245 lines
8.1 KiB
Python
245 lines
8.1 KiB
Python
import os
|
|
from base58 import b58decode
|
|
from sanic import response as sanic_response
|
|
from uuid import uuid4
|
|
|
|
from app.core._crypto.signer import Signer
|
|
from app.core._secrets import hot_seed
|
|
from app.core.logger import make_log
|
|
from app.core.models.keys import KnownKey
|
|
from app.core.models._telegram.wrapped_bot import Wrapped_CBotChat
|
|
from app.core.models.user_activity import UserActivity
|
|
from app.core.models.user import User
|
|
from sqlalchemy import select
|
|
from app.core.storage import new_session
|
|
from datetime import datetime, timedelta
|
|
from app.core.log_context import (
|
|
ctx_session_id, ctx_user_id, ctx_method, ctx_path, ctx_remote
|
|
)
|
|
|
|
|
|
ENABLE_INTERNAL_CORS = os.getenv("ENABLE_INTERNAL_CORS", "1").lower() in {"1", "true", "yes"}
|
|
|
|
|
|
def attach_headers(response, request=None):
|
|
response.headers.pop("Access-Control-Allow-Origin", None)
|
|
response.headers.pop("Access-Control-Allow-Methods", None)
|
|
response.headers.pop("Access-Control-Allow-Headers", None)
|
|
response.headers.pop("Access-Control-Allow-Credentials", None)
|
|
|
|
if not ENABLE_INTERNAL_CORS:
|
|
return response
|
|
|
|
response.headers["Access-Control-Allow-Origin"] = "*"
|
|
response.headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS, PATCH, HEAD"
|
|
response.headers["Access-Control-Allow-Headers"] = (
|
|
"Origin, Content-Type, Accept, Authorization, Referer, User-Agent, Sec-Fetch-Dest, Sec-Fetch-Mode, "
|
|
"Sec-Fetch-Site, Tus-Resumable, tus-resumable, Upload-Length, upload-length, Upload-Offset, upload-offset, "
|
|
"Upload-Metadata, upload-metadata, Upload-Defer-Length, upload-defer-length, Upload-Concat, upload-concat, "
|
|
"x-file-name, x-last-chunk, x-chunk-start, x-upload-id, x-request-id"
|
|
)
|
|
return response
|
|
|
|
|
|
|
|
async def try_authorization(request):
|
|
token = request.headers.get("Authorization")
|
|
if not token:
|
|
return
|
|
|
|
token_bin = b58decode(token)
|
|
if len(token_bin) != 57:
|
|
make_log("auth", "Invalid token length", level="warning")
|
|
return
|
|
|
|
result = await request.ctx.db_session.execute(select(KnownKey).where(KnownKey.seed == token))
|
|
known_key = result.scalars().first()
|
|
if not known_key:
|
|
make_log("auth", "Unknown key", level="warning")
|
|
return
|
|
|
|
if known_key.type != "USER_API_V1":
|
|
make_log("auth", "Invalid key type", level="warning")
|
|
return
|
|
|
|
(
|
|
token_version,
|
|
user_id,
|
|
timestamp,
|
|
randpart
|
|
) = (
|
|
int.from_bytes(token_bin[0:1], 'big'),
|
|
int.from_bytes(token_bin[1:17], 'big'),
|
|
int.from_bytes(token_bin[17:25], 'big'),
|
|
token_bin[25:]
|
|
)
|
|
assert token_version == 1, "Invalid token version"
|
|
assert user_id > 0, "Invalid user_id"
|
|
assert timestamp > 0, "Invalid timestamp"
|
|
|
|
if known_key.meta.get('I_user_id', -1) != user_id:
|
|
make_log("auth", f"User ID mismatch: {known_key.meta.get('I_user_id', -1)} != {user_id}", level="warning")
|
|
return
|
|
|
|
result = await request.ctx.db_session.execute(select(User).where(User.id == known_key.meta['I_user_id']))
|
|
user = result.scalars().first()
|
|
if not user:
|
|
make_log("auth", "No user from key", level="warning")
|
|
return
|
|
|
|
request.ctx.user = user
|
|
request.ctx.user_key = known_key
|
|
|
|
request.ctx.user_uploader_wrapper = Wrapped_CBotChat(request.app.ctx.memory._telegram_bot, chat_id=user.telegram_id, db_session=request.ctx.db_session, user=user)
|
|
request.ctx.user_client_wrapper = Wrapped_CBotChat(request.app.ctx.memory._client_telegram_bot, chat_id=user.telegram_id, db_session=request.ctx.db_session, user=user)
|
|
|
|
|
|
async def try_service_authorization(request):
|
|
signature = request.headers.get('X-Service-Signature')
|
|
if not signature:
|
|
return
|
|
|
|
# TODO: смысл этой проверки если это можно подменить?
|
|
message_hash_b58 = request.headers.get('X-Message-Hash')
|
|
if not message_hash_b58:
|
|
return
|
|
|
|
message_hash = b58decode(message_hash_b58)
|
|
signer = Signer(hot_seed)
|
|
if signer.verify(message_hash, signature):
|
|
request.ctx.verified_hash = message_hash
|
|
|
|
|
|
async def save_activity(request):
|
|
activity_meta = {}
|
|
try:
|
|
activity_meta["path"] = request.path
|
|
if 'system' in activity_meta["path"]:
|
|
return
|
|
except:
|
|
pass
|
|
|
|
try:
|
|
activity_meta["args"] = dict(request.args)
|
|
except:
|
|
pass
|
|
|
|
try:
|
|
activity_meta["json"] = dict(request.json)
|
|
except:
|
|
pass
|
|
|
|
try:
|
|
activity_meta["method"] = request.method
|
|
except:
|
|
pass
|
|
|
|
try:
|
|
activity_meta["ip"] = (request.headers['X-Forwarded-for'] if 'X-Forwarded-for' in request.headers else None) \
|
|
or request.remote_addr or request.ip
|
|
activity_meta["ip"] = activity_meta["ip"].split(",")[0].strip()
|
|
except:
|
|
pass
|
|
|
|
try:
|
|
# Sanitize sensitive headers
|
|
headers = dict(request.headers)
|
|
for hk in list(headers.keys()):
|
|
if str(hk).lower() in [
|
|
'authorization', 'cookie', 'x-service-signature', 'x-message-hash'
|
|
]:
|
|
headers[hk] = '<redacted>'
|
|
activity_meta["headers"] = headers
|
|
except:
|
|
pass
|
|
|
|
new_user_activity = UserActivity(
|
|
type="API_V1_REQUEST",
|
|
meta=activity_meta,
|
|
user_id=request.ctx.user.id if request.ctx.user else None,
|
|
user_ip=activity_meta.get("ip", "0.0.0.0"),
|
|
created=datetime.utcnow()
|
|
)
|
|
request.ctx.db_session.add(new_user_activity)
|
|
await request.ctx.db_session.commit()
|
|
|
|
|
|
async def attach_user_to_request(request):
|
|
if request.method == 'OPTIONS':
|
|
return attach_headers(sanic_response.text("OK"), request)
|
|
|
|
request.ctx.db_session = new_session()
|
|
request.ctx.verified_hash = None
|
|
request.ctx.user = None
|
|
request.ctx.user_key = None
|
|
request.ctx.user_uploader_wrapper = Wrapped_CBotChat(request.app.ctx.memory._telegram_bot, db_session=request.ctx.db_session)
|
|
request.ctx.user_client_wrapper = Wrapped_CBotChat(request.app.ctx.memory._client_telegram_bot, db_session=request.ctx.db_session)
|
|
# Correlation/session id for this request: prefer proxy-provided X-Request-ID
|
|
incoming_req_id = request.headers.get('X-Request-Id') or request.headers.get('X-Request-ID')
|
|
request.ctx.session_id = (incoming_req_id or uuid4().hex)[:32]
|
|
# Populate contextvars for automatic logging context
|
|
try:
|
|
ctx_session_id.set(request.ctx.session_id)
|
|
ctx_method.set(request.method)
|
|
ctx_path.set(request.path)
|
|
_remote = (request.headers.get('X-Forwarded-For') or request.remote_addr or request.ip)
|
|
if _remote and isinstance(_remote, str) and ',' in _remote:
|
|
_remote = _remote.split(',')[0].strip()
|
|
ctx_remote.set(_remote)
|
|
except BaseException:
|
|
pass
|
|
try:
|
|
make_log(
|
|
"HTTP",
|
|
f"Request start sid={request.ctx.session_id} {request.method} {request.path}",
|
|
level='info'
|
|
)
|
|
except BaseException:
|
|
pass
|
|
await try_authorization(request)
|
|
# Update user_id in context after auth
|
|
try:
|
|
if request.ctx.user and request.ctx.user.id:
|
|
ctx_user_id.set(request.ctx.user.id)
|
|
except BaseException:
|
|
pass
|
|
await save_activity(request)
|
|
await try_service_authorization(request)
|
|
|
|
|
|
async def close_request_handler(request, response):
|
|
if request.method == 'OPTIONS':
|
|
response = sanic_response.text("OK")
|
|
|
|
response = attach_headers(response, request)
|
|
|
|
try:
|
|
await request.ctx.db_session.close()
|
|
except BaseException:
|
|
pass
|
|
|
|
try:
|
|
make_log(
|
|
"HTTP",
|
|
f"Request end sid={getattr(request.ctx, 'session_id', None)} {request.method} {request.path} status={getattr(response, 'status', None)}",
|
|
level='info'
|
|
)
|
|
except BaseException:
|
|
pass
|
|
|
|
return request, response
|
|
|
|
|
|
async def close_db_session(request, response):
|
|
request, response = await close_request_handler(request, response)
|
|
# Clear contextvars
|
|
try:
|
|
ctx_session_id.set(None)
|
|
ctx_user_id.set(None)
|
|
ctx_method.set(None)
|
|
ctx_path.set(None)
|
|
ctx_remote.set(None)
|
|
except BaseException:
|
|
pass
|
|
return response
|