member/member-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(auth): use group-only admin access and remove admin api-key flow from frontend/admin routes

Browse Source
This commit is contained in:
Chris
2026-03-30 21:39:43 +08:00
parent 15eee2fc9a
commit e1a6bbd844
11 changed files with 6 additions and 168 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
backend/app/security/admin_guard.py
View File

@@ -9,18 +9,14 @@ def require_admin_principal(
principal: AuthentikPrincipal = Depends(require_authenticated_principal),
) -> AuthentikPrincipal:
settings = get_settings()
allowed_emails = {email.lower() for email in settings.admin_allowlist_emails}
allowed_subs = set(settings.admin_allowlist_subs)
required_groups = {group.lower() for group in settings.admin_required_groups}
if not allowed_emails and not allowed_subs and not required_groups:
if not required_groups:
raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="admin_policy_not_configured")
email_ok = bool(principal.email and principal.email.lower() in allowed_emails)
sub_ok = principal.sub in allowed_subs
principal_groups = {group.lower() for group in principal.groups}
group_ok = bool(required_groups.intersection(principal_groups))
if not (email_ok or sub_ok or group_ok):
if not group_ok:
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="admin_forbidden")
return principal