(self.jwks_url)
+
+    @staticmethod
+    def _infer_jwks_url(issuer: str | None) -> str | None:
+        if not issuer:
+            return None
+        normalized = issuer.rstrip("/") + "/"
+        if normalized.endswith("/jwks/"):
+            return normalized
+        return normalized + "jwks/"
+
+    def verify_access_token(self, token: str) -> AuthentikPrincipal:
+        try:
+            signing_key = self._jwk_client.get_signing_key_from_jwt(token)
+            options = {
+                "verify_signature": True,
+                "verify_exp": True,
+                "verify_aud": bool(self.audience),
+                "verify_iss": bool(self.issuer),
+            }
+            claims = jwt.decode(
+                token,
+                signing_key.key,
+                algorithms=["RS256", "RS384", "RS512"],
+                audience=self.audience,
+                issuer=self.issuer,
+                options=options,
+            )
+        except Exception as exc:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid_bearer_token") from exc
+
+        sub = claims.get("sub")
+        if not sub:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="token_missing_sub")
+
+        return AuthentikPrincipal(
+            sub=sub,
+            email=claims.get("email"),
+            name=claims.get("name"),
+            preferred_username=claims.get("preferred_username"),
+        )
+
+
+@lru_cache
+def _get_verifier() -> AuthentikTokenVerifier:
+    settings = get_settings()
+    return AuthentikTokenVerifier(
+        issuer=settings.authentik_issuer,
+        jwks_url=settings.authentik_jwks_url,
+        audience=settings.authentik_audience,
+    )
+
+
+def require_authenticated_principal(
+    credentials: HTTPAuthorizationCredentials | None = Depends(bearer_scheme),
+) -> AuthentikPrincipal:
+    if credentials is None or credentials.scheme.lower() != "bearer":
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="missing_bearer_token")
+
+    verifier = _get_verifier()
+    return verifier.verify_access_token(credentials.credentials)
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -11,6 +11,7 @@ dependencies = [
  "pydantic-settings>=2.11.0",
  "python-dotenv>=1.1.1",
  "passlib[bcrypt]>=1.7.4",
+  "pyjwt[crypto]>=2.10.1",
 ]

 [project.optional-dependencies]
--- a/scripts/generate_api_key_hash.py
+++ b/scripts/generate_api_key_hash.py
@@ -0,0 +1,29 @@
+#!/usr/bin/env python3
+import argparse
+import hashlib
+
+from passlib.context import CryptContext
+
+pwd_context = CryptContext(schemes=["argon2", "bcrypt"], deprecated="auto")
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser(description="Generate API key hash for api_clients table")
+    parser.add_argument("api_key", help="Plain API key")
+    parser.add_argument(
+        "--algo",
+        choices=["argon2", "bcrypt", "sha256"],
+        default="argon2",
+        help="Hash algorithm (default: argon2)",
+    )
+    args = parser.parse_args()
+
+    if args.algo == "sha256":
+        print("sha256:" + hashlib.sha256(args.api_key.encode("utf-8")).hexdigest())
+        return
+
+    print(pwd_context.hash(args.api_key, scheme=args.algo))
+
+
+if __name__ == "__main__":
+    main()
--- a/tests/test_authentik_jwt.py
+++ b/tests/test_authentik_jwt.py
@@ -0,0 +1,17 @@
+from fastapi.testclient import TestClient
+
+from app.main import app
+from app.security.authentik_jwt import AuthentikTokenVerifier
+
+
+def test_infer_jwks_url() -> None:
+    assert AuthentikTokenVerifier._infer_jwks_url("https://auth.ose.tw/application/o/member/") == (
+        "https://auth.ose.tw/application/o/member/jwks/"
+    )
+
+
+def test_me_requires_bearer_token() -> None:
+    client = TestClient(app)
+    resp = client.get("/me")
+    assert resp.status_code == 401
+    assert resp.json()["detail"] == "missing_bearer_token"