gru/pyTorrent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

auth providers

Browse Source
This commit is contained in:
Mateusz Gruszczyński
2026-05-25 08:38:08 +02:00
parent f79e072610
commit 352c53617c
8 changed files with 235 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
.env.example
View File

@@ -3,8 +3,8 @@ PYTORRENT_DB_PATH=data/pytorrent.sqlite3
PYTORRENT_HOST=0.0.0.0
PYTORRENT_PORT=8090
PYTORRENT_DEBUG=0
PYTORRENT_POLL_INTERVAL=0.5
MIN_POLL_INTERVAL_SECONDS=0.5
PYTORRENT_POLL_INTERVAL=1
MIN_POLL_INTERVAL_SECONDS=1
PYTORRENT_WORKERS=16
PYTORRENT_GEOIP_DB=data/GeoLite2-City.mmdb
PYTORRENT_ALLOW_UNSAFE_WERKZEUG=0
@@ -13,9 +13,6 @@ PYTORRENT_SCGI_RETRIES=8
# css/js libs
PYTORRENT_USE_OFFLINE_LIBS=true
# python -m pytorrent.cli reset-password admin new_Pass
PYTORRENT_AUTH_ENABLE=false
# Reverse proxy / HTTPS
PYTORRENT_PROXY_FIX_ENABLE=false
PYTORRENT_SESSION_COOKIE_SECURE=false
@@ -41,4 +38,34 @@ PYTORRENT_LOG_DIR=data/logs
PYTORRENT_LOG_RETENTION_HOURS=24
PYTORRENT_GUNICORN_ACCESS_LOG=data/logs/gunicorn-access.log
PYTORRENT_GUNICORN_ERROR_LOG=data/logs/gunicorn-error.log
PYTORRENT_GUNICORN_LOG_LEVEL=info
PYTORRENT_GUNICORN_LOG_LEVEL=info
#### AUTH
# python -m pytorrent.cli reset-password admin new_Pass
PYTORRENT_AUTH_ENABLE=false
# Authentication provider
# Available variants:
# - local = built-in login screen with username/password
# - tinyauth = external auth via Tinyauth / reverse proxy headers
# - proxy = generic external reverse proxy auth
PYTORRENT_AUTH_PROVIDER=tinyauth
# Headers passed by Tinyauth
PYTORRENT_AUTH_PROXY_USER_HEADER=Remote-User
PYTORRENT_AUTH_PROXY_EMAIL_HEADER=Remote-Email
PYTORRENT_AUTH_PROXY_NAME_HEADER=Remote-Name
PYTORRENT_AUTH_PROXY_SUB_HEADER=Remote-Sub
# Headers passed by external reverse proxy
#PYTORRENT_AUTH_PROXY_USER_HEADER=X-Forwarded-User
#PYTORRENT_AUTH_PROXY_EMAIL_HEADER=X-Forwarded-Email
#PYTORRENT_AUTH_PROXY_NAME_HEADER=X-Forwarded-Name
# Auto-create user when authenticated externally but missing in DB
PYTORRENT_AUTH_PROXY_AUTO_CREATE=true
# Defaults for auto-created users
PYTORRENT_AUTH_PROXY_AUTO_CREATE_ROLE=admin
PYTORRENT_AUTH_PROXY_AUTO_CREATE_PERMISSION=rw

20
pytorrent/config.py
View File

@@ -29,6 +29,26 @@ DEBUG = _env_bool("PYTORRENT_DEBUG", False)
USE_OFFLINE_LIBS = _env_bool("PYTORRENT_USE_OFFLINE_LIBS", False)
# Note: Optional authentication remains disabled unless explicitly enabled in .env.
AUTH_ENABLE = _env_bool("PYTORRENT_AUTH_ENABLE", False)
AUTH_PROVIDER = os.getenv("PYTORRENT_AUTH_PROVIDER", "local").strip().lower() or "local"
if AUTH_PROVIDER == "tinyauth":
AUTH_PROXY_USER_HEADER = os.getenv("PYTORRENT_AUTH_PROXY_USER_HEADER", "Remote-User")
AUTH_PROXY_EMAIL_HEADER = os.getenv("PYTORRENT_AUTH_PROXY_EMAIL_HEADER", "Remote-Email")
AUTH_PROXY_NAME_HEADER = os.getenv("PYTORRENT_AUTH_PROXY_NAME_HEADER", "Remote-Name")
AUTH_PROXY_SUBJECT_HEADER = os.getenv("PYTORRENT_AUTH_PROXY_SUBJECT_HEADER", "Remote-Sub")
else:
AUTH_PROXY_USER_HEADER = os.getenv("PYTORRENT_AUTH_PROXY_USER_HEADER", "Remote-User")
AUTH_PROXY_EMAIL_HEADER = os.getenv("PYTORRENT_AUTH_PROXY_EMAIL_HEADER", "Remote-Email")
AUTH_PROXY_NAME_HEADER = os.getenv("PYTORRENT_AUTH_PROXY_NAME_HEADER", "Remote-Name")
AUTH_PROXY_SUBJECT_HEADER = os.getenv("PYTORRENT_AUTH_PROXY_SUBJECT_HEADER", "")
AUTH_PROXY_AUTO_CREATE = _env_bool("PYTORRENT_AUTH_PROXY_AUTO_CREATE", False)
AUTH_PROXY_DEFAULT_ROLE = os.getenv("PYTORRENT_AUTH_PROXY_DEFAULT_ROLE", "user").strip().lower()
AUTH_PROXY_DEFAULT_ACCESS = os.getenv("PYTORRENT_AUTH_PROXY_DEFAULT_ACCESS", "ro").strip().lower()
if AUTH_PROVIDER not in {"local", "proxy", "tinyauth"}:
AUTH_PROVIDER = "local"
if AUTH_PROXY_DEFAULT_ROLE not in {"user", "admin"}:
AUTH_PROXY_DEFAULT_ROLE = "user"
if AUTH_PROXY_DEFAULT_ACCESS not in {"none", "ro", "full"}:
AUTH_PROXY_DEFAULT_ACCESS = "ro"
if AUTH_ENABLE and (not _SECRET_KEY_ENV or SECRET_KEY == "dev-change-me"):
# Note: Auth mode cannot use Flask's development secret; persist a local random session key instead.
_secret_file = BASE_DIR / "data" / ".session_secret"

8
pytorrent/db.py
View File

@@ -10,6 +10,10 @@ CREATE TABLE IF NOT EXISTS users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username TEXT UNIQUE NOT NULL,
password_hash TEXT,
email TEXT,
display_name TEXT,
external_auth_provider TEXT,
external_subject TEXT,
role TEXT DEFAULT 'user',
is_active INTEGER DEFAULT 1,
created_at TEXT NOT NULL,
@@ -501,6 +505,10 @@ CREATE TABLE IF NOT EXISTS tracker_favicon_cache (
MIGRATIONS = [
"ALTER TABLE api_tokens ADD COLUMN last_used_at TEXT",
"ALTER TABLE users ADD COLUMN email TEXT",
"ALTER TABLE users ADD COLUMN display_name TEXT",
"ALTER TABLE users ADD COLUMN external_auth_provider TEXT",
"ALTER TABLE users ADD COLUMN external_subject TEXT",
"ALTER TABLE users ADD COLUMN role TEXT DEFAULT 'user'",
"ALTER TABLE users ADD COLUMN is_active INTEGER DEFAULT 1",
"ALTER TABLE users ADD COLUMN updated_at TEXT",

6
pytorrent/routes/auth_api.py
View File

@@ -2,7 +2,7 @@ from __future__ import annotations
from flask import abort, jsonify, request
from ..services.auth import current_user, list_users, save_user, delete_user, login_user, logout_user, enabled as auth_enabled, list_api_tokens, create_api_token, revoke_api_token
from ..services.auth import current_user, list_users, save_user, delete_user, login_user, logout_user, enabled as auth_enabled, provider as auth_provider, list_api_tokens, create_api_token, revoke_api_token
def _ok(payload=None):
@@ -21,13 +21,13 @@ def register_auth_routes(bp):
user = login_user(str(data.get("username") or ""), str(data.get("password") or ""))
if not user:
return jsonify({"ok": False, "error": "Invalid username or password"}), 401
return _ok({"user": user, "auth_enabled": auth_enabled()})
return _ok({"user": user, "auth_enabled": auth_enabled(), "auth_provider": auth_provider()})
@bp.get("/auth/me")
def auth_me():
if not auth_enabled():
abort(404)
return _ok({"user": current_user(), "auth_enabled": auth_enabled()})
return _ok({"user": current_user(), "auth_enabled": auth_enabled(), "auth_provider": auth_provider()})
@bp.post("/auth/logout")
def auth_logout():

14
pytorrent/routes/main.py
View File

@@ -174,13 +174,23 @@ def login():
# Note: When optional authentication is disabled, /login is intentionally unavailable.
if not auth.enabled():
abort(404)
next_url = request.args.get("next") or url_for("main.index")
if auth.uses_external_provider():
user = auth.authenticate_external_user()
if user:
return redirect(next_url)
return render_template(
"login.html",
error="External authentication headers were not accepted by pyTorrent.",
external_provider=auth.provider(),
), 401
error = ""
if request.method == "POST":
user = auth.login_user(request.form.get("username", ""), request.form.get("password", ""))
if user:
return redirect(request.args.get("next") or url_for("main.index"))
return redirect(next_url)
error = "Invalid username or password"
return render_template("login.html", error=error)
return render_template("login.html", error=error, external_provider=None)
@bp.get("/logout")

148
pytorrent/services/auth.py
View File

@@ -9,7 +9,17 @@ from urllib.parse import urlparse
from flask import abort, g, jsonify, redirect, request, session, url_for
from werkzeug.security import check_password_hash, generate_password_hash
from ..config import AUTH_ENABLE
from ..config import (
AUTH_ENABLE,
AUTH_PROVIDER,
AUTH_PROXY_AUTO_CREATE,
AUTH_PROXY_DEFAULT_ACCESS,
AUTH_PROXY_DEFAULT_ROLE,
AUTH_PROXY_EMAIL_HEADER,
AUTH_PROXY_NAME_HEADER,
AUTH_PROXY_SUBJECT_HEADER,
AUTH_PROXY_USER_HEADER,
)
from ..db import connect, default_user_id, utcnow
PUBLIC_ENDPOINTS = {"main.login", "main.logout", "api.auth_login", "api.auth_me", "static"}
@@ -47,6 +57,14 @@ def enabled() -> bool:
return bool(AUTH_ENABLE)
def provider() -> str:
return AUTH_PROVIDER if AUTH_PROVIDER in {"local", "proxy", "tinyauth"} else "local"
def uses_external_provider() -> bool:
return enabled() and provider() in {"proxy", "tinyauth"}
def password_hash(password: str) -> str:
return generate_password_hash(password or "")
@@ -57,6 +75,9 @@ def current_user_id() -> int:
api_user_id = getattr(g, "api_user_id", None)
if api_user_id:
return int(api_user_id)
external_user_id = getattr(g, "external_user_id", None)
if external_user_id:
return int(external_user_id)
try:
return int(session.get("user_id") or 0)
except Exception:
@@ -69,7 +90,7 @@ def current_user() -> dict[str, Any] | None:
return None
with connect() as conn:
return conn.execute(
"SELECT id, username, role, is_active, created_at, updated_at FROM users WHERE id=?",
"SELECT id, username, email, display_name, external_auth_provider, external_subject, role, is_active, created_at, updated_at FROM users WHERE id=?",
(uid,),
).fetchone()
@@ -200,6 +221,8 @@ def require_profile_write(profile_id: int | None) -> None:
def login_user(username: str, password: str) -> dict[str, Any] | None:
if not enabled():
return {"id": default_user_id(), "username": "default", "role": "admin", "is_active": 1}
if uses_external_provider():
return None
with connect() as conn:
user = conn.execute("SELECT * FROM users WHERE username=?", (username.strip(),)).fetchone()
if not user or not int(user.get("is_active") or 0):
@@ -213,6 +236,109 @@ def login_user(username: str, password: str) -> dict[str, Any] | None:
return current_user()
def _clean_header_value(name: str) -> str:
if not name:
return ""
value = request.headers.get(name) or request.headers.get(name.lower()) or request.headers.get(name.upper()) or ""
return str(value).strip()
def _safe_username(value: str, fallback: str = "external-user") -> str:
raw = str(value or "").strip()
if "@" in raw:
raw = raw.split("@", 1)[0]
clean = "".join(ch for ch in raw if ch.isalnum() or ch in {".", "_", "-"}).strip("._-")
return (clean or fallback)[:80]
def _external_identity_from_headers() -> dict[str, str] | None:
username = _clean_header_value(AUTH_PROXY_USER_HEADER)
email = _clean_header_value(AUTH_PROXY_EMAIL_HEADER)
display_name = _clean_header_value(AUTH_PROXY_NAME_HEADER)
subject = _clean_header_value(AUTH_PROXY_SUBJECT_HEADER) if AUTH_PROXY_SUBJECT_HEADER else ""
if not username and email:
username = email.split("@", 1)[0]
if not username:
return None
return {
"provider": provider(),
"username": _safe_username(username),
"email": email[:254],
"display_name": display_name[:160],
"subject": (subject or username or email)[:254],
}
def _grant_default_external_permissions(conn, user_id: int, now: str) -> None:
if AUTH_PROXY_DEFAULT_ACCESS == "none" or AUTH_PROXY_DEFAULT_ROLE == "admin":
return
conn.execute(
"INSERT OR IGNORE INTO user_profile_permissions(user_id,profile_id,access_level,created_at,updated_at) VALUES(?,?,?,?,?)",
(user_id, 0, AUTH_PROXY_DEFAULT_ACCESS, now, now),
)
def authenticate_external_user() -> dict[str, Any] | None:
if not uses_external_provider():
return None
identity = _external_identity_from_headers()
if not identity:
return None
now = utcnow()
with connect() as conn:
user = None
if identity["subject"]:
user = conn.execute(
"SELECT * FROM users WHERE external_auth_provider=? AND external_subject=?",
(identity["provider"], identity["subject"]),
).fetchone()
if not user:
user = conn.execute("SELECT * FROM users WHERE username=?", (identity["username"],)).fetchone()
if not user and identity["email"]:
user = conn.execute("SELECT * FROM users WHERE lower(email)=lower(?)", (identity["email"],)).fetchone()
if not user:
if not AUTH_PROXY_AUTO_CREATE:
return None
cur = conn.execute(
"""INSERT INTO users(username,password_hash,email,display_name,external_auth_provider,external_subject,role,is_active,created_at,updated_at)
VALUES(?,?,?,?,?,?,?,?,?,?)""",
(
identity["username"],
None,
identity["email"] or None,
identity["display_name"] or None,
identity["provider"],
identity["subject"] or identity["username"],
AUTH_PROXY_DEFAULT_ROLE,
1,
now,
now,
),
)
user_id = int(cur.lastrowid)
_grant_default_external_permissions(conn, user_id, now)
user = conn.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchone()
else:
user_id = int(user["id"])
conn.execute(
"""UPDATE users
SET email=COALESCE(NULLIF(?, ''), email),
display_name=COALESCE(NULLIF(?, ''), display_name),
external_auth_provider=?,
external_subject=COALESCE(NULLIF(?, ''), external_subject),
updated_at=?
WHERE id=?""",
(identity["email"], identity["display_name"], identity["provider"], identity["subject"], now, user_id),
)
user = conn.execute("SELECT * FROM users WHERE id=?", (user_id,)).fetchone()
if not user or not int(user.get("is_active") or 0):
return None
g.external_user_id = int(user["id"])
return _public_user(user)
def logout_user() -> None:
session.clear()
@@ -236,7 +362,7 @@ def list_users() -> list[dict[str, Any]]:
require_admin()
with connect() as conn:
users = conn.execute(
"SELECT id, username, role, is_active, created_at, updated_at FROM users ORDER BY username COLLATE NOCASE"
"SELECT id, username, email, display_name, external_auth_provider, external_subject, role, is_active, created_at, updated_at FROM users ORDER BY username COLLATE NOCASE"
).fetchall()
perms = conn.execute(
"SELECT user_id, profile_id, access_level FROM user_profile_permissions ORDER BY user_id, profile_id"
@@ -271,13 +397,13 @@ def save_user(data: dict[str, Any], user_id: int | None = None) -> dict[str, Any
if not row:
raise ValueError("User does not exist")
conn.execute(
"UPDATE users SET username=?, role=?, is_active=?, updated_at=? WHERE id=?",
(username, role, is_active, now, user_id),
"UPDATE users SET username=?, email=?, display_name=?, role=?, is_active=?, updated_at=? WHERE id=?",
(username, str(data.get("email") or "").strip() or None, str(data.get("display_name") or "").strip() or None, role, is_active, now, user_id),
)
else:
cur = conn.execute(
"INSERT INTO users(username,password_hash,role,is_active,created_at,updated_at) VALUES(?,?,?,?,?,?)",
(username, password_hash(str(data.get("password") or username)), role, is_active, now, now),
"INSERT INTO users(username,password_hash,email,display_name,role,is_active,created_at,updated_at) VALUES(?,?,?,?,?,?,?,?)",
(username, password_hash(str(data.get("password") or username)), str(data.get("email") or "").strip() or None, str(data.get("display_name") or "").strip() or None, role, is_active, now, now),
)
user_id = int(cur.lastrowid)
if data.get("password"):
@@ -293,7 +419,7 @@ def save_user(data: dict[str, Any], user_id: int | None = None) -> dict[str, Any
)
else:
conn.execute("DELETE FROM user_profile_permissions WHERE user_id=?", (user_id,))
return conn.execute("SELECT id, username, role, is_active, created_at, updated_at FROM users WHERE id=?", (user_id,)).fetchone()
return conn.execute("SELECT id, username, email, display_name, external_auth_provider, external_subject, role, is_active, created_at, updated_at FROM users WHERE id=?", (user_id,)).fetchone()
def delete_user(user_id: int) -> None:
@@ -323,6 +449,10 @@ def _public_user(row: dict[str, Any] | None) -> dict[str, Any] | None:
return {
"id": int(row["id"]),
"username": row.get("username"),
"email": row.get("email"),
"display_name": row.get("display_name"),
"external_auth_provider": row.get("external_auth_provider"),
"external_subject": row.get("external_subject"),
"role": row.get("role") or "user",
"is_active": int(row.get("is_active") or 0),
"created_at": row.get("created_at"),
@@ -445,6 +575,8 @@ def install_guards(app) -> None:
if token_user:
g.api_user_id = int(token_user["id"])
g.api_token_authenticated = True
if not getattr(g, "api_user_id", None):
authenticate_external_user()
endpoint = request.endpoint or ""
if endpoint in PUBLIC_ENDPOINTS or endpoint.startswith("static"):
return None

11
pytorrent/static/styles.css
View File

@@ -2379,6 +2379,17 @@ body.mobile-mode .mobile-filter-bar {
text-align: left;
}
.auth-provider-note {
margin-top: 1rem;
padding: 0.75rem;
border: 1px solid var(--bs-border-color);
border-radius: 0.75rem;
background: rgba(var(--bs-tertiary-bg-rgb), 0.5);
color: var(--bs-secondary-color);
font-size: 0.82rem;
text-align: left;
}
.auth-form {
margin-top: 1.2rem;
text-align: left;

8
pytorrent/templates/login.html
View File

@@ -16,6 +16,13 @@
<div class="initial-loader-brand"><i class="fa-solid fa-robot"></i> pyTorrent</div>
<div class="auth-lock" aria-hidden="true"><i class="fa-solid fa-lock"></i></div>
<h1 class="initial-loader-title">Sign in</h1>
{% if external_provider %}
<p class="initial-loader-text">External authentication is enabled through {{ external_provider }}.</p>
{% if error %}<div class="alert alert-warning auth-alert">{{ error }}</div>{% endif %}
<div class="auth-provider-note">
pyTorrent expects trusted reverse-proxy identity headers. If you are already signed in, check provider headers and user mapping.
</div>
{% else %}
<p class="initial-loader-text">Authentication is enabled for this pyTorrent instance.</p>
{% if error %}<div class="alert alert-danger auth-alert">{{ error }}</div>{% endif %}
<form class="auth-form" method="post">
@@ -25,6 +32,7 @@
<input id="password" class="form-control" name="password" type="password" autocomplete="current-password">
<button class="btn btn-primary w-100" type="submit"><i class="fa-solid fa-right-to-bracket"></i> Log in</button>
</form>
{% endif %}
</main>
</body>
</html>