espilon-source/tools/C3PO/web/auth.py

"""Authentication decorators for Flask routes."""

import hmac
from functools import wraps
from flask import session, redirect, url_for, request, jsonify


def create_auth_decorators(get_multilat_token):
    """
    Create auth decorators with access to server config.

    Args:
        get_multilat_token: Callable that returns the MLAT API token

    Returns:
        Tuple of (require_login, require_api_auth) decorators
    """

    def require_login(f):
        """Decorator requiring user to be logged in via session."""
        @wraps(f)
        def decorated(*args, **kwargs):
            if not session.get("logged_in"):
                return redirect(url_for("pages.login"))
            return f(*args, **kwargs)
        return decorated

    def require_api_auth(f):
        """Decorator requiring session login OR Bearer token."""
        @wraps(f)
        def decorated(*args, **kwargs):
            # Session auth
            if session.get("logged_in"):
                return f(*args, **kwargs)

            # Bearer token auth
            auth_header = request.headers.get("Authorization", "")
            if auth_header.startswith("Bearer "):
                token = auth_header[7:]
                if hmac.compare_digest(token, get_multilat_token()):
                    return f(*args, **kwargs)

            return jsonify({"error": "Unauthorized"}), 401
        return decorated

    return require_login, require_api_auth