Interfaces authentication and multi-user

[PACHAKUTlQ]

All the interfaces have been protected by JWT based authentication system, with only logged-in users can access the configs and make modifications to announcements and configs of his own. All the authentications are based on user, and the sign-up and log-in interface have been added, which enables multiple users to share the same backend while still supporting a single user running uvicorn locally.

[PACHAKUTlQ]

• /browser should open the link in frontend instead of backend, since backend can be put on a server instead of running locally
• When signing up, canvas url and access token of canvas should be required and verified, and there should be a captcha there to prevent brute-force registrations
• All interfaces should have anti-csrf protection. Currently CSRF protection relies on CORS settings of cookies, which is not enough.
• All interfaces should limit rates by using IP (DO NOT use XFF header, instead use something that cannot be forged)

[linsyking]

• /browser should open the link in frontend instead of backend, since backend can be put on a server instead of running locally

Generally it should open in the frontend but in wallpaper engine it bans user from opening web browser so maybe we can set this as an option in config file.

[linsyking]

What is this url?

[PACHAKUTlQ]

This was used for setting CORS for all cookies. And CORS shouldn't be changed to wildcard mark "*" because CORS protected against CSRF attacks. This URL was also used for redirecting user. But I just changed the tokens to be stored not in cookie but instead in localStorage, and include it in Authorization header, as OAuth2 recommend, so this url will be removed.

[linsyking]

Hi, may you change the target branch to feat/multi-user? Thanks!

[linsyking]

You need to add new dependencies like passlib to requirements.txt. Test it in a new environment (clone in another folder, create venv).

I have error when starting:

  File "auth.py", line 51, in gen_key
    with open(secret_file, 'w') as f:
         ^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: './canvas/.secret'

[PACHAKUTlQ]

There is an easier workaround for path on Windows by simply format Windows path into Unix path: fullPath = fullPath.replace("\\", "/"), so no need for merge conflicts.

[PACHAKUTlQ]

You need to add new dependencies like passlib to requirements.txt. Test it in a new environment (clone in another folder, create venv).

I have error when starting:

  File "auth.py", line 51, in gen_key
    with open(secret_file, 'w') as f:
         ^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: './canvas/.secret'

If you encounter this, please add a folder called canvas, where there are two empty folders, one called user_configs and the other called user_caches. The .secret file will be automatically written into the canvas directory. This FileNotFoundError seems to be because the canvas folder is ignored by .gitignore (of course files in it MUST be ignored, but the empty folder should be there.). I will fix it.

[linsyking]

Hi, could you push code to a branch in this repo rather than in this PR?

[PACHAKUTlQ]

ok. I forgot to close this PR. I am closing it now. I will open a new branch as soon as I fix the bugs.