autogen/python/packages/autogen-studio/autogenstudio/web/auth/authroutes.py

import html
from typing import Optional

from fastapi import APIRouter, Cookie, Depends, HTTPException, Request, Response
from fastapi.responses import JSONResponse
from loguru import logger

from .exceptions import ProviderAuthException
from .manager import AuthManager
from .models import User

router = APIRouter()


def get_auth_manager(request: Request) -> AuthManager:
    """Get the auth manager from app state."""
    if not hasattr(request.app.state, "auth_manager"):
        raise HTTPException(status_code=500, detail="Authentication system not initialized")
    return request.app.state.auth_manager


def get_current_user(request: Request) -> User:
    """Get the current authenticated user."""
    if hasattr(request.state, "user"):
        return request.state.user

    # This shouldn't normally happen as middleware should set user
    logger.warning("User not found in request state")
    return User(id="anonymous", name="Anonymous User")


@router.get("/login-url")
async def get_login_url(auth_manager: AuthManager = Depends(get_auth_manager)):
    """Get the URL for the frontend to redirect to for login."""
    try:
        login_url = await auth_manager.provider.get_login_url()
        return {"login_url": login_url}
    except Exception as e:
        logger.error(f"Error getting login URL: {str(e)}")
        raise HTTPException(status_code=500, detail=f"Failed to generate login URL: {str(e)}") from e


@router.get("/callback")
async def oauth_callback(
    request: Request,
    code: Optional[str] = None,
    state: Optional[str] = None,
    error: Optional[str] = None,
    auth_manager: AuthManager = Depends(get_auth_manager),
):
    """
    OAuth callback handler - used by OAuth providers to redirect after auth. This endpoint renders an HTML page that communicates with the parent window
    to pass the token back to the main application.
    """
    if error:
        logger.error(f"OAuth callback error: {error}")
        # Return HTML that sends error to parent window
        escaped_error = html.escape(error)
        html_content = f"""
        <!DOCTYPE html>
        <html>
        <head>
            <title>Authentication Result</title>
            <script>
                window.onload = function() {{
                    if (window.opener) {{
                        // Send error to parent window
                        window.opener.postMessage({{
                            type: 'auth-error',
                            error: '{escaped_error}'
                        }}, '*');
                        // Close this window
                        window.close();
                    }} else {{
                        // Redirect to main app with error
                        window.location.href = '/?auth_error={escaped_error}';
                    }}
                }};
            </script>
        </head>
        <body>
            <p>Authentication failed. This window should close automatically.</p>
        </html>
        """
        return Response(content=html_content, media_type="text/html")

    # Add guard for code parameter
    if not code:
        logger.error("OAuth callback missing required 'code' parameter")
        raise HTTPException(status_code=400, detail="Missing required 'code' parameter")

    try:
        # Process the authentication callback
        user = await auth_manager.provider.process_callback(code, state)

        # Create JWT token
        token = auth_manager.create_token(user)

        # Return HTML that sends token to parent window
        html_content = f"""
        <!DOCTYPE html>
        <html>
        <head>
            <title>Authentication Complete</title>
            <script>
                window.onload = function() {{
                    const authResult = {{
                        type: 'auth-success',
                        token: '{token}',
                        user: {{
                            id: '{user.id}',
                            name: '{user.name}',
                            email: '{user.email or ""}',
                            provider: '{user.provider}'
                        }}
                    }};
                    if (window.opener) {{
                        // Send token to parent window
                        window.opener.postMessage(authResult, '*');
                        // Close this window
                        window.close();
                    }} else {{
                        // Redirect to main app with token
                        localStorage.setItem('auth_token', '{token}');
                        window.location.href = '/';
                    }}
                }};
            </script>
        </head>
        <body>
            <p>Authentication successful. This window should close automatically.</p>
        </body>
        </html>
        """
        return Response(content=html_content, media_type="text/html")

    except ProviderAuthException as e:
        logger.error(f"OAuth callback provider error: {str(e)}")
        raise HTTPException(status_code=401, detail=str(e)) from e
    except Exception as e:
        logger.error(f"Unexpected OAuth callback error: {str(e)}")
        raise HTTPException(status_code=500, detail=f"Authentication failed: {str(e)}") from e


@router.post("/callback-handler")
async def handle_callback(request: Request, auth_manager: AuthManager = Depends(get_auth_manager)):
    """
    Handle authentication code/token from frontend.This endpoint is used when the frontend handles the OAuth flow and
    needs to exchange the code for a token.
    """
    try:
        data = await request.json()
        code = data.get("code")
        state = data.get("state")

        if not code:
            raise HTTPException(status_code=400, detail="Authorization code is required")

        # Process the authentication code
        user = await auth_manager.provider.process_callback(code, state)

        # Create JWT token
        token = auth_manager.create_token(user)

        # Return token and user info
        return {
            "token": token,
            "user": {"id": user.id, "name": user.name, "email": user.email, "provider": user.provider},
        }

    except ProviderAuthException as e:
        logger.error(f"Callback handler provider error: {str(e)}")
        raise HTTPException(status_code=401, detail=str(e)) from e
    except Exception as e:
        logger.error(f"Unexpected callback handler error: {str(e)}")
        raise HTTPException(status_code=500, detail=f"Authentication failed: {str(e)}") from e


@router.get("/me")
async def get_user_info(current_user: User = Depends(get_current_user)):
    """Get information about the currently authenticated user."""
    return {
        "id": current_user.id,
        "name": current_user.name,
        "email": current_user.email,
        "provider": current_user.provider,
        "roles": current_user.roles,
    }


@router.get("/type")
async def get_auth_type(auth_manager: AuthManager = Depends(get_auth_manager)):
    """Get the configured authentication type."""
    return {"type": auth_manager.config.type, "exclude_paths": auth_manager.config.exclude_paths}
Enable Auth in AGS (#5928) <!-- Thank you for your contribution! Please review https://microsoft.github.io/autogen/docs/Contribute before opening a pull request. --> <!-- Please add a reviewer to the assignee section when you create a PR. If you don't have the access to it, we will shortly find a reviewer and assign them to your PR. --> ## Why are these changes needed? https://github.com/user-attachments/assets/b649053b-c377-40c7-aa51-ee64af766fc2 <img width="100%" alt="image" src="https://github.com/user-attachments/assets/03ba1df5-c9a2-4734-b6a2-0eb97ec0b0e0" /> ## Authentication This PR implements an experimental authentication feature to enable personalized experiences (multiple users). Currently, only GitHub authentication is supported. You can extend the base authentication class to add support for other authentication methods. By default authenticatio is disabled and only enabled when you pass in the `--auth-config` argument when running the application. ### Enable GitHub Authentication To enable GitHub authentication, create a `auth.yaml` file in your app directory: ```yaml type: github jwt_secret: "your-secret-key" token_expiry_minutes: 60 github: client_id: "your-github-client-id" client_secret: "your-github-client-secret" callback_url: "http://localhost:8081/api/auth/callback" scopes: ["user:email"] ``` Please see the documentation on [GitHub OAuth](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app) for more details on obtaining the `client_id` and `client_secret`. To pass in this configuration you can use the `--auth-config` argument when running the application: ```bash autogenstudio ui --auth-config /path/to/auth.yaml ``` Or set the environment variable: ```bash export AUTOGENSTUDIO_AUTH_CONFIG="/path/to/auth.yaml" ``` ```{note} - Authentication is currently experimental and may change in future releases - User data is stored in your configured database - When enabled, all API endpoints require authentication except for the authentication endpoints - WebSocket connections require the token to be passed as a query parameter (`?token=your-jwt-token`) ``` ## Related issue number <!-- For example: "Closes #1234" --> Closes #4350 ## Checks - [ ] I've included any doc changes needed for <https://microsoft.github.io/autogen/>. See <https://github.com/microsoft/autogen/blob/main/CONTRIBUTING.md> to build and test documentation locally. - [ ] I've added tests (if relevant) corresponding to the changes introduced in this PR. - [ ] I've made sure all auto checks have passed. --------- Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> 2025-03-14 15:02:05 -07:00			`import html`
			`from typing import Optional`

			`from fastapi import APIRouter, Cookie, Depends, HTTPException, Request, Response`
			`from fastapi.responses import JSONResponse`
			`from loguru import logger`

			`from .exceptions import ProviderAuthException`
			`from .manager import AuthManager`
			`from .models import User`

			`router = APIRouter()`


			`def get_auth_manager(request: Request) -> AuthManager:`
			`"""Get the auth manager from app state."""`
			`if not hasattr(request.app.state, "auth_manager"):`
			`raise HTTPException(status_code=500, detail="Authentication system not initialized")`
			`return request.app.state.auth_manager`


			`def get_current_user(request: Request) -> User:`
			`"""Get the current authenticated user."""`
			`if hasattr(request.state, "user"):`
			`return request.state.user`

			`# This shouldn't normally happen as middleware should set user`
			`logger.warning("User not found in request state")`
			`return User(id="anonymous", name="Anonymous User")`


			`@router.get("/login-url")`
			`async def get_login_url(auth_manager: AuthManager = Depends(get_auth_manager)):`
			`"""Get the URL for the frontend to redirect to for login."""`
			`try:`
			`login_url = await auth_manager.provider.get_login_url()`
			`return {"login_url": login_url}`
			`except Exception as e:`
			`logger.error(f"Error getting login URL: {str(e)}")`
			`raise HTTPException(status_code=500, detail=f"Failed to generate login URL: {str(e)}") from e`


			`@router.get("/callback")`
			`async def oauth_callback(`
			`request: Request,`
			`code: Optional[str] = None,`
			`state: Optional[str] = None,`
			`error: Optional[str] = None,`
			`auth_manager: AuthManager = Depends(get_auth_manager),`
			`):`
			`"""`
			`OAuth callback handler - used by OAuth providers to redirect after auth. This endpoint renders an HTML page that communicates with the parent window`
			`to pass the token back to the main application.`
			`"""`
			`if error:`
			`logger.error(f"OAuth callback error: {error}")`
			`# Return HTML that sends error to parent window`
			`escaped_error = html.escape(error)`
			`html_content = f"""`
			`<!DOCTYPE html>`
			`<html>`
			`<head>`
			`<title>Authentication Result</title>`
			`<script>`
			`window.onload = function() {{`
			`if (window.opener) {{`
			`// Send error to parent window`
			`window.opener.postMessage({{`
			`type: 'auth-error',`
			`error: '{escaped_error}'`
			`}}, '*');`
			`// Close this window`
			`window.close();`
			`}} else {{`
			`// Redirect to main app with error`
			`window.location.href = '/?auth_error={escaped_error}';`
			`}}`
			`}};`
			`</script>`
			`</head>`
			`<body>`
			`<p>Authentication failed. This window should close automatically.</p>`
			`</html>`
			`"""`
			`return Response(content=html_content, media_type="text/html")`

			`# Add guard for code parameter`
			`if not code:`
			`logger.error("OAuth callback missing required 'code' parameter")`
			`raise HTTPException(status_code=400, detail="Missing required 'code' parameter")`

			`try:`
			`# Process the authentication callback`
			`user = await auth_manager.provider.process_callback(code, state)`

			`# Create JWT token`
			`token = auth_manager.create_token(user)`

			`# Return HTML that sends token to parent window`
			`html_content = f"""`
			`<!DOCTYPE html>`
			`<html>`
			`<head>`
			`<title>Authentication Complete</title>`
			`<script>`
			`window.onload = function() {{`
			`const authResult = {{`
			`type: 'auth-success',`
			`token: '{token}',`
			`user: {{`
			`id: '{user.id}',`
			`name: '{user.name}',`
			`email: '{user.email or ""}',`
			`provider: '{user.provider}'`
			`}}`
			`}};`
			`if (window.opener) {{`
			`// Send token to parent window`
			`window.opener.postMessage(authResult, '*');`
			`// Close this window`
			`window.close();`
			`}} else {{`
			`// Redirect to main app with token`
			`localStorage.setItem('auth_token', '{token}');`
			`window.location.href = '/';`
			`}}`
			`}};`
			`</script>`
			`</head>`
			`<body>`
			`<p>Authentication successful. This window should close automatically.</p>`
			`</body>`
			`</html>`
			`"""`
			`return Response(content=html_content, media_type="text/html")`

			`except ProviderAuthException as e:`
			`logger.error(f"OAuth callback provider error: {str(e)}")`
			`raise HTTPException(status_code=401, detail=str(e)) from e`
			`except Exception as e:`
			`logger.error(f"Unexpected OAuth callback error: {str(e)}")`
			`raise HTTPException(status_code=500, detail=f"Authentication failed: {str(e)}") from e`


			`@router.post("/callback-handler")`
			`async def handle_callback(request: Request, auth_manager: AuthManager = Depends(get_auth_manager)):`
			`"""`
			`Handle authentication code/token from frontend.This endpoint is used when the frontend handles the OAuth flow and`
			`needs to exchange the code for a token.`
			`"""`
			`try:`
			`data = await request.json()`
			`code = data.get("code")`
			`state = data.get("state")`

			`if not code:`
			`raise HTTPException(status_code=400, detail="Authorization code is required")`

			`# Process the authentication code`
			`user = await auth_manager.provider.process_callback(code, state)`

			`# Create JWT token`
			`token = auth_manager.create_token(user)`

			`# Return token and user info`
			`return {`
			`"token": token,`
			`"user": {"id": user.id, "name": user.name, "email": user.email, "provider": user.provider},`
			`}`

			`except ProviderAuthException as e:`
			`logger.error(f"Callback handler provider error: {str(e)}")`
			`raise HTTPException(status_code=401, detail=str(e)) from e`
			`except Exception as e:`
			`logger.error(f"Unexpected callback handler error: {str(e)}")`
			`raise HTTPException(status_code=500, detail=f"Authentication failed: {str(e)}") from e`


			`@router.get("/me")`
			`async def get_user_info(current_user: User = Depends(get_current_user)):`
			`"""Get information about the currently authenticated user."""`
			`return {`
			`"id": current_user.id,`
			`"name": current_user.name,`
			`"email": current_user.email,`
			`"provider": current_user.provider,`
			`"roles": current_user.roles,`
			`}`


			`@router.get("/type")`
			`async def get_auth_type(auth_manager: AuthManager = Depends(get_auth_manager)):`
			`"""Get the configured authentication type."""`
			`return {"type": auth_manager.config.type, "exclude_paths": auth_manager.config.exclude_paths}`