Home Explore Help
Register Sign In
ai
/
OpenHands
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 7071742d4a
Branches Tags
OpenHands
/
openhands
/
server
/
routes
/
auth.py

auth.py 2.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100 
  1. import time
    2. 

  2. import warnings
    3. 

  3. 

  4. import requests
    5. 

  5. 

  6. from openhands.server.github_utils import (
    7. 

  7.     GITHUB_CLIENT_ID,
    8. 

  8.     GITHUB_CLIENT_SECRET,
    9. 

  9.     authenticate_github_user,
    10. 

  10. )
    11. 

  11. 

  12. with warnings.catch_warnings():
    13. 

  13.     warnings.simplefilter('ignore')
    14. 

  14. 

  15. from fastapi import (
    16. 

  16.     APIRouter,
    17. 

  17.     Request,
    18. 

  18.     status,
    19. 

  19. )
    20. 

  20. from fastapi.responses import JSONResponse
    21. 

  21. from pydantic import BaseModel
    22. 

  22. 

  23. from openhands.core.logger import openhands_logger as logger
    24. 

  24. from openhands.server.auth import sign_token
    25. 

  25. from openhands.server.shared import config
    26. 

  26. 

  27. app = APIRouter(prefix='/api')
    28. 

  28. 

  29. 

  30. class AuthCode(BaseModel):
    31. 

  31.     code: str
    32. 

  32. 

  33. 

  34. @app.post('/github/callback')
    35. 

  35. def github_callback(auth_code: AuthCode):
    36. 

  36.     # Prepare data for the token exchange request
    37. 

  37.     data = {
    38. 

  38.         'client_id': GITHUB_CLIENT_ID,
    39. 

  39.         'client_secret': GITHUB_CLIENT_SECRET,
    40. 

  40.         'code': auth_code.code,
    41. 

  41.     }
    42. 

  42. 

  43.     logger.debug('Exchanging code for GitHub token')
    44. 

  44. 

  45.     headers = {'Accept': 'application/json'}
    46. 

  46.     response = requests.post(
    47. 

  47.         'https://github.com/login/oauth/access_token', data=data, headers=headers
    48. 

  48.     )
    49. 

  49. 

  50.     if response.status_code != 200:
    51. 

  51.         logger.error(f'Failed to exchange code for token: {response.text}')
    52. 

  52.         return JSONResponse(
    53. 

  53.             status_code=status.HTTP_400_BAD_REQUEST,
    54. 

  54.             content={'error': 'Failed to exchange code for token'},
    55. 

  55.         )
    56. 

  56. 

  57.     token_response = response.json()
    58. 

  58. 

  59.     if 'access_token' not in token_response:
    60. 

  60.         return JSONResponse(
    61. 

  61.             status_code=status.HTTP_400_BAD_REQUEST,
    62. 

  62.             content={'error': 'No access token in response'},
    63. 

  63.         )
    64. 

  64. 

  65.     return JSONResponse(
    66. 

  66.         status_code=status.HTTP_200_OK,
    67. 

  67.         content={'access_token': token_response['access_token']},
    68. 

  68.     )
    69. 

  69. 

  70. 

  71. @app.post('/authenticate')
    72. 

  72. async def authenticate(request: Request):
    73. 

  73.     token = request.headers.get('X-GitHub-Token')
    74. 

  74.     if not await authenticate_github_user(token):
    75. 

  75.         return JSONResponse(
    76. 

  76.             status_code=status.HTTP_401_UNAUTHORIZED,
    77. 

  77.             content={'error': 'Not authorized via GitHub waitlist'},
    78. 

  78.         )
    79. 

  79. 

  80.     # Create a signed JWT token with 1-hour expiration
    81. 

  81.     cookie_data = {
    82. 

  82.         'github_token': token,
    83. 

  83.         'exp': int(time.time()) + 3600,  # 1 hour expiration
    84. 

  84.     }
    85. 

  85.     signed_token = sign_token(cookie_data, config.jwt_secret)
    86. 

  86. 

  87.     response = JSONResponse(
    88. 

  88.         status_code=status.HTTP_200_OK, content={'message': 'User authenticated'}
    89. 

  89.     )
    90. 

  90. 

  91.     # Set secure cookie with signed token
    92. 

  92.     response.set_cookie(
    93. 

  93.         key='github_auth',
    94. 

  94.         value=signed_token,
    95. 

  95.         max_age=3600,  # 1 hour in seconds
    96. 

  96.         httponly=True,
    97. 

  97.         secure=True,
    98. 

  98.         samesite='strict',
    99. 

  99.     )
    100. 

  100.     return response
    101.