auth-gate.py

#!/usr/bin/env python3
"""Tiny auth gate for nginx auth_request. Sets a cookie after successful basic auth."""
import hashlib, hmac, http.server, time, base64, os, sys

SECRET = os.environ.get("AUTH_GATE_SECRET", "")
USER = os.environ.get("AUTH_GATE_USER", "")
PASS = os.environ.get("AUTH_GATE_PASS", "")
COOKIE_NAME = "sovereign_gate"
COOKIE_MAX_AGE = 86400 * 7  # 7 days

def make_token(ts):
    msg = f"{USER}:{ts}".encode()
    return hmac.new(SECRET.encode(), msg, hashlib.sha256).hexdigest()[:32]

def verify_token(token):
    try:
        # Token format: timestamp.signature
        parts = token.split(".")
        if len(parts) != 2:
            return False
        ts, sig = int(parts[0]), parts[1]
        if time.time() - ts > COOKIE_MAX_AGE:
            return False
        return sig == make_token(ts)
    except:
        return False

class Handler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *a): pass

    def do_GET(self):
        # Check cookie first
        cookies = self.headers.get("Cookie", "")
        for c in cookies.split(";"):
            c = c.strip()
            if c.startswith(f"{COOKIE_NAME}="):
                token = c[len(COOKIE_NAME)+1:]
                if verify_token(token):
                    self.send_response(200)
                    self.end_headers()
                    return

        # Check basic auth header (forwarded by nginx)
        auth = self.headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                decoded = base64.b64decode(auth[6:]).decode()
                u, p = decoded.split(":", 1)
                if u == USER and p == PASS:
                    ts = int(time.time())
                    token = f"{ts}.{make_token(ts)}"
                    self.send_response(200)
                    self.send_header("Set-Cookie",
                        f"{COOKIE_NAME}={token}; Path=/; Max-Age={COOKIE_MAX_AGE}; HttpOnly; SameSite=Lax")
                    self.end_headers()
                    return
            except:
                pass

        # Deny
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="Sovereign Stack"')
        self.end_headers()

if __name__ == "__main__":
    if not all([SECRET, USER, PASS]):
        sys.exit("ERROR: AUTH_GATE_SECRET, AUTH_GATE_USER, and AUTH_GATE_PASS must be set")
    s = http.server.HTTPServer(("127.0.0.1", 9876), Handler)
    print("Auth gate listening on 127.0.0.1:9876")
    s.serve_forever()
Add standalone auth-gate.py and nginx config for reference 2026-03-05 23:49:56 -05:00			`#!/usr/bin/env python3`
			`"""Tiny auth gate for nginx auth_request. Sets a cookie after successful basic auth."""`
ruff (#169) * polish: streamline nav, extract inline styles, improve tablet UX - Restructure desktop nav from 8+ flat links + overflow dropdown into 5 grouped dropdowns (Core, Agents, Intel, System, More) matching the mobile menu structure to reduce decision fatigue - Extract all inline styles from mission_control.html and base.html notification elements into mission-control.css with semantic classes - Replace JS-built innerHTML with secure DOM construction in notification loader and chat history - Add CONNECTING state to connection indicator (amber) instead of showing OFFLINE before WebSocket connects - Add tablet breakpoint (1024px) with larger touch targets for Apple Pencil / stylus use and safe-area padding for iPad toolbar - Add active-link highlighting in desktop dropdown menus - Rename "Mission Control" page title to "System Overview" to disambiguate from the chat home page - Add "Home — Timmy Time" page title to index.html https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h * fix(security): move auth-gate credentials to environment variables Hardcoded username, password, and HMAC secret in auth-gate.py replaced with os.environ lookups. Startup now refuses to run if any variable is unset. Added AUTH_GATE_SECRET/USER/PASS to .env.example. https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h * refactor(tooling): migrate from black+isort+bandit to ruff Replace three separate linting/formatting tools with a single ruff invocation. Updates tox.ini (lint, format, pre-push, pre-commit envs), .pre-commit-config.yaml, and CI workflow. Fixes all ruff errors including unused imports, missing raise-from, and undefined names. Ruff config maps existing bandit skips to equivalent S-rules. https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h --------- Co-authored-by: Claude <noreply@anthropic.com> 2026-03-11 12:23:35 -04:00			`import hashlib, hmac, http.server, time, base64, os, sys`
Add standalone auth-gate.py and nginx config for reference 2026-03-05 23:49:56 -05:00
ruff (#169) * polish: streamline nav, extract inline styles, improve tablet UX - Restructure desktop nav from 8+ flat links + overflow dropdown into 5 grouped dropdowns (Core, Agents, Intel, System, More) matching the mobile menu structure to reduce decision fatigue - Extract all inline styles from mission_control.html and base.html notification elements into mission-control.css with semantic classes - Replace JS-built innerHTML with secure DOM construction in notification loader and chat history - Add CONNECTING state to connection indicator (amber) instead of showing OFFLINE before WebSocket connects - Add tablet breakpoint (1024px) with larger touch targets for Apple Pencil / stylus use and safe-area padding for iPad toolbar - Add active-link highlighting in desktop dropdown menus - Rename "Mission Control" page title to "System Overview" to disambiguate from the chat home page - Add "Home — Timmy Time" page title to index.html https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h * fix(security): move auth-gate credentials to environment variables Hardcoded username, password, and HMAC secret in auth-gate.py replaced with os.environ lookups. Startup now refuses to run if any variable is unset. Added AUTH_GATE_SECRET/USER/PASS to .env.example. https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h * refactor(tooling): migrate from black+isort+bandit to ruff Replace three separate linting/formatting tools with a single ruff invocation. Updates tox.ini (lint, format, pre-push, pre-commit envs), .pre-commit-config.yaml, and CI workflow. Fixes all ruff errors including unused imports, missing raise-from, and undefined names. Ruff config maps existing bandit skips to equivalent S-rules. https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h --------- Co-authored-by: Claude <noreply@anthropic.com> 2026-03-11 12:23:35 -04:00			`SECRET = os.environ.get("AUTH_GATE_SECRET", "")`
			`USER = os.environ.get("AUTH_GATE_USER", "")`
			`PASS = os.environ.get("AUTH_GATE_PASS", "")`
Add standalone auth-gate.py and nginx config for reference 2026-03-05 23:49:56 -05:00			`COOKIE_NAME = "sovereign_gate"`
			`COOKIE_MAX_AGE = 86400 * 7 # 7 days`

			`def make_token(ts):`
			`msg = f"{USER}:{ts}".encode()`
			`return hmac.new(SECRET.encode(), msg, hashlib.sha256).hexdigest()[:32]`

			`def verify_token(token):`
			`try:`
			`# Token format: timestamp.signature`
			`parts = token.split(".")`
			`if len(parts) != 2:`
			`return False`
			`ts, sig = int(parts[0]), parts[1]`
			`if time.time() - ts > COOKIE_MAX_AGE:`
			`return False`
			`return sig == make_token(ts)`
			`except:`
			`return False`

			`class Handler(http.server.BaseHTTPRequestHandler):`
			`def log_message(self, *a): pass`

			`def do_GET(self):`
			`# Check cookie first`
			`cookies = self.headers.get("Cookie", "")`
			`for c in cookies.split(";"):`
			`c = c.strip()`
			`if c.startswith(f"{COOKIE_NAME}="):`
			`token = c[len(COOKIE_NAME)+1:]`
			`if verify_token(token):`
			`self.send_response(200)`
			`self.end_headers()`
			`return`

			`# Check basic auth header (forwarded by nginx)`
			`auth = self.headers.get("Authorization", "")`
			`if auth.startswith("Basic "):`
			`try:`
			`decoded = base64.b64decode(auth[6:]).decode()`
			`u, p = decoded.split(":", 1)`
			`if u == USER and p == PASS:`
			`ts = int(time.time())`
			`token = f"{ts}.{make_token(ts)}"`
			`self.send_response(200)`
			`self.send_header("Set-Cookie",`
			`f"{COOKIE_NAME}={token}; Path=/; Max-Age={COOKIE_MAX_AGE}; HttpOnly; SameSite=Lax")`
			`self.end_headers()`
			`return`
			`except:`
			`pass`

			`# Deny`
			`self.send_response(401)`
			`self.send_header("WWW-Authenticate", 'Basic realm="Sovereign Stack"')`
			`self.end_headers()`

			`if __name__ == "__main__":`
ruff (#169) * polish: streamline nav, extract inline styles, improve tablet UX - Restructure desktop nav from 8+ flat links + overflow dropdown into 5 grouped dropdowns (Core, Agents, Intel, System, More) matching the mobile menu structure to reduce decision fatigue - Extract all inline styles from mission_control.html and base.html notification elements into mission-control.css with semantic classes - Replace JS-built innerHTML with secure DOM construction in notification loader and chat history - Add CONNECTING state to connection indicator (amber) instead of showing OFFLINE before WebSocket connects - Add tablet breakpoint (1024px) with larger touch targets for Apple Pencil / stylus use and safe-area padding for iPad toolbar - Add active-link highlighting in desktop dropdown menus - Rename "Mission Control" page title to "System Overview" to disambiguate from the chat home page - Add "Home — Timmy Time" page title to index.html https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h * fix(security): move auth-gate credentials to environment variables Hardcoded username, password, and HMAC secret in auth-gate.py replaced with os.environ lookups. Startup now refuses to run if any variable is unset. Added AUTH_GATE_SECRET/USER/PASS to .env.example. https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h * refactor(tooling): migrate from black+isort+bandit to ruff Replace three separate linting/formatting tools with a single ruff invocation. Updates tox.ini (lint, format, pre-push, pre-commit envs), .pre-commit-config.yaml, and CI workflow. Fixes all ruff errors including unused imports, missing raise-from, and undefined names. Ruff config maps existing bandit skips to equivalent S-rules. https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h --------- Co-authored-by: Claude <noreply@anthropic.com> 2026-03-11 12:23:35 -04:00			`if not all([SECRET, USER, PASS]):`
			`sys.exit("ERROR: AUTH_GATE_SECRET, AUTH_GATE_USER, and AUTH_GATE_PASS must be set")`
Add standalone auth-gate.py and nginx config for reference 2026-03-05 23:49:56 -05:00			`s = http.server.HTTPServer(("127.0.0.1", 9876), Handler)`
			`print("Auth gate listening on 127.0.0.1:9876")`
			`s.serve_forever()`