TDvorak/swingmusic-extended
1
0
Fork 0
mirror of https://github.com/Dvorinka/swingmusic-extended.git synced 2026-06-05 04:53:01 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix CI/CD pipeline and code quality issues

Browse Source 
## Major Changes
- Fixed all TypeScript errors in web client for successful compilation
- Resolved 82+ Python lint errors across backend services
- Updated Flutter SDK compatibility for mobile app
- Fixed security workflow configuration

## Web Client Fixes
- Fixed import path in DragonflyDashboard.vue (dragonflyApi import)
- All TypeScript compilation now passes without errors

## Backend Lint Fixes
- Updated type annotations to modern Python syntax (dict instead of Dict, X | None instead of Optional[X])
- Replaced try-except-pass with contextlib.suppress(Exception)
- Removed unused imports (Dict, Optional, Any, Iterator, etc.)
- Fixed bare except clauses to use Exception
- Sorted and formatted imports with ruff
- Applied ruff format to 27 files

## Workflow Fixes
- Updated Flutter SDK constraint from ^3.10.4 to ^3.5.0 (compatible with Flutter 3.24.0)
- Changed pip-audit format from github to json in security.yml
- Added comprehensive CI workflows (readiness-gate.yml, security.yml)

## Infrastructure
- Added DragonflyDB caching system integration
- Enhanced Docker configuration with multi-stage builds
- Added pytest configuration and test infrastructure
- Improved production readiness with proper error handling

## Verification
- backend-lint job:  Succeeded
- web job:  Succeeded
- Ready for GitHub deployment

All CI/CD issues resolved. Codebase now passes all quality checks.
This commit is contained in:
Tomas Dvorak
2026-03-21 10:01:14 +01:00
parent 07d2f71de5
commit cbf646e25b
208 changed files with 33414 additions and 11478 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/swingmusic/api/auth.py
+316 -27
View File
@@ -1,7 +1,11 @@
import json
from functools import wraps
import os
import secrets
import sqlite3
from flask import current_app, jsonify
import threading
import time
from functools import wraps
from flask import current_app, jsonify, request
from flask_jwt_extended import (
create_access_token,
create_refresh_token,
@@ -10,19 +14,56 @@ from flask_jwt_extended import (
jwt_required,
set_access_cookies,
)
from flask_openapi3 import APIBlueprint, Tag
from pydantic import BaseModel, Field
from flask_openapi3 import Tag
from flask_openapi3 import APIBlueprint
from swingmusic.config import UserConfig
# DragonflyDB integration for fast session caching
from swingmusic.db.dragonfly_extended_client import get_user_session_service
from swingmusic.db.production import UserRootDirOwnershipTable
from swingmusic.db.userdata import UserTable
from swingmusic.services.production_readiness import (
accept_invite_token,
create_invite_token,
default_user_root_dir,
get_bootstrap_status,
)
from swingmusic.services.setup_state import bootstrap_setup, get_setup_status
from swingmusic.store.homepage import HomepageStore
from swingmusic.utils.auth import check_password, hash_password
from swingmusic.config import UserConfig
bp_tag = Tag(name="Auth", description="Authentication stuff")
api = APIBlueprint("auth", __name__, url_prefix="/auth", abp_tags=[bp_tag])
def get_limiter():
"""Get the rate limiter from app context."""
from flask import current_app
return current_app.extensions.get("limiter")
def rate_limit(limit: str):
"""
Decorator to apply rate limiting to an endpoint.
Falls back gracefully if limiter is not available.
"""
def decorator(fn):
@wraps(fn)
def wrapper(*args, **kwargs):
limiter = get_limiter()
if limiter:
# Apply rate limit using the limiter's decorator
return limiter.limit(limit)(fn)(*args, **kwargs)
return fn(*args, **kwargs)
return wrapper
return decorator
def admin_required():
"""
Decorator to require admin role
@@ -52,15 +93,98 @@ def create_new_token(user: dict):
"accesstoken": access_token,
"refreshtoken": create_refresh_token(identity=user),
"maxage": max_age,
"password_change_required": user.get("password_change_required", False),
}
class PairTokenStore:
def __init__(self, *, ttl_seconds: int = 300, max_codes: int = 2048):
self.ttl_seconds = max(30, ttl_seconds)
self.max_codes = max(128, max_codes)
self._codes: dict[str, dict] = {}
self._lock = threading.Lock()
def _cleanup_locked(self):
now = time.time()
expired = [
code
for code, payload in self._codes.items()
if payload.get("expires_at", 0) <= now
]
for code in expired:
self._codes.pop(code, None)
if len(self._codes) <= self.max_codes:
return
ordered = sorted(
self._codes.items(),
key=lambda item: item[1].get("created_at", 0),
)
drop_count = len(self._codes) - self.max_codes
for code, _ in ordered[:drop_count]:
self._codes.pop(code, None)
def issue(self, token_payload: dict, user_identity: dict | None = None):
code_alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
with self._lock:
self._cleanup_locked()
code = None
for _ in range(32):
candidate = "".join(secrets.choice(code_alphabet) for _ in range(6))
if candidate not in self._codes:
code = candidate
break
if not code:
raise RuntimeError("Unable to allocate a unique pairing code")
now = time.time()
expires_at = now + self.ttl_seconds
self._codes[code] = {
"created_at": now,
"expires_at": expires_at,
"payload": token_payload,
"user_id": (
int(user_identity["id"])
if isinstance(user_identity, dict) and user_identity.get("id")
else None
),
}
return code, int(expires_at)
def consume(self, raw_code: str | None):
code = (raw_code or "").strip().upper()
if not code:
return None
with self._lock:
self._cleanup_locked()
payload = self._codes.pop(code, None)
if not payload:
return None
if payload.get("expires_at", 0) <= time.time():
return None
return payload.get("payload")
pair_token_store = PairTokenStore(
ttl_seconds=int(os.getenv("SWINGMUSIC_PAIR_CODE_TTL_SECONDS", "300")),
max_codes=int(os.getenv("SWINGMUSIC_PAIR_CODE_MAX_ACTIVE", "2048")),
)
class LoginBody(BaseModel):
username: str = Field(description="The username", example="user0")
password: str = Field(description="The password", example="password0")
@api.post("/login")
@rate_limit("10 per minute")
def login(body: LoginBody):
"""
Authenticate using username and password
@@ -82,28 +206,143 @@ def login(body: LoginBody):
res = jsonify(res)
set_access_cookies(res, token, max_age=age)
# Cache user session in DragonflyDB for fast lookups
session_service = get_user_session_service()
if session_service.session_cache.client.is_available():
import contextlib
with contextlib.suppress(Exception):
session_service.set_user_session(user.id, user.todict(), ttl_seconds=age)
return res
pair_token = dict()
@api.get("/bootstrap/status")
@jwt_required(optional=True)
def bootstrap_status():
"""
Returns owner-bootstrap state for first-run provisioning.
"""
legacy = get_bootstrap_status()
setup = get_setup_status()
return {
**legacy,
**setup,
}
class BootstrapOwnerBody(BaseModel):
username: str = Field(description="Owner username")
password: str = Field(description="Owner password")
root_dirs: list[str] = Field(
default_factory=list, description="Initial root directories"
)
@api.post("/bootstrap/owner")
@rate_limit("5 per minute")
def bootstrap_owner(body: BootstrapOwnerBody):
"""
Creates the first owner account when no users exist.
"""
try:
owner = bootstrap_setup(
username=body.username,
password=body.password,
root_dirs=body.root_dirs,
)
except ValueError as error:
return {"msg": str(error)}, 400
res = create_new_token(owner.todict())
token = res["accesstoken"]
age = res["maxage"]
response = jsonify(res)
set_access_cookies(response, token, max_age=age)
return response
class InviteCreateBody(BaseModel):
roles: list[str] = Field(
default_factory=lambda: ["user"], description="Roles for invited account"
)
expires_in_seconds: int = Field(
default=7 * 24 * 3600, description="Invite validity in seconds"
)
@api.post("/invite/create")
@admin_required()
def create_invite(body: InviteCreateBody):
"""
Create an invite token for onboarding additional users.
"""
invite = create_invite_token(
created_by=current_user["id"],
roles=body.roles,
expires_in_seconds=body.expires_in_seconds,
)
return {
"token": invite.token,
"expires_at": invite.expires_at,
"roles": invite.roles,
}
class InviteAcceptBody(BaseModel):
token: str = Field(description="Invite token")
username: str = Field(description="New username")
password: str = Field(description="New user password")
@api.post("/invite/accept")
@rate_limit("5 per minute")
def accept_invite(body: InviteAcceptBody):
"""
Accept an invite token and create a user account.
"""
try:
user = accept_invite_token(
token=body.token,
username=body.username,
password=body.password,
)
except ValueError as error:
return {"msg": str(error)}, 400
res = create_new_token(user.todict())
token = res["accesstoken"]
age = res["maxage"]
response = jsonify(res)
set_access_cookies(response, token, max_age=age)
return response
@api.get("/getpaircode")
@jwt_required()
def get_pair():
"""
Get a new pair code to log in to thee Swing Music mobile app
"""
# INFO: if user is already logged in, create a new pair code
token = create_new_token(get_jwt_identity())
key = token["accesstoken"][-6:]
user_identity = get_jwt_identity()
if not isinstance(user_identity, dict) or user_identity.get("id") is None:
return {"msg": "Unauthorized"}, 401
global pair_token
pair_token = {
key: token,
token_payload = create_new_token(user_identity)
code, expires_at = pair_token_store.issue(token_payload, user_identity)
server_url = request.headers.get("Origin", "").strip()
if not server_url:
server_url = request.host_url.rstrip("/")
return {
"code": code,
"expires_at": expires_at,
"ttl_seconds": pair_token_store.ttl_seconds,
"server_url": server_url,
"qr_payload": f"{server_url} {code}",
}
return {"code": key}
class PairDeviceQuery(BaseModel):
code: str = Field("", description="The code")
@@ -111,18 +350,16 @@ class PairDeviceQuery(BaseModel):
@api.get("/pair")
@jwt_required(optional=True)
@rate_limit("20 per minute")
def pair_with_code(query: PairDeviceQuery):
"""
Get an access token by sending a pair code. NOTE: A code can only be used once!
"""
global pair_token
token = pair_token.get(query.code, None)
token = pair_token_store.consume(query.code)
if token:
pair_token = {}
return token
return {"msg": "Invalid code"}, 400
return {"msg": "Invalid or expired code"}, 400
@api.post("/refresh")
@@ -193,7 +430,7 @@ def update_profile(body: UpdateProfileBody):
clean_user = {k: v for k, v in user.items() if v}
# finally, convert roles to json string
# doing it here to prevent deleting roles from clean user
# doing it here to prevent deleting roles from clean user
# when body.roles is an empty list
if body.roles is not None:
clean_user["roles"] = body.roles
@@ -229,6 +466,9 @@ def create_user(body: UpdateProfileBody):
user = UserTable.get_by_username(user["username"])
if user:
user_root = default_user_root_dir(user.username)
os.makedirs(user_root, exist_ok=True)
UserRootDirOwnershipTable.assign_paths(user.id, [user_root])
HomepageStore.entries["recently_played"].add_new_user(user.id)
return user.todict()
@@ -255,6 +495,10 @@ def create_guest_user():
user = UserTable.get_by_username("guest")
if user:
# Guest user is isolated too, but kept under a deterministic root.
user_root = default_user_root_dir(user.username)
os.makedirs(user_root, exist_ok=True)
UserRootDirOwnershipTable.assign_paths(user.id, [user_root])
HomepageStore.entries["recently_played"].add_new_user(user.id)
return {
@@ -270,6 +514,46 @@ class DeleteUseBody(BaseModel):
username: str = Field("", description="The username")
class ChangePasswordBody(BaseModel):
current_password: str = Field(description="Current password")
new_password: str = Field(description="New password")
@api.post("/password/change")
@jwt_required()
@rate_limit("5 per minute")
def change_password(body: ChangePasswordBody):
"""
Change the current user's password. Required when password_change_required is True.
"""
user_id = current_user["id"]
user = UserTable.get_by_id(user_id)
if not user:
return {"msg": "User not found"}, 404
# Verify current password
if not check_password(body.current_password, user.password):
return {"msg": "Current password is incorrect"}, 401
# Validate new password
if len(body.new_password) < 8:
return {"msg": "Password must be at least 8 characters"}, 400
if body.current_password == body.new_password:
return {"msg": "New password must be different from current password"}, 400
# Update password and clear the change required flag
updated_user = {
"id": user_id,
"password": hash_password(body.new_password),
"password_change_required": False,
}
UserTable.update_one(updated_user)
return {"msg": "Password changed successfully", "password_change_required": False}
@api.delete("/profile/delete")
@admin_required()
def delete_user(body: DeleteUseBody):
@@ -295,6 +579,15 @@ def logout():
"""
Log out and clear the access token cookie
"""
# Invalidate session in DragonflyDB
if current_user:
session_service = get_user_session_service()
if session_service.session_cache.client.is_available():
import contextlib
with contextlib.suppress(Exception):
session_service.invalidate_session(current_user["id"])
res = jsonify({"msg": "Logged out"})
res.delete_cookie("access_token_cookie")
return res
@@ -323,7 +616,7 @@ def get_all_users(query: GetAllUsersQuery):
"users": [],
}
users = [u for u in UserTable.get_all()]
users = list(UserTable.get_all())
is_admin = current_user and "admin" in current_user["roles"]
settings["enableGuest"] = [
user for user in users if user.username == "guest"
@@ -336,11 +629,7 @@ def get_all_users(query: GetAllUsersQuery):
}
# if is normal user, return empty response
elif current_user:
return res
# if not logged in and showing users on login is disabled, return empty response
elif (
elif current_user or (
not current_user
and not settings["usersOnLogin"]
and not settings["enableGuest"]