implement challenge verification flow with altcha integration and add challenge page

2026-03-22 00:16:18 +00:00 · 2026-03-18 08:56:48 -03:00
parent 0bd4136b5f
commit 5c5375cb9a
10 changed files with 325 additions and 2 deletions
--- a/containers/auth-gateway/auth_gateway/web/challenge_routes.py
+++ b/containers/auth-gateway/auth_gateway/web/challenge_routes.py
@@ -0,0 +1,67 @@
+from urllib.parse import urlsplit
+
+from auth_gateway.services.challenge_service import (
+    CHALLENGE_COOKIE_NAME,
+    generate_altcha_challenge,
+    generate_challenge_cookie,
+    verify_altcha_solution,
+)
+from fastapi import APIRouter, Form, Request
+from fastapi.responses import HTMLResponse, JSONResponse, RedirectResponse
+
+router = APIRouter()
+
+
+def _safe_next(url: str | None, external_path: str) -> str:
+    if not url:
+        return f"{external_path}/login"
+    parts = urlsplit(url)
+    if parts.scheme or parts.netloc:
+        return f"{external_path}/login"
+    path = parts.path or "/"
+    if not path.startswith("/"):
+        return f"{external_path}/login"
+    return f"{path}?{parts.query}" if parts.query else path
+
+
+@router.get("/challenge", response_class=HTMLResponse)
+async def challenge_page(request: Request, next: str = "/"):
+    external_path = request.app.state.settings.external_path
+    return request.app.state.templates.TemplateResponse(
+        "challenge.html",
+        {"request": request, "external_path": external_path, "next": next},
+    )
+
+
+@router.get("/challenge/data")
+async def challenge_data(request: Request):
+    hmac_key = request.app.state.settings.challenge_secret
+    challenge = generate_altcha_challenge(hmac_key)
+    return JSONResponse(challenge)
+
+
+@router.post("/challenge/verify")
+async def challenge_verify(request: Request, next: str = Form("/"), altcha: str = Form(...)):
+    hmac_key = request.app.state.settings.challenge_secret
+    external_path = request.app.state.settings.external_path
+
+    if not verify_altcha_solution(altcha, hmac_key):
+        return request.app.state.templates.TemplateResponse(
+            "challenge.html",
+            {"request": request, "external_path": external_path, "next": next, "error": True},
+            status_code=400,
+        )
+
+    cookie_value = generate_challenge_cookie(hmac_key)
+    safe_next = _safe_next(next, external_path)
+    response = RedirectResponse(safe_next, status_code=303)
+    response.set_cookie(
+        key=CHALLENGE_COOKIE_NAME,
+        value=cookie_value,
+        httponly=True,
+        secure=request.app.state.settings.secure_cookies,
+        samesite="strict",
+        path="/",
+        max_age=300,
+    )
+    return response