mirror of
https://github.com/rommapp/romm.git
synced 2026-06-28 06:46:00 +00:00
519abc1645
Implements RFC 8628-style device authorization so clients (argosy-launcher, grout) can pair by display instead of manually copying tokens. Device posts to an open /api/auth/device/init with its identifier and requested scopes; the server returns device_code + user_code + QR URL. User scans QR, lands at /pair/device, approves (optionally editing name/scopes/expiry); the device's next poll on /api/auth/device/token returns a ClientToken bound 1:1 to a newly- created (or deduped) Device record. Downstream endpoints (/play-sessions, /sync/negotiate) infer device_id from the bound token so the client doesn't have to ship it on every call. - Migrations 0080/0081: devices.client_device_identifier (unique per user) and client_tokens.device_id FK (ON DELETE SET NULL) - Five new endpoints under /api/auth/device (init/pending/approve/ deny/token) with Redis-backed state, per-IP rate limits, and RFC-compliant error codes (authorization_pending, slow_down, expired_token, access_denied) - HybridAuthBackend surfaces bound device_id on request.state and bumps devices.last_seen with a 5-minute debounce - /api/users/me returns current_device_id for bound tokens so a device can identify itself from its token alone - Frontend approval screen at /pair/device with editable scopes/ name/expiry (defaults to Never), 3s auto-close countdown - ClientApiTokens settings list shows bound-device chip - 20 i18n keys added to all 17 locales; generated models updated - 52 new tests across 13 classes; full suite 1334 passed Planning and review assisted by Claude Code.
186 lines
5.5 KiB
Python
186 lines
5.5 KiB
Python
from collections.abc import Sequence
|
|
from datetime import datetime, timedelta, timezone
|
|
|
|
from sqlalchemy import delete, select, update
|
|
from sqlalchemy.orm import Session
|
|
|
|
from decorators.database import begin_session
|
|
from models.device import Device, SyncMode
|
|
from utils.datetime import to_utc
|
|
|
|
from .base_handler import DBBaseHandler
|
|
|
|
LAST_SEEN_DEBOUNCE = timedelta(minutes=5)
|
|
|
|
|
|
class DBDevicesHandler(DBBaseHandler):
|
|
@begin_session
|
|
def add_device(
|
|
self,
|
|
device: Device,
|
|
session: Session = None, # type: ignore
|
|
) -> Device:
|
|
return session.merge(device)
|
|
|
|
@begin_session
|
|
def get_device(
|
|
self,
|
|
device_id: str,
|
|
user_id: int,
|
|
session: Session = None, # type: ignore
|
|
) -> Device | None:
|
|
return session.scalar(
|
|
select(Device).filter_by(id=device_id, user_id=user_id).limit(1)
|
|
)
|
|
|
|
@begin_session
|
|
def get_device_by_fingerprint(
|
|
self,
|
|
user_id: int,
|
|
mac_address: str | None = None,
|
|
hostname: str | None = None,
|
|
ip_address: str | None = None,
|
|
platform: str | None = None,
|
|
session: Session = None, # type: ignore
|
|
) -> Device | None:
|
|
if mac_address:
|
|
device = session.scalar(
|
|
select(Device)
|
|
.filter_by(user_id=user_id, mac_address=mac_address)
|
|
.limit(1)
|
|
)
|
|
if device:
|
|
return device
|
|
|
|
if ip_address and platform:
|
|
return session.scalar(
|
|
select(Device)
|
|
.filter_by(user_id=user_id, ip_address=ip_address, platform=platform)
|
|
.limit(1)
|
|
)
|
|
|
|
if hostname and platform:
|
|
return session.scalar(
|
|
select(Device)
|
|
.filter_by(user_id=user_id, hostname=hostname, platform=platform)
|
|
.limit(1)
|
|
)
|
|
|
|
return None
|
|
|
|
@begin_session
|
|
def get_device_by_id(
|
|
self,
|
|
device_id: str,
|
|
session: Session = None, # type: ignore
|
|
) -> Device | None:
|
|
"""Get a device by ID without user filtering (for server-side operations)."""
|
|
return session.scalar(select(Device).filter_by(id=device_id).limit(1))
|
|
|
|
@begin_session
|
|
def get_device_by_client_identifier(
|
|
self,
|
|
user_id: int,
|
|
client_device_identifier: str,
|
|
session: Session = None, # type: ignore
|
|
) -> Device | None:
|
|
"""Find a device by its client-supplied stable identifier, scoped to a user."""
|
|
if not client_device_identifier:
|
|
return None
|
|
return session.scalar(
|
|
select(Device)
|
|
.filter_by(
|
|
user_id=user_id,
|
|
client_device_identifier=client_device_identifier,
|
|
)
|
|
.limit(1)
|
|
)
|
|
|
|
@begin_session
|
|
def get_devices(
|
|
self,
|
|
user_id: int,
|
|
session: Session = None, # type: ignore
|
|
) -> Sequence[Device]:
|
|
return session.scalars(select(Device).filter_by(user_id=user_id)).all()
|
|
|
|
@begin_session
|
|
def get_all_devices_by_sync_mode(
|
|
self,
|
|
sync_mode: SyncMode,
|
|
session: Session = None, # type: ignore
|
|
) -> Sequence[Device]:
|
|
"""Get all devices with a specific sync mode (across all users)."""
|
|
return session.scalars(select(Device).filter_by(sync_mode=sync_mode)).all()
|
|
|
|
@begin_session
|
|
def update_device(
|
|
self,
|
|
device_id: str,
|
|
user_id: int,
|
|
data: dict,
|
|
session: Session = None, # type: ignore
|
|
) -> Device | None:
|
|
session.execute(
|
|
update(Device)
|
|
.where(Device.id == device_id, Device.user_id == user_id)
|
|
.values(**data)
|
|
.execution_options(synchronize_session="evaluate")
|
|
)
|
|
return session.scalar(
|
|
select(Device).filter_by(id=device_id, user_id=user_id).limit(1)
|
|
)
|
|
|
|
@begin_session
|
|
def update_last_seen(
|
|
self,
|
|
device_id: str,
|
|
user_id: int,
|
|
session: Session = None, # type: ignore
|
|
) -> None:
|
|
session.execute(
|
|
update(Device)
|
|
.where(Device.id == device_id, Device.user_id == user_id)
|
|
.values(last_seen=datetime.now(timezone.utc))
|
|
.execution_options(synchronize_session="evaluate")
|
|
)
|
|
|
|
@begin_session
|
|
def update_last_seen_debounced(
|
|
self,
|
|
device_id: str,
|
|
session: Session = None, # type: ignore
|
|
) -> None:
|
|
"""Bump last_seen on the device, skipping if updated within the debounce window.
|
|
|
|
Intended for the auth hot path -- called on every authenticated client-token
|
|
request. Mirrors the debounce used by ClientToken.update_last_used.
|
|
"""
|
|
now = datetime.now(timezone.utc)
|
|
device = session.get(Device, device_id)
|
|
if device is None:
|
|
return
|
|
|
|
if device.last_seen and (now - to_utc(device.last_seen)) < LAST_SEEN_DEBOUNCE:
|
|
return
|
|
|
|
session.execute(
|
|
update(Device)
|
|
.where(Device.id == device_id)
|
|
.values(last_seen=now)
|
|
.execution_options(synchronize_session="evaluate")
|
|
)
|
|
|
|
@begin_session
|
|
def delete_device(
|
|
self,
|
|
device_id: str,
|
|
user_id: int,
|
|
session: Session = None, # type: ignore
|
|
) -> None:
|
|
session.execute(
|
|
delete(Device)
|
|
.where(Device.id == device_id, Device.user_id == user_id)
|
|
.execution_options(synchronize_session="evaluate")
|
|
)
|