Add an instance owner/operator role (env-declared via OWNER_EMAIL)
Provenance had no system-level owner: ownership was only per-tree (TreeMembership), so a self-hosted instance had no operator account and no instance-admin surface. This adds one, declared by environment per the project's twelve-factor rule. - OWNER_EMAIL (comma-separated): the account(s) named here are instance owners. Derived at request time — no DB column, no migration, can't drift from the env, survives DB resets. is_instance_owner()/InstanceOwner dependency in api/deps.py. - Ownership requires a VERIFIED email (independent of REQUIRE_EMAIL_VERIFICATION). Registration is open, so without this an attacker could seize the role by registering the owner address first; verification ties it to inbox control. - GET /api/v1/admin/instance (owner-only): operational status — version, env, user/tree counts, configured AI providers. Deliberately exposes no tree data or PII: instance ownership is an operator role, NOT a privacy-engine bypass. - /users/me reports is_instance_owner; frontend gains an owner-only /admin page and a conditional sidebar link (server-enforced, not just client-hidden). Found-and-fixed by an adversarial security review before merge: the verified-email land-grab (above) and a frontend null-deref where the admin page crashed on 401/5xx instead of failing closed. Docs: .env.example + ARCHITECTURE (notes the not-a-privacy-bypass boundary and the verified-email requirement). Tests: owner matching, the land-grab guard, /users/me, and owner-only /admin. Suite 96 passing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Justin Paul <justin@jpaul.me>
This commit is contained in:
@@ -54,6 +54,36 @@ async def get_current_user_or_none(request: Request, session: SessionDep) -> Use
|
||||
CurrentUserOrNone = Annotated[User | None, Depends(get_current_user_or_none)]
|
||||
|
||||
|
||||
def is_instance_owner(user: User) -> bool:
|
||||
"""Whether this account is an instance owner/operator — i.e. its email is
|
||||
named in OWNER_EMAIL *and* that email has been verified. Instance ownership
|
||||
is an operational/config role; it does NOT bypass the privacy engine or grant
|
||||
access to others' tree data.
|
||||
|
||||
The verified-email requirement is load-bearing: registration is open and (by
|
||||
default) doesn't require verification, so without it an attacker could claim
|
||||
the owner email by registering it before the operator does — a land-grab to
|
||||
the highest role with no proof of inbox control. Requiring verification ties
|
||||
ownership to actual control of the named inbox regardless of the global
|
||||
REQUIRE_EMAIL_VERIFICATION setting. (Self-hosts without SMTP can verify via
|
||||
the link the console mailer prints to the operator-controlled logs.)"""
|
||||
owners = get_settings().owner_emails()
|
||||
return (
|
||||
bool(owners)
|
||||
and user.email_verified_at is not None
|
||||
and user.email.strip().lower() in owners
|
||||
)
|
||||
|
||||
|
||||
async def require_instance_owner(current: CurrentUser) -> User:
|
||||
if not is_instance_owner(current):
|
||||
raise HTTPException(status.HTTP_403_FORBIDDEN, "instance owner only")
|
||||
return current
|
||||
|
||||
|
||||
InstanceOwner = Annotated[User, Depends(require_instance_owner)]
|
||||
|
||||
|
||||
def get_mailer() -> Mailer:
|
||||
settings = get_settings()
|
||||
if settings.mailer == "smtp" and settings.smtp_host:
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
from fastapi import APIRouter
|
||||
|
||||
from app.api.v1 import (
|
||||
admin,
|
||||
ai,
|
||||
auth,
|
||||
citations,
|
||||
@@ -38,3 +39,4 @@ api_router.include_router(public.router)
|
||||
api_router.include_router(members.router)
|
||||
api_router.include_router(proposals.router)
|
||||
api_router.include_router(ai.router)
|
||||
api_router.include_router(admin.router)
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
"""Instance-admin surface — owner-only (OWNER_EMAIL). Operational status and
|
||||
instance-wide configuration. Deliberately exposes no tree contents or PII:
|
||||
instance ownership is an operator role, not a privacy bypass."""
|
||||
|
||||
from sqlalchemy import func, select
|
||||
|
||||
from fastapi import APIRouter
|
||||
|
||||
from app.api.deps import InstanceOwner, SessionDep, configured_llm_providers
|
||||
from app.core.config import get_settings
|
||||
from app.models.tree import Tree
|
||||
from app.models.user import User
|
||||
from app.schemas.admin import InstanceStatus
|
||||
from app.schemas.ai_policy import ConfiguredProvider
|
||||
|
||||
router = APIRouter(prefix="/admin", tags=["admin"])
|
||||
|
||||
|
||||
@router.get("/instance", response_model=InstanceStatus)
|
||||
async def instance_status(owner: InstanceOwner, session: SessionDep) -> InstanceStatus:
|
||||
"""Operator dashboard data. Requires the caller to be an instance owner."""
|
||||
s = get_settings()
|
||||
user_count = await session.scalar(
|
||||
select(func.count()).select_from(User).where(User.deleted_at.is_(None))
|
||||
)
|
||||
tree_count = await session.scalar(
|
||||
select(func.count()).select_from(Tree).where(Tree.deleted_at.is_(None))
|
||||
)
|
||||
return InstanceStatus(
|
||||
version=s.version,
|
||||
env=s.app_env,
|
||||
owner_emails=sorted(s.owner_emails()),
|
||||
require_email_verification=s.require_email_verification,
|
||||
user_count=user_count or 0,
|
||||
tree_count=tree_count or 0,
|
||||
default_llm_provider=s.default_llm_provider,
|
||||
ai_providers=[ConfiguredProvider(**p) for p in configured_llm_providers()],
|
||||
)
|
||||
@@ -1,15 +1,21 @@
|
||||
from fastapi import APIRouter, File, Form, Response, UploadFile
|
||||
|
||||
from app.api.deps import CurrentUser, ObjectStoreDep, SessionDep
|
||||
from app.api.deps import CurrentUser, ObjectStoreDep, SessionDep, is_instance_owner
|
||||
from app.schemas.user import UserRead, UserSelfPersonUpdate
|
||||
from app.services import account_service, user_service
|
||||
|
||||
router = APIRouter(prefix="/users", tags=["users"])
|
||||
|
||||
|
||||
def _me(user) -> UserRead:
|
||||
out = UserRead.model_validate(user)
|
||||
out.is_instance_owner = is_instance_owner(user)
|
||||
return out
|
||||
|
||||
|
||||
@router.get("/me", response_model=UserRead)
|
||||
async def read_me(current: CurrentUser) -> UserRead:
|
||||
return UserRead.model_validate(current)
|
||||
return _me(current)
|
||||
|
||||
|
||||
@router.patch("/me/self-person", response_model=UserRead)
|
||||
@@ -20,7 +26,7 @@ async def set_self_person(
|
||||
user = await user_service.set_self_person(
|
||||
session, user=current, person_id=data.self_person_id
|
||||
)
|
||||
return UserRead.model_validate(user)
|
||||
return _me(user)
|
||||
|
||||
|
||||
@router.get("/me/export")
|
||||
|
||||
@@ -22,6 +22,18 @@ class Settings(BaseSettings):
|
||||
version: str = "0.0.0"
|
||||
app_env: str = Field(default="development", description="development | production")
|
||||
|
||||
# --- Instance owner / operator ---
|
||||
# Email(s) of the instance owner(s) — the operator(s) who run this server.
|
||||
# The matching account(s) get instance-admin rights (instance-wide settings;
|
||||
# see /api/v1/admin). Comma-separated for several. Empty = no designated
|
||||
# owner (the instance has no operator account). Derived at request time, so
|
||||
# changing it takes effect immediately with no migration or DB state.
|
||||
owner_email: str = ""
|
||||
|
||||
def owner_emails(self) -> frozenset[str]:
|
||||
"""Normalized (lowercased, trimmed) owner emails; empty if none set."""
|
||||
return frozenset(e.strip().lower() for e in self.owner_email.split(",") if e.strip())
|
||||
|
||||
# SQLAlchemy async URL, e.g. postgresql+asyncpg://user:pass@host:5432/db
|
||||
database_url: str = Field(
|
||||
default="postgresql+asyncpg://provenance:provenance@localhost:5432/provenance",
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
"""Instance-admin schemas. Operator-facing, owner-only — operational status and
|
||||
config, never tree data or PII (instance ownership doesn't bypass privacy)."""
|
||||
|
||||
from pydantic import BaseModel
|
||||
|
||||
from app.schemas.ai_policy import ConfiguredProvider
|
||||
|
||||
|
||||
class InstanceStatus(BaseModel):
|
||||
version: str
|
||||
env: str
|
||||
# Operator account(s) — the email(s) named in OWNER_EMAIL.
|
||||
owner_emails: list[str]
|
||||
require_email_verification: bool
|
||||
# Aggregate, non-identifying counts (live rows only).
|
||||
user_count: int
|
||||
tree_count: int
|
||||
# Instance-wide AI configuration (no secrets).
|
||||
default_llm_provider: str
|
||||
ai_providers: list[ConfiguredProvider]
|
||||
@@ -21,6 +21,9 @@ class UserRead(BaseModel):
|
||||
email_verified_at: datetime | None
|
||||
self_person_id: uuid.UUID | None = None
|
||||
created_at: datetime
|
||||
# Operational role, not a DB column: true when this account's email is named
|
||||
# in OWNER_EMAIL. Set by the API layer (see users.read_me).
|
||||
is_instance_owner: bool = False
|
||||
|
||||
|
||||
class UserSelfPersonUpdate(BaseModel):
|
||||
|
||||
Reference in New Issue
Block a user