Initial setup for adding support for api key based auth

2025-11-20 19:33:10 +11:00
parent dfcbd9263e
commit 7241c4803f
6 changed files with 248 additions and 7 deletions
--- a/app.py
+++ b/app.py
@@ -16,6 +16,7 @@ from routes.home import home
 from routes.http import http
 from routes.llm import llm
 from routes.auth import auth
+from routes.settings import settings
 from constants import DEFAULT_FUNCTION_NAME, DEFAULT_SCRIPT, DEFAULT_ENVIRONMENT
 from flask_apscheduler import APScheduler
 import asyncio
@@ -43,6 +44,7 @@ app.register_blueprint(home, url_prefix='/home')
 app.register_blueprint(http, url_prefix='/http')
 app.register_blueprint(llm, url_prefix='/llm')
 app.register_blueprint(auth, url_prefix='/auth')
+app.register_blueprint(settings, url_prefix='/settings')

 # Swith to inter app routing, which results in speed up from ~400ms to ~270ms
 # https://stackoverflow.com/questions/76886643/linking-two-not-exposed-dokku-apps
@@ -150,10 +152,30 @@ async def execute_http_function(user_id, function):

        # Check if the function is public, if not check if the user is authenticated and owns the function
        if not is_public:
-            if not current_user.is_authenticated:
-                return redirect(url_for('auth.login', next=request.url))
+            is_authorized = False
+            
+            # 1. Session Authentication
+            if current_user.is_authenticated and int(current_user.id) == user_id:
+                is_authorized = True
+            
+            # 2. API Key Authentication
+            elif 'X-API-Key' in request.headers:
+                api_key_value = request.headers.get('X-API-Key')
+                api_key = db.get_api_key(api_key_value)
+                
+                if api_key and api_key['user_id'] == user_id:
+                    # Check Scopes
+                    scopes = api_key['scopes']
+                    if isinstance(scopes, str):
+                        scopes = json.loads(scopes)
+                        
+                    if "*" in scopes or f"function:{http_function['id']}" in scopes:
+                        is_authorized = True
+                        db.update_api_key_last_used(api_key['id'])

-            if int(current_user.id) != user_id:
+            if not is_authorized:
+                if not current_user.is_authenticated:
+                     return redirect(url_for('auth.login', next=request.url))
                return jsonify({'error': 'Function belongs to another user'}), 404

        request_data = {