# Authentication
Autodoc for the two auth models. See Auth flow for the narrative.
## Admin auth: JWT + Redis sessions

### utils
JWT + Redis-session auth helpers, mirrored from skynet-app-api.

Access tokens are HS256 JWTs wrapping a random session token that is looked up in Redis to resolve the live `User`. `validate_access_token` gates any authenticated route; `validate_admin` additionally requires `role == "admin"`.
#### `hash_pbkdf2(username, password, salt=None)`

Hash username + password with PBKDF2/SHA-1; generate a 32-byte salt if absent.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| `username` | `str` | cleartext username. | required |
| `password` | `str` | cleartext password. | required |
| `salt` | `Optional[bytes]` | cleartext random salt (32 bytes); generated when omitted. | `None` |

Returns:

| Type | Description |
|---|---|
| `bytes` | base64-encoded salted hash. |

Source code in src/cms_api/authentication/utils.py
#### `verify_pbkdf2_hash(username, password, salted_hash)`

Verify username + password against a base64-encoded salted PBKDF2 hash.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| `username` | `str` | cleartext username. | required |
| `password` | `str` | cleartext password. | required |
| `salted_hash` | `str` | base64-encoded stored hash. | required |

Returns:

| Type | Description |
|---|---|
| `bool` | `True` when the credentials match the stored hash. |

Source code in src/cms_api/authentication/utils.py
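The hash/verify pair above, written out as an added example (this is not the project's `utils.py`). The page states only PBKDF2 with SHA-1, a 32-byte salt and a base64-encoded result; the iteration count, the `username:password` concatenation and the `salt || digest` layout of the encoded value are assumptions made here so the example is self-contained. The verifier uses `hmac.compare_digest` so a mismatch takes the same time regardless of where the first differing byte is.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed for this example (not stated on the page): iteration count, the
# derived-key length, and that the encoded value is base64(salt || digest).
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 32      # the page states a 32-byte salt
DIGEST_LEN = 32    # dklen requested from pbkdf2_hmac


def hash_pbkdf2(username: str, password: str, salt: Optional[bytes] = None,
                hash_name: str = "sha1") -> bytes:
    """Hash username + password with PBKDF2; generate a 32-byte salt if absent.

    Returns base64(salt || digest) so the salt is stored alongside the digest.
    `hash_name` defaults to sha1 as the page states; "sha256" is a drop-in upgrade.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be exactly {SALT_LEN} bytes")
    # Concatenation format is an assumption; any fixed, unambiguous format works.
    material = f"{username}:{password}".encode("utf-8")
    digest = hashlib.pbkdf2_hmac(hash_name, material, salt,
                                 PBKDF2_ITERATIONS, dklen=DIGEST_LEN)
    return base64.b64encode(salt + digest)


def verify_pbkdf2_hash(username: str, password: str, salted_hash: str,
                       hash_name: str = "sha1") -> bool:
    """Return True when username + password reproduce the stored salted hash."""
    try:
        raw = base64.b64decode(salted_hash, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False              # corrupt or non-base64 stored value: never a match
    if len(raw) != SALT_LEN + DIGEST_LEN:
        return False
    salt = raw[:SALT_LEN]
    expected = hash_pbkdf2(username, password, salt, hash_name)
    # Constant-time comparison of the two base64 strings.
    return hmac.compare_digest(expected, salted_hash.encode("ascii"))
```

Because the salt is part of the stored value, `verify_pbkdf2_hash` needs no separate salt column; a malformed stored value simply fails verification rather than raising into the request path.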
#### `generate_jwt_token(data, expires_in=ACCESS_TOKEN_EXPIRE)`

Create and return a signed HS256 JWT carrying `data` with an `exp` claim.

The `exp` claim is enforced by `jwt.decode` on validation, so the token is rejected once it expires, independently of the Redis session TTL.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| `data` | `dict` | payload to sign (e.g. …). | required |
| `expires_in` | `int` | token lifetime in seconds (default `ACCESS_TOKEN_EXPIRE`). | `ACCESS_TOKEN_EXPIRE` |

Returns:

| Type | Description |
|---|---|
| `str` | the signed JWT string. |

Source code in src/cms_api/authentication/utils.py
#### `decode_jwt_session_token(token)`

Decode a JWT and return the wrapped Redis session token from its payload.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| `token` | `str` | signed JWT (access or refresh). | required |

Returns:

| Type | Description |
|---|---|
| `str` | the inner session token string. |

Raises:

| Type | Description |
|---|---|
| `HTTPException` | when the JWT is invalid or lacks a session token claim. |

Source code in src/cms_api/authentication/utils.py
#### `validate_access_token(token=Depends(oauth2_scheme), request=None)`

Resolve the authenticated `User` for a valid access token.

Decodes the JWT, then looks the wrapped session token up in Redis. Raises `invalid_token_exception` (401) for a missing, malformed, expired, or unknown-session token.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| `token` | `str` | bearer access token. | `Depends(oauth2_scheme)` |
| `request` | `Request` | optional request, stamped with … | `None` |

Returns:

| Type | Description |
|---|---|
| `User` | the matching `User`. |

Source code in src/cms_api/authentication/utils.py
#### `validate_admin(token=Depends(oauth2_scheme))`

Resolve the authenticated user and require a platform admin role (else 403).

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| `token` | `str` | bearer access token. | `Depends(oauth2_scheme)` |

Returns:

| Type | Description |
|---|---|
| `User` | the authenticated admin `User`. |

Source code in src/cms_api/authentication/utils.py
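The whole admin flow (`generate_jwt_token`, `decode_jwt_session_token`, `validate_access_token`, `validate_admin`) as one added, self-contained example; it is not the project's code and does not use PyJWT or a Redis client. The HS256 signing and verification are written out by hand so the two independent expiry checks the page describes are visible: the JWT's `exp` claim is checked first, then the session must still exist in Redis. Assumed here, not taken from the page: the secret, the claim name `session`, the `session:` key prefix, the value of `ACCESS_TOKEN_EXPIRE`, and the `FakeRedis`/`AuthError` stand-ins for Redis and `HTTPException`. The `now` parameters exist only so expiry can be exercised deterministically.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed for this example (not stated on the page).
JWT_SECRET = b"placeholder-secret-load-from-config"
ACCESS_TOKEN_EXPIRE = 900           # seconds; real value lives in project config
SESSION_CLAIM = "session"           # claim that carries the Redis session token


class AuthError(Exception):
    """Stand-in for HTTPException: .status is what the route would return."""
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status


@dataclass
class User:
    username: str
    role: str


class FakeRedis:
    """In-memory SETEX/GET with expiry, standing in for the real Redis client."""
    def __init__(self) -> None:
        self._data: Dict[str, Tuple[str, float]] = {}

    def setex(self, key: str, ttl: int, value: str) -> None:
        self._data[key] = (value, time.time() + ttl)

    def get(self, key: str) -> Optional[str]:
        item = self._data.get(key)
        if item is None or item[1] <= time.time():
            self._data.pop(key, None)
            return None
        return item[0]


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: bytes) -> bytes:
    return hmac.new(JWT_SECRET, signing_input, hashlib.sha256).digest()


def generate_jwt_token(data: dict, expires_in: int = ACCESS_TOKEN_EXPIRE,
                       now: Optional[float] = None) -> str:
    """Sign `data` as an HS256 JWT whose exp claim is `expires_in` seconds ahead."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({**data, "exp": int(now + expires_in)}).encode())
    sig = _sign(f"{header}.{payload}".encode("ascii"))
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt_session_token(token: str, now: Optional[float] = None) -> str:
    """Verify signature and exp (what jwt.decode enforces); return the session claim."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, TypeError):
        raise AuthError(401, "malformed token") from None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise AuthError(401, "malformed token")
    if header.get("alg") != "HS256":          # pin the algorithm: reject "none" and others
        raise AuthError(401, "unsupported alg")
    if not hmac.compare_digest(sig, _sign(f"{h_b64}.{p_b64}".encode("ascii"))):
        raise AuthError(401, "bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:   # enforced even if the Redis session is alive
        raise AuthError(401, "token expired")
    session = payload.get(SESSION_CLAIM)
    if not isinstance(session, str) or not session:
        raise AuthError(401, "no session token claim")
    return session


def create_session(redis: FakeRedis, user: User, ttl: int = ACCESS_TOKEN_EXPIRE) -> str:
    """Login side: store the user under a random session token and wrap it in a JWT."""
    session = secrets.token_urlsafe(32)
    redis.setex(f"session:{session}", ttl,
                json.dumps({"username": user.username, "role": user.role}))
    return generate_jwt_token({SESSION_CLAIM: session}, ttl)


def validate_access_token(redis: FakeRedis, token: str, now: Optional[float] = None) -> User:
    """Resolve the live User: valid JWT first, then the session must exist in Redis."""
    session = decode_jwt_session_token(token, now)
    raw = redis.get(f"session:{session}")
    if raw is None:
        raise AuthError(401, "unknown or expired session")   # logout/revocation lands here
    rec = json.loads(raw)
    return User(rec["username"], rec["role"])


def validate_admin(redis: FakeRedis, token: str, now: Optional[float] = None) -> User:
    """As validate_access_token, then require role == "admin" (else 403)."""
    user = validate_access_token(redis, token, now)
    if user.role != "admin":
        raise AuthError(403, "admin role required")
    return user
```

Two properties worth checking in a deployment of this model: deleting the `session:` key (logout, revocation) must turn a still-unexpired JWT into a 401, and an expired JWT must be refused even while its Redis key is alive; both fall out of checking `exp` before the Redis lookup and never trusting the JWT payload for anything except the opaque session token.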
## Worker API key

### worker

Worker API key validation for the public v2 surface.

#### `validate_worker_api_key(authorization=Header(default=None))`

Require `Authorization: Bearer <worker-key>` on `/public/v2` routes.

Raises 503 when the key is not configured (the service refuses open v2 reads).
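An added example of the worker-key check described above (not the project's `worker.py`, and framework-free so it runs without FastAPI). The page fixes only the header format and the 503 for an unconfigured key; the environment variable name `WORKER_API_KEY`, the 401 for a missing/non-bearer header and the 403 for a wrong key are assumptions made here. The unconfigured case is tested before any caller input is examined, so a misconfigured deployment fails closed, and the key comparison is constant-time.

```python
import hmac
import os
from typing import Optional, Tuple

# Assumed for this example: where the key comes from and the 401/403 split.
WORKER_KEY_ENV = "WORKER_API_KEY"


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', else None.

    Scheme matching is case-insensitive per RFC 7235; an empty token is a miss.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def validate_worker_api_key(authorization: Optional[str],
                            configured_key: Optional[str] = None) -> Tuple[int, str]:
    """Return (status, detail) for the request; 200 means the route may proceed.

    `configured_key` overrides the environment lookup so the check is testable.
    """
    configured = configured_key if configured_key is not None else os.environ.get(WORKER_KEY_ENV)
    if not configured:
        # Fail closed: with no key configured the v2 surface is not served at all.
        return 503, "worker API key not configured"
    presented = parse_bearer(authorization)
    if presented is None:
        return 401, "missing or malformed bearer token"
    if not hmac.compare_digest(presented.encode("utf-8"), configured.encode("utf-8")):
        return 403, "invalid worker API key"
    return 200, "ok"
```

In a FastAPI dependency the two non-200 branches would each raise `HTTPException` with the same status; returning a tuple here keeps the decision logic separate from the framework.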