o i`$@sUdZddlZddlZddlZddlmZddlmZmZm Z ddl m Z ddl m Z e eZdedefd d Zd eeefde efd d ZeGdddZGdddZGdddZdae eed<defddZdddZdS)a API key authentication and caching for Veena3 TTS. Features: - In-memory API key cache with TTL - Fast validation (< 5ms target) - Graceful bypass mode for development - Header extraction (Bearer token or X-API-Key) Usage: from veena3modal.api.auth import get_api_validator, extract_api_key validator = get_api_validator() api_key = extract_api_key(request.headers) result = validator.validate(hash_api_key(api_key)) if not result.is_valid: return 401/403 error with result.error_code N) dataclass)DictAnyOptional)Lock) get_loggerapi_keyreturncCst|dS)z Hash an API key for storage/lookup. Uses SHA-256 for consistent, secure hashing. Args: api_key: The raw API key Returns: Hex-encoded hash of the key zutf-8)hashlibsha256encode hexdigest)rr//home/ubuntu/veenaModal/veena3modal/api/auth.py hash_api_key!s rheaderscCsVdd|D}|dd}|dr|ddS|d}|r)|SdS) a Extract API key from request headers. Checks (in order of precedence): 1. Authorization: Bearer 2. X-API-Key: Args: headers: Request headers (case-insensitive keys) Returns: API key string or None if not found cSsi|] \}}||qSr)lower).0kvrrr ?sz#extract_api_key.. authorizationzbearer Nz x-api-key)itemsgetr startswithstrip)r normalized auth_headerrrrrextract_api_key0s  r c@sbeZdZUdZeed<dZeeed<dZ e ed<dZ e ed<dZ eeed <dZeeed <dS) ValidationResultzResult of API key validation.is_validNuser_id< rate_limitcredits error_code error_message)__name__ __module__ __qualname____doc__bool__annotations__r#rstrr%intr'floatr(r)rrrrr!Ns   r!c@sxeZdZdZddefddZdedeeee ffdd Z ded eee fdd fd d Z dedd fddZ dddZ d S) ApiKeyCachez In-memory cache for API key data. Thread-safe with configurable TTL. Attributes: ttl_seconds: Time-to-live for cache entries (default: 30s)  ttl_secondscCs||_i|_i|_t|_dS)zc Initialize cache. Args: ttl_seconds: Cache entry TTL N)r5_cache _timestampsr_lock)selfr5rrr__init__ds zApiKeyCache.__init__key_hashr cCs|j<||jvr WddS|j|d}t||jkr3|j|=|j|= WddS|j|WdS1sBwYdS)z Get cached key data. Args: key_hash: Hashed API key Returns: Key data dict or None if not found/expired Nr)r8r6r7rtimer5)r9r; cached_atrrrrps  $zApiKeyCache.getdataNcCsD|j||j|<t|j|<WddS1swYdS)z Cache key data. Args: key_hash: Hashed API key data: Key data to cache N)r8r6r<r7)r9r;r>rrrsets "zApiKeyCache.setcCsH|j|j|d|j|dWddS1swYdS)zRemove a key from cache.N)r8r6popr7)r9r;rrr invalidates"zApiKeyCache.invalidatecCs@|j|j|jWddS1swYdS)zClear all cached entries.N)r8r6clearr7)r9rrrrBs  "zApiKeyCache.clear)r4r N)r*r+r,r-r1r:r0rrrrr?rArBrrrrr3Zs   r3c@s>eZdZdZ  d deedefddZded e fd d Z dS) ApiKeyValidatora API key validator with caching. Validates keys against cached data, checking: - Key exists and is active - Sufficient credits available Attributes: cache: ApiKeyCache instance bypass_mode: If True, all keys are considered valid NFcache bypass_modecCs|pt|_||_dS)z Initialize validator. Args: cache: Cache instance (creates new if None) bypass_mode: Skip validation (for development) N)r3rErF)r9rErFrrrr:s zApiKeyValidator.__init__r;r c Csvt}|jrtdddddS|j|}|dur6t|d}tjdd d t|d d d td dddS|dd sat|d}tjdd d|dt|d dd td |ddddS|dd}|dkrt|d}tjdd d|d|t|d dd td |d|dddSt|d}tjdd|d|t|d dd td|d|d d!|dS)"z Validate an API key. Args: key_hash: Hashed API key Returns: ValidationResult with is_valid flag and details T bypass_useri'g~.A)r"r#r%r'Niapi_key_validationF not_found)validreason duration_msextraINVALID_API_KEYzAPI key not found or invalid)r"r(r) is_activeinactiver#)rKrLr#rMzAPI key is inactive)r"r#r(r)r'r&r no_credits)rKrLr#r'rMINSUFFICIENT_CREDITSzInsufficient credits)r"r#r'r(r))rKr#r'rMr%r$)r<rFr!rErloggerinforound)r9r;startkey_datarMr'rrrvalidates         zApiKeyValidator.validate)NF) r*r+r,r-rr3r.r:r0r!rZrrrrrDs rD_api_validatorcCs^tdur-tjdddk}ttjdd}t|d}t||datj d ||d d tS) a Get the singleton API key validator. Configuration via environment variables: - AUTH_BYPASS_MODE: "true" to skip validation (dev only) - AUTH_CACHE_TTL: Cache TTL in seconds (default: 30) Returns: Configured ApiKeyValidator instance NAUTH_BYPASS_MODEfalsetrueAUTH_CACHE_TTL30)r5)rErFapi_validator_initialized)rF cache_ttlrN) r[osenvironrrr1r3rDrUrV)rFrbrErrrget_api_validator)s   recCsdadS)z"Reset the singleton (for testing).N)r[rrrrreset_api_validatorHsrfrC)r-rcr<r dataclassesrtypingrrr threadingrveena3modal.shared.loggingrr*rUr0rr r!r3rDr[r/rerfrrrrs&    G