ee6ed1d3c4
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Adds the read+write endpoints the frontend needs to drive a
ProjectionLab-style UX on top of the existing engine.
- /networth, /networth/history — NW total + per-account from
account_snapshot (frontend chart)
- /scenarios CRUD + projection — list/get/create/patch/delete user
scenarios; cartesian read-only
- /scenarios/{id}/life-events — life event CRUD nested under scenario
- /life-events/{id} — patch + delete by id
- /scenarios/{id}/goals,
/goals/{id} — retirement goal CRUD
- /simulate, /compare — sync, no-DB-write what-if endpoints
Auth: Bearer-token dependency on writes + simulate when API_BEARER_TOKEN
is set; reads always open (lock down via Authentik-fronted ingress in
prod). Existing /recompute keeps its bearer auth.
CORS middleware reads FRONTEND_ORIGINS (comma-separated) for the dev
SPA. Lifespan now provisions the SQLAlchemy engine + session_factory
on app.state and disposes them on shutdown.
40 new tests covering happy paths and validation. 172 tests total.
mypy strict + ruff clean (B008 ignore added — Depends() in defaults
is the canonical FastAPI pattern, not a bug).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
42 lines
1.5 KiB
Python
42 lines
1.5 KiB
Python
"""Bearer-token auth shared across routers.
|
|
|
|
Two modes, picked at startup from env:
|
|
- API_BEARER_TOKEN set → enforce Bearer auth on all write/compute paths
|
|
- API_BEARER_TOKEN unset (dev) → no auth, log a one-time warning
|
|
|
|
Read endpoints (`/networth`, `/scenarios`, ...) skip auth entirely so
|
|
the frontend can render without juggling tokens during dev. Lock those
|
|
down later via Authentik-fronted ingress when we deploy.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import hmac
|
|
import logging
|
|
import os
|
|
|
|
from fastapi import Header, HTTPException
|
|
|
|
log = logging.getLogger(__name__)
|
|
|
|
_warned_unauth = False
|
|
|
|
|
|
def _read_token() -> str | None:
|
|
return os.environ.get("API_BEARER_TOKEN") or os.environ.get("RECOMPUTE_BEARER_TOKEN")
|
|
|
|
|
|
async def require_bearer(authorization: str | None = Header(default=None)) -> None:
|
|
"""FastAPI dependency: enforce bearer auth IF API_BEARER_TOKEN is set."""
|
|
expected = _read_token()
|
|
if not expected:
|
|
global _warned_unauth
|
|
if not _warned_unauth:
|
|
log.warning("API_BEARER_TOKEN unset — write endpoints are open. "
|
|
"Set it before exposing this service.")
|
|
_warned_unauth = True
|
|
return
|
|
if not authorization or not authorization.startswith("Bearer "):
|
|
raise HTTPException(status_code=401, detail="Missing bearer token")
|
|
token = authorization.removeprefix("Bearer ")
|
|
if not hmac.compare_digest(token, expected):
|
|
raise HTTPException(status_code=401, detail="Invalid token")
|