k3nny/TISbackup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4337b0e925
TISbackup/libtisbackup/auth/basic_auth.py
k3nny f12d89f3da feat(auth): add pluggable authentication system for Flask routes 
Implement comprehensive authentication system with support for
Basic Auth, Flask-Login, and OAuth2 providers.

Features:
- Pluggable architecture via factory pattern
- Multiple authentication providers:
  * None: No authentication (development/testing)
  * Basic Auth: HTTP Basic with bcrypt support
  * Flask-Login: Session-based with multiple users
  * OAuth2: Google, GitHub, GitLab, and generic providers
- Decorator-based route protection (@auth.require_auth)
- User authorization by domain or email (OAuth)
- bcrypt password hashing support
- Comprehensive documentation and examples

Components:
- libtisbackup/auth/__init__.py: Factory function and exports
- libtisbackup/auth/base.py: Base provider interface
- libtisbackup/auth/basic_auth.py: HTTP Basic Auth implementation
- libtisbackup/auth/flask_login_auth.py: Flask-Login implementation
- libtisbackup/auth/oauth_auth.py: OAuth2 implementation
- libtisbackup/auth/example_integration.py: Integration examples
- libtisbackup/auth/README.md: API reference and examples

Documentation:
- AUTHENTICATION.md: Complete authentication guide
  * Setup instructions for each provider
  * Configuration examples
  * Security best practices
  * Troubleshooting guide
  * Migration guide
- samples/auth-config-examples.ini: Configuration templates

Dependencies:
- Add optional dependencies in pyproject.toml:
  * auth-basic: bcrypt>=4.0.0
  * auth-login: flask-login>=0.6.0, bcrypt>=4.0.0
  * auth-oauth: authlib>=1.3.0, requests>=2.32.0
  * auth-all: All auth providers

Installation:
```bash
# Install specific provider
uv sync --extra auth-basic

# Install all providers
uv sync --extra auth-all
```

Usage:
```python
from libtisbackup.auth import get_auth_provider

# Initialize
auth = get_auth_provider("basic", {
    "username": "admin",
    "password": "$2b$12$...",
    "use_bcrypt": True
})
auth.init_app(app)

# Protect routes
@app.route("/")
@auth.require_auth
def index():
    user = auth.get_current_user()
    return f"Hello {user['username']}"
```

Security features:
- bcrypt password hashing (work factor 12)
- OAuth domain/user restrictions
- Session-based authentication
- Clear separation of concerns
- Environment variable support for secrets

OAuth providers supported:
- Google (OpenID Connect)
- GitHub
- GitLab
- Generic OAuth2 provider

Breaking change: None - new feature, backward compatible
Users can continue without authentication (type=none)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-05 02:02:46 +02:00

79 lines
2.5 KiB
Python
Raw Blame History

#!/usr/bin/python3
# -*- coding: utf-8 -*-
"""
HTTP Basic Authentication provider
"""
import base64
import logging
from functools import wraps
from flask import request
from .base import AuthProvider
class BasicAuthProvider(AuthProvider):
"""HTTP Basic Authentication provider.
Configuration:
username: Required username
password: Required password (plain text, or hashed with bcrypt)
realm: Authentication realm (default: 'TISBackup')
use_bcrypt: If True, password is bcrypt hash (default: False)
"""
def __init__(self, config):
super().__init__(config)
self.logger = logging.getLogger("tisbackup.auth")
self.username = config.get("username")
self.password = config.get("password")
self.realm = config.get("realm", "TISBackup")
self.use_bcrypt = config.get("use_bcrypt", False)
if not self.username or not self.password:
raise ValueError("BasicAuth requires 'username' and 'password' in config")
if self.use_bcrypt:
try:
import bcrypt
self.bcrypt = bcrypt
except ImportError:
raise ImportError("bcrypt library required for password hashing. Install with: pip install bcrypt")
def is_authenticated(self):
"""Check if request has valid Basic Auth credentials."""
auth = request.authorization
if not auth:
return False
if auth.username != self.username:
self.logger.warning(f"Failed authentication attempt for user: {auth.username}")
return False
if self.use_bcrypt:
# Compare bcrypt hash
password_bytes = auth.password.encode('utf-8')
hash_bytes = self.password.encode('utf-8') if isinstance(self.password, str) else self.password
return self.bcrypt.checkpw(password_bytes, hash_bytes)
else:
# Plain text comparison (not recommended for production)
return auth.password == self.password
def handle_unauthorized(self):
"""Return 401 with WWW-Authenticate header."""
from flask import Response
return Response(
'Authentication required',
401,
{'WWW-Authenticate': f'Basic realm="{self.realm}"'}
)
def get_current_user(self):
"""Get current authenticated user."""
auth = request.authorization
if auth and self.is_authenticated():
return {"username": auth.username, "auth_type": "basic"}
return None
Reference in New Issue View Git Blame Copy Permalink