import logging import secrets import httpx from fastapi import APIRouter, HTTPException, status from app.core.config import get_settings from app.schemas.login import ( LoginRequest, LoginResponse, OIDCAuthUrlResponse, OIDCCodeExchangeRequest, ) router = APIRouter(prefix="/auth", tags=["auth"]) logger = logging.getLogger(__name__) def _resolve_username_by_email(settings, email: str) -> str | None: # Authentik-only helper. Keycloak does not need this path. if settings.use_keycloak: return None if not settings.authentik_base_url or not settings.authentik_admin_token: return None url = urljoin(settings.authentik_base_url.rstrip("/") + "/", "api/v3/core/users/") try: resp = httpx.get( url, params={"email": email}, timeout=10, verify=settings.authentik_verify_tls, headers={ "Authorization": f"Bearer {settings.authentik_admin_token}", "Accept": "application/json", }, ) except Exception: return None if resp.status_code >= 400: return None data = resp.json() results = data.get("results") if isinstance(data, dict) else None if not isinstance(results, list) or not results: return None username = results[0].get("username") return username if isinstance(username, str) and username else None @router.post("/login", response_model=LoginResponse) def login(payload: LoginRequest) -> LoginResponse: settings = get_settings() client_id = settings.idp_client_id or settings.idp_audience if not settings.idp_base_url or not client_id or not settings.idp_client_secret: raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="authentik_login_not_configured") token_endpoint = settings.idp_token_endpoint form = { "grant_type": "password", "client_id": client_id, "client_secret": settings.idp_client_secret, "username": payload.username, "password": payload.password, "scope": "openid profile email", } def _token_request(form_data: dict[str, str]) -> httpx.Response: resp = httpx.post( token_endpoint, data=form_data, timeout=10, verify=settings.idp_verify_tls, headers={"Content-Type": "application/x-www-form-urlencoded"}, ) return resp try: resp = _token_request(form) except Exception as exc: raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_unreachable") from exc # If user entered email, try resolving username and retry once. if resp.status_code >= 400 and "@" in payload.username: resolved = _resolve_username_by_email(settings, payload.username) if resolved and resolved != payload.username: form["username"] = resolved try: resp = _token_request(form) except Exception as exc: raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_unreachable") from exc if resp.status_code >= 400: logger.warning("idp password grant failed: status=%s body=%s", resp.status_code, resp.text) raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid_username_or_password") data = resp.json() token = data.get("access_token") if not token: raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_missing_access_token") return LoginResponse( access_token=token, token_type=data.get("token_type", "Bearer"), expires_in=data.get("expires_in"), scope=data.get("scope"), ) @router.get("/oidc/url", response_model=OIDCAuthUrlResponse) def get_oidc_authorize_url( redirect_uri: str, login_hint: str | None = None, prompt: str = "login", idp_hint: str | None = None, code_challenge: str | None = None, code_challenge_method: str | None = None, ) -> OIDCAuthUrlResponse: settings = get_settings() client_id = settings.idp_client_id or settings.idp_audience if not settings.idp_base_url or not client_id: raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="authentik_login_not_configured") authorize_endpoint = settings.idp_authorize_endpoint state = secrets.token_urlsafe(24) query = { "client_id": client_id, "response_type": "code", "scope": "openid profile email", "redirect_uri": redirect_uri, "state": state, "prompt": prompt or "login", } if login_hint: query["login_hint"] = login_hint if idp_hint and settings.use_keycloak: query["kc_idp_hint"] = idp_hint if code_challenge: query["code_challenge"] = code_challenge query["code_challenge_method"] = code_challenge_method or "S256" params = httpx.QueryParams(query) return OIDCAuthUrlResponse(authorize_url=f"{authorize_endpoint}?{params}") @router.post("/oidc/exchange", response_model=LoginResponse) def exchange_oidc_code(payload: OIDCCodeExchangeRequest) -> LoginResponse: settings = get_settings() client_id = settings.idp_client_id or settings.idp_audience if not settings.idp_base_url or not client_id or not settings.idp_client_secret: raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="authentik_login_not_configured") token_endpoint = settings.idp_token_endpoint form = { "grant_type": "authorization_code", "client_id": client_id, "client_secret": settings.idp_client_secret, "code": payload.code, "redirect_uri": payload.redirect_uri, } if payload.code_verifier: form["code_verifier"] = payload.code_verifier try: resp = httpx.post( token_endpoint, data=form, timeout=10, verify=settings.idp_verify_tls, headers={"Content-Type": "application/x-www-form-urlencoded"}, ) except Exception as exc: raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_unreachable") from exc if resp.status_code >= 400: logger.warning("idp auth-code exchange failed: status=%s body=%s", resp.status_code, resp.text) raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="authentik_code_exchange_failed") data = resp.json() token = data.get("access_token") if not token: raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="authentik_missing_access_token") return LoginResponse( access_token=token, token_type=data.get("token_type", "Bearer"), expires_in=data.get("expires_in"), scope=data.get("scope"), )