music-assistant-server
9.6 KB•PY
auth_middleware.py
9.6 KB • 281 lines • python
1"""Authentication middleware and helpers for HTTP requests and WebSocket connections."""
2
3from __future__ import annotations
4
5import logging
6from contextvars import ContextVar
7from typing import TYPE_CHECKING, Any, cast
8
9from aiohttp import web
10from music_assistant_models.auth import AuthProviderType, User, UserRole
11
12from music_assistant.constants import HOMEASSISTANT_SYSTEM_USER, MASS_LOGGER_NAME, VERBOSE_LOG_LEVEL
13
14from .auth_providers import get_ha_user_details, get_ha_user_role
15
16LOGGER = logging.getLogger(f"{MASS_LOGGER_NAME}.auth")
17
18if TYPE_CHECKING:
19 from music_assistant import MusicAssistant
20
21# Context key for storing authenticated user in request
22USER_CONTEXT_KEY = "authenticated_user"
23
24# ContextVar for tracking current user and token across async calls
25current_user: ContextVar[User | None] = ContextVar("current_user", default=None)
26current_token: ContextVar[str | None] = ContextVar("current_token", default=None)
27# ContextVar for tracking the sendspin player associated with the current connection
28sendspin_player_id: ContextVar[str | None] = ContextVar("sendspin_player_id", default=None)
29
30
31async def get_authenticated_user(request: web.Request) -> User | None:
32 """Get authenticated user from request.
33
34 :param request: The aiohttp request.
35 """
36 # Check if user is already in context (from middleware)
37 if USER_CONTEXT_KEY in request:
38 return cast("User | None", request[USER_CONTEXT_KEY])
39
40 mass: MusicAssistant = request.app["mass"]
41
42 # Check for Home Assistant Ingress connections
43 if is_request_from_ingress(request):
44 ingress_user_id = request.headers.get("X-Remote-User-ID")
45 ingress_username = request.headers.get("X-Remote-User-Name")
46 ingress_display_name = request.headers.get("X-Remote-User-Display-Name")
47
48 # Require all Ingress headers to be present for security
49 if not (ingress_user_id and ingress_username):
50 return None
51
52 # Try to find existing user linked to this HA user ID
53 user = await mass.webserver.auth.get_user_by_provider_link(
54 AuthProviderType.HOME_ASSISTANT, ingress_user_id
55 )
56 if not user:
57 user = await mass.webserver.auth.get_user_by_username(ingress_username)
58 if not user:
59 # New user - fetch details from HA
60 ha_username, ha_display_name, avatar_url = await get_ha_user_details(
61 mass, ingress_user_id
62 )
63 role = await get_ha_user_role(mass, ingress_user_id)
64 user = await mass.webserver.auth.create_user(
65 username=ha_username or ingress_username,
66 role=role,
67 display_name=ha_display_name or ingress_display_name,
68 avatar_url=avatar_url,
69 )
70
71 # Link to Home Assistant provider (or create the link if user already existed)
72 await mass.webserver.auth.link_user_to_provider(
73 user, AuthProviderType.HOME_ASSISTANT, ingress_user_id
74 )
75
76 # Update user with HA details if available (HA is source of truth)
77 # Fall back to ingress headers if API lookup doesn't return values
78 _, ha_display_name, avatar_url = await get_ha_user_details(mass, ingress_user_id)
79 final_display_name = ha_display_name or ingress_display_name
80 LOGGER.log(
81 VERBOSE_LOG_LEVEL,
82 "Ingress auth for user %s: ha_display_name=%s, ingress_display_name=%s, "
83 "final_display_name=%s, avatar_url=%s",
84 user.username,
85 ha_display_name,
86 ingress_display_name,
87 final_display_name,
88 avatar_url,
89 )
90 if final_display_name or avatar_url:
91 user = await mass.webserver.auth.update_user(
92 user,
93 display_name=final_display_name,
94 avatar_url=avatar_url,
95 )
96 LOGGER.log(
97 VERBOSE_LOG_LEVEL,
98 "Updated user %s: display_name=%s, avatar_url=%s",
99 user.username,
100 user.display_name,
101 user.avatar_url,
102 )
103
104 # Store in request context
105 request[USER_CONTEXT_KEY] = user
106 return user
107
108 # Try to authenticate from Authorization header
109 auth_header = request.headers.get("Authorization")
110 if not auth_header:
111 return None
112
113 # Expected format: "Bearer <token>"
114 parts = auth_header.split(" ", 1)
115 if len(parts) != 2 or parts[0].lower() != "bearer":
116 return None
117
118 token = parts[1]
119
120 # Authenticate with token (works for both user tokens and API keys)
121 user = await mass.webserver.auth.authenticate_with_token(token)
122 if user:
123 # Security: Deny homeassistant system user on regular (non-Ingress) webserver
124 if not is_request_from_ingress(request) and user.username == HOMEASSISTANT_SYSTEM_USER:
125 # Reject system user on regular webserver (should only use Ingress server)
126 return None
127
128 # Store in request context
129 request[USER_CONTEXT_KEY] = user
130
131 return user
132
133
134async def require_authentication(request: web.Request) -> User:
135 """Require authentication for a request, raise 401 if not authenticated.
136
137 :param request: The aiohttp request.
138 """
139 user = await get_authenticated_user(request)
140 if not user:
141 raise web.HTTPUnauthorized(
142 text="Authentication required",
143 headers={"WWW-Authenticate": 'Bearer realm="Music Assistant"'},
144 )
145 return user
146
147
148async def require_admin(request: web.Request) -> User:
149 """Require admin role for a request, raise 403 if not admin.
150
151 :param request: The aiohttp request.
152 """
153 user = await require_authentication(request)
154 if user.role != UserRole.ADMIN:
155 raise web.HTTPForbidden(text="Admin access required")
156 return user
157
158
159def get_current_user() -> User | None:
160 """
161 Get the current authenticated user from context.
162
163 :return: The current user or None if not authenticated.
164 """
165 return current_user.get()
166
167
168def set_current_user(user: User | None) -> None:
169 """
170 Set the current authenticated user in context.
171
172 :param user: The user to set as current.
173 """
174 current_user.set(user)
175
176
177def get_current_token() -> str | None:
178 """
179 Get the current authentication token from context.
180
181 :return: The current token or None if not authenticated.
182 """
183 return current_token.get()
184
185
186def set_current_token(token: str | None) -> None:
187 """
188 Set the current authentication token in context.
189
190 :param token: The token to set as current.
191 """
192 current_token.set(token)
193
194
195def get_sendspin_player_id() -> str | None:
196 """Get the sendspin player ID associated with the current connection.
197
198 :return: The sendspin player ID or None if not a sendspin connection.
199 """
200 return sendspin_player_id.get()
201
202
203def set_sendspin_player_id(player_id: str | None) -> None:
204 """Set the sendspin player ID for the current connection.
205
206 :param player_id: The sendspin player ID to set.
207 """
208 sendspin_player_id.set(player_id)
209
210
211def is_request_from_ingress(request: web.Request) -> bool:
212 """Check if request is coming from Home Assistant Ingress (internal network).
213
214 Security is enforced by socket-level verification (IP/port binding), not headers.
215 Only requests on the internal ingress TCP site (172.30.32.x:8094) are accepted.
216
217 :param request: The aiohttp request.
218 """
219 # Check if ingress site is configured in the app
220 ingress_site_params = request.app.get("ingress_site")
221 if not ingress_site_params:
222 # No ingress site configured, can't be an ingress request
223 return False
224
225 try:
226 # Security: Verify the request came through the ingress site by checking socket
227 # to prevent bypassing authentication on the regular webserver
228 transport = request.transport
229 if transport:
230 sockname = transport.get_extra_info("sockname")
231 if sockname and len(sockname) >= 2:
232 server_ip, server_port = sockname[0], sockname[1]
233 expected_ip, expected_port = ingress_site_params
234 # Request must match the ingress site's bind address and port
235 return bool(server_ip == expected_ip and server_port == expected_port)
236 except Exception: # noqa: S110
237 pass
238
239 return False
240
241
242@web.middleware
243async def auth_middleware(request: web.Request, handler: Any) -> web.StreamResponse:
244 """Authenticate requests and store user in context.
245
246 :param request: The aiohttp request.
247 :param handler: The request handler.
248 """
249 # Skip authentication for ingress requests (HA handles auth)
250 if is_request_from_ingress(request):
251 return cast("web.StreamResponse", await handler(request))
252
253 # Unauthenticated routes (static files, info, login, setup, etc.)
254 unauthenticated_paths = [
255 "/info",
256 "/login",
257 "/setup",
258 "/auth/",
259 "/api-docs/",
260 "/assets/",
261 "/favicon.ico",
262 "/manifest.json",
263 "/index.html",
264 "/",
265 ]
266
267 # Check if path should bypass auth
268 for path_prefix in unauthenticated_paths:
269 if request.path.startswith(path_prefix):
270 return cast("web.StreamResponse", await handler(request))
271
272 # Try to authenticate
273 user = await get_authenticated_user(request)
274
275 # Store user in context (might be None for unauthenticated requests)
276 request[USER_CONTEXT_KEY] = user
277
278 # Let the handler decide if authentication is required
279 # The handler will call require_authentication() if needed
280 return cast("web.StreamResponse", await handler(request))
281