diff --git a/ai-hub/app/api/dependencies.py b/ai-hub/app/api/dependencies.py
index 783f8f2..20d3ccc 100644
--- a/ai-hub/app/api/dependencies.py
+++ b/ai-hub/app/api/dependencies.py
@@ -34,6 +34,14 @@
status_code=status.HTTP_404_NOT_FOUND,
detail="User not found"
)
+
+ from app.config import settings
+ if not user.password_hash and not settings.OIDC_ENABLED:
+ raise HTTPException(
+ status_code=status.HTTP_403_FORBIDDEN,
+ detail="Account disabled: OIDC is inactive and no password is set."
+ )
+
return user
diff --git a/ai-hub/app/api/routes/admin.py b/ai-hub/app/api/routes/admin.py
index 1ed915c..b556f57 100644
--- a/ai-hub/app/api/routes/admin.py
+++ b/ai-hub/app/api/routes/admin.py
@@ -11,6 +11,18 @@
update: schemas.OIDCConfigUpdate,
admin = Depends(get_current_admin)
):
+ checking_disabled = False
+ if update.enabled is not None:
+ checking_disabled = not update.enabled
+ if update.allow_oidc_login is not None:
+ checking_disabled = not update.allow_oidc_login
+
+ if checking_disabled:
+ if not settings.ALLOW_PASSWORD_LOGIN:
+ raise HTTPException(status_code=400, detail="Cannot disable OIDC login while password login is also disabled.")
+ if not admin.password_hash:
+ raise HTTPException(status_code=400, detail="SafeGuard: Cannot disable OIDC! You do not have a local password set, which would lock you out of your Admin account.")
+
if update.enabled is not None:
settings.OIDC_ENABLED = update.enabled
if update.client_id is not None:
@@ -22,8 +34,6 @@
if update.redirect_uri is not None:
settings.OIDC_REDIRECT_URI = update.redirect_uri
if update.allow_oidc_login is not None:
- if not update.allow_oidc_login and not settings.ALLOW_PASSWORD_LOGIN:
- raise HTTPException(status_code=400, detail="Cannot disable OIDC login while password login is also disabled.")
settings.ALLOW_OIDC_LOGIN = update.allow_oidc_login
settings.save_to_yaml()
@@ -35,7 +45,8 @@
admin = Depends(get_current_admin)
):
if update.allow_password_login is not None:
- if not update.allow_password_login and not settings.ALLOW_OIDC_LOGIN:
+ is_oidc_active = settings.ALLOW_OIDC_LOGIN or settings.OIDC_ENABLED
+ if not update.allow_password_login and not is_oidc_active:
raise HTTPException(status_code=400, detail="Cannot disable password login while OIDC login is also disabled.")
settings.ALLOW_PASSWORD_LOGIN = update.allow_password_login
@@ -62,6 +73,10 @@
except Exception as e:
return {"success": False, "message": f"Failed to reach OIDC provider: {str(e)}"}
+ @router.get("/config/swarm/test/{nonce}", summary="Echo Swarm Nonce")
+ async def echo_swarm_nonce(nonce: str):
+ return {"nonce": nonce}
+
@router.post("/config/swarm/test", summary="Test Swarm Connection")
async def test_swarm_connection(
update: schemas.SwarmConfigUpdate,
@@ -71,16 +86,28 @@
raise HTTPException(status_code=400, detail="External endpoint is required for testing.")
import httpx
+ import uuid
try:
- # We try to reach the endpoint. Since it's gRPC, we might just do a TCP check
- # or a basic GET if it's behind a proxy that handles health checks.
- # For simplicity, we'll check if the protocol is valid and we can reach it.
- async with httpx.AsyncClient() as client:
- # Most swarm proxies will have a /health or just return 404/405 for GET on root
- response = await client.get(update.external_endpoint, timeout=5.0)
- return {"success": True, "message": f"Reached endpoint with status {response.status_code}"}
+ nonce = str(uuid.uuid4())
+ test_url = f"{update.external_endpoint.rstrip('/')}/api/v1/admin/config/swarm/test/{nonce}"
+
+ async with httpx.AsyncClient(verify=False) as client:
+ response = await client.get(test_url, timeout=10.0)
+
+ if response.status_code == 200:
+ data = response.json()
+ if data.get("nonce") == nonce:
+ return {"success": True, "message": "Successfully routed back to this hub instance!"}
+ else:
+ return {"success": False, "message": "Connected to an endpoint, but the verification signature did not match."}
+ else:
+ return {"success": False, "message": f"Endpoint reachable, but returned status {response.status_code}."}
+ except httpx.ConnectError:
+ return {"success": False, "message": "Failed to connect: Connection refused. Check if the domain/IP is correct and listening."}
+ except httpx.TimeoutException:
+ return {"success": False, "message": "Connection timed out. Check firewall or proxy settings."}
except Exception as e:
- return {"success": False, "message": f"Failed to connect: {str(e)}"}
+ return {"success": False, "message": f"Verification failed: {str(e)}"}
@router.put("/config/swarm", summary="Update Swarm Configuration")
async def update_swarm_config(
diff --git a/ai-hub/app/api/routes/user.py b/ai-hub/app/api/routes/user.py
index 87dd010..f5c6acb 100644
--- a/ai-hub/app/api/routes/user.py
+++ b/ai-hub/app/api/routes/user.py
@@ -83,10 +83,11 @@
Requires a valid user_id to be present in the request header.
"""
try:
- # In a real-world scenario, you would fetch user details from the DB using user_id
- # For this example, we return a mock response based on the presence of user_id
+ user : Optional[models.User] = services.user_service.get_user_by_id(db=db, user_id=user_id)
- user : Optional[models.User] = services.user_service.get_user_by_id(db=db, user_id=user_id) # Ensure user exists
+ if user and not user.password_hash and not settings.OIDC_ENABLED:
+ raise HTTPException(status_code=403, detail="Account disabled: OIDC is inactive and no password is set.")
+
email = user.email if user else None
is_anonymous = user is None
is_logged_in = user is not None
@@ -95,8 +96,11 @@
email=email,
is_logged_in=is_logged_in,
is_anonymous=is_anonymous,
- oidc_configured=settings.OIDC_ENABLED
+ oidc_configured=settings.OIDC_ENABLED,
+ allow_password_login=settings.ALLOW_PASSWORD_LOGIN
)
+ except HTTPException as he:
+ raise he
except Exception as e:
raise HTTPException(status_code=500, detail=f"An error occurred: {e}")
diff --git a/ai-hub/app/api/schemas.py b/ai-hub/app/api/schemas.py
index d0127ed..6a8f10c 100644
--- a/ai-hub/app/api/schemas.py
+++ b/ai-hub/app/api/schemas.py
@@ -25,6 +25,7 @@
is_logged_in: bool = Field(True, description="Indicates if the user is currently authenticated.")
is_anonymous: bool = Field(False, description="Indicates if the user is an anonymous user.")
oidc_configured: bool = Field(False, description="Whether OIDC SSO is enabled on the server.")
+ allow_password_login: bool = Field(True, description="Whether local password login is supported by the server.")
class UserProfile(BaseModel):
id: str
diff --git a/deployment/jerxie-prod/docker-compose.production.yml b/deployment/jerxie-prod/docker-compose.production.yml
index 64d1040..ed3330c 100644
--- a/deployment/jerxie-prod/docker-compose.production.yml
+++ b/deployment/jerxie-prod/docker-compose.production.yml
@@ -8,6 +8,8 @@
environment:
- HUB_PUBLIC_URL=https://ai.jerxie.com
- HUB_GRPC_ENDPOINT=ai.jerxie.com:443
+ - OIDC_ENABLED=true
+ - ALLOW_PASSWORD_LOGIN=false
- OIDC_CLIENT_ID=cortex-server
- OIDC_CLIENT_SECRET=aYc2j1lYUUZXkBFFUndnleZI
- OIDC_SERVER_URL=https://auth.jerxie.com
diff --git a/frontend/src/features/auth/pages/LoginPage.js b/frontend/src/features/auth/pages/LoginPage.js
index f8ff809..f79f316 100644
--- a/frontend/src/features/auth/pages/LoginPage.js
+++ b/frontend/src/features/auth/pages/LoginPage.js
@@ -6,6 +6,7 @@
const [isLoading, setIsLoading] = useState(false);
const [error, setError] = useState(null);
const [oidcEnabled, setOidcEnabled] = useState(false);
+ const [passwordEnabled, setPasswordEnabled] = useState(true);
// Local login state
const [email, setEmail] = useState('');
@@ -18,6 +19,9 @@
try {
const config = await getAuthConfig();
setOidcEnabled(config.oidc_configured);
+ if (config.allow_password_login !== undefined) {
+ setPasswordEnabled(config.allow_password_login);
+ }
} catch (err) {
console.error("Failed to fetch auth config", err);
}
@@ -147,59 +151,60 @@
)}
-
+ {passwordEnabled && (
+
+ )}
{oidcEnabled && (