Roman/ohm_streaming
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

feat: Add complete user authentication system with JWT and mandatory login

Browse Source 
Implemented a comprehensive authentication system requiring all users to be
logged in to access the web interface. Features include:

Backend:
- JWT-based authentication with 7-day token expiration
- bcrypt password hashing with 72-byte limit handling
- User management with JSON file storage (config/users.json)
- Pydantic models for validation (UserCreate, UserLogin, User, Token)
- Authentication endpoints: register, login, me, logout
- Protected route dependency with HTTPBearer security

Frontend:
- Login/register page with dual-tab interface (/login)
- Client-side authentication check with automatic redirect
- All content hidden by default, shown only after auth validation
- User info display with logout button
- Main content and tabs hidden when not authenticated
- Auto-redirect to /login if token missing or invalid

Security:
- Password truncation to 72 bytes (bcrypt limitation)
- Token verification on each page load
- Automatic logout and redirect on token expiry
- Username-to-SHA256 user ID generation

Dependencies:
- passlib[bcrypt]==1.7.4
- python-jose[cryptography]==3.3.0
- bcrypt<4.0

Generated with [Claude Code](https://claude.com/claude-code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
This commit is contained in:
root
2026-01-29 17:25:50 +00:00
parent c1c31d7685
commit ef72e221be
10 changed files with 974 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
main.py
+177 -3
View File
@@ -1,17 +1,18 @@
from fastapi import FastAPI, UploadFile, File, BackgroundTasks, HTTPException, Query, Request
from fastapi import FastAPI, UploadFile, File, BackgroundTasks, HTTPException, Query, Request, Depends, status
from fastapi.responses import StreamingResponse, FileResponse, JSONResponse, Response
from fastapi.responses import HTMLResponse
from fastapi.middleware.cors import CORSMiddleware
from fastapi.staticfiles import StaticFiles
from fastapi.templating import Jinja2Templates
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
import uvicorn
import logging
from pathlib import Path
from typing import List
from typing import List, Optional
import shutil
import os
import re
from datetime import datetime
from datetime import datetime, timedelta
from urllib.parse import quote
logger = logging.getLogger(__name__)
@@ -30,8 +31,13 @@ from app.models.sonarr import (
SonarrMapping,
SonarrDownloadRequest
)
from app.models.auth import UserCreate, UserLogin, User, Token
from app.auth import user_manager, create_access_token, verify_token, get_current_user
from app.utils import sanitize_filename, is_safe_filename
# Security
security = HTTPBearer()
app = FastAPI(title="Ohm Stream Downloader")
# Configure CORS
@@ -151,12 +157,180 @@ async def health():
return {"status": "healthy"}
# ==================== AUTHENTICATION API ====================
async def get_current_user_from_token(credentials: HTTPAuthorizationCredentials = Depends(security)):
"""Dependency to get current user from JWT token"""
token = credentials.credentials
username = verify_token(token)
if username is None:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Invalid authentication credentials",
headers={"WWW-Authenticate": "Bearer"},
)
user = user_manager.get_user(username)
if user is None:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="User not found",
headers={"WWW-Authenticate": "Bearer"},
)
return user
@app.post("/api/auth/register")
async def register(user_data: UserCreate):
"""
Register a new user
Creates a new user account with username and password.
Returns the user info without the hashed password.
"""
try:
# Check if user already exists
existing_user = user_manager.get_user(user_data.username)
if existing_user:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Username already registered"
)
# Create user
user = user_manager.create_user(
username=user_data.username,
password=user_data.password,
email=user_data.email,
full_name=user_data.full_name
)
# Remove password from response
user_response = User(
id=user["id"],
username=user["username"],
email=user.get("email"),
full_name=user.get("full_name"),
is_active=user["is_active"],
created_at=datetime.fromisoformat(user["created_at"]),
last_login=datetime.fromisoformat(user["last_login"]) if user.get("last_login") else None
)
return {
"status": "success",
"message": "User registered successfully",
"user": user_response
}
except ValueError as e:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=str(e)
)
except Exception as e:
logger.error(f"Error registering user: {e}")
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="Failed to register user"
)
@app.post("/api/auth/login")
async def login(form_data: UserLogin):
"""
Login user and return JWT token
Authenticates user with username and password.
Returns a JWT access token valid for 7 days.
"""
user = user_manager.authenticate_user(form_data.username, form_data.password)
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Incorrect username or password",
headers={"WWW-Authenticate": "Bearer"},
)
if not user.get("is_active", True):
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="User account is disabled"
)
# Create access token
access_token = create_access_token(
data={"sub": user["username"]},
expires_delta=timedelta(days=7)
)
return {
"access_token": access_token,
"token_type": "bearer",
"user": {
"id": user["id"],
"username": user["username"],
"email": user.get("email"),
"full_name": user.get("full_name")
}
}
@app.get("/api/auth/me")
async def get_me(current_user: dict = Depends(get_current_user_from_token)):
"""
Get current user information
Returns information about the currently authenticated user.
Requires valid JWT token in Authorization header.
"""
return {
"user": {
"id": current_user["id"],
"username": current_user["username"],
"email": current_user.get("email"),
"full_name": current_user.get("full_name"),
"is_active": current_user.get("is_active", True),
"created_at": current_user.get("created_at"),
"last_login": current_user.get("last_login")
}
}
@app.post("/api/auth/logout")
async def logout():
"""
Logout user (client-side only)
Since JWT tokens are stateless, logout is handled client-side
by simply removing the token from storage.
This endpoint exists for API consistency and future extensions.
"""
return {
"status": "success",
"message": "Logout successful. Please remove the token from client storage."
}
# ==================== PROTECTED ENDPOINTS EXAMPLE ====================
# Example of how to protect existing endpoints:
# Add: current_user: dict = Depends(get_current_user_from_token) parameter
# Web Interface
@app.get("/web")
async def web_interface(request: Request):
return templates.TemplateResponse("index.html", {"request": request})
@app.get("/login")
async def login_page(request: Request):
"""Login/Register page"""
return templates.TemplateResponse("login.html", {"request": request})
# API Endpoints
@app.post("/api/download")
async def create_download(request: DownloadRequest, background_tasks: BackgroundTasks):