From 14ec2fe283eb2963878c7f4dc0f04ec968332ba5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Dec 2023 11:12:47 +0100 Subject: [PATCH 1/5] Bump setuptools from 68.0.0 to 69.0.3 (#567) Bumps [setuptools](https://github.com/pypa/setuptools) from 68.0.0 to 69.0.3. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v68.0.0...v69.0.3) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements_pypi.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements_pypi.txt b/requirements_pypi.txt
index 0b861b17..c421496c 100644
--- a/requirements_pypi.txt
+++ b/requirements_pypi.txt
@@ -1,3 +1,3 @@
-setuptools==68.0.0
+setuptools==69.0.3
 twine==4.0.2
 wheel==0.41.1
From 498ce7bad10cfb57f42dc0f72839392b1be1f721 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Dec 2023 11:13:46 +0100 Subject: [PATCH 2/5] Bump httpx from 0.24.1 to 0.26.0 (#568) Bumps [httpx](https://github.com/encode/httpx) from 0.24.1 to 0.26.0. - [Release notes](https://github.com/encode/httpx/releases) - [Changelog](https://github.com/encode/httpx/blob/master/CHANGELOG.md) - [Commits](https://github.com/encode/httpx/compare/0.24.1...0.26.0) --- updated-dependencies: - dependency-name: httpx dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index c5a390d2..fad2fa1e 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,7 +16,7 @@ pyyaml==6.0.1
 requests==2.31.0
 shortuuid==1.0.11
 uvicorn==0.23.2
-httpx==0.24.1
+httpx==0.26.0
 pyotritonclient==0.2.6
 fakeredis==2.20.0
 redis==4.6.0
From 7bd39abc634081c88a6f44a221292946505aaa34 Mon Sep 17 00:00:00 2001 From: Wei Ouyang Date: Thu, 18 Jan 2024 17:12:05 +0100 Subject: [PATCH 3/5] Add docs for setting up auth0 authentication (#578) --- docs/getting-started.md | 2 ++ docs/setup-authentication.md | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 docs/setup-authentication.md
diff --git a/docs/getting-started.md b/docs/getting-started.md
index 7054a2bd..38fea628 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -307,6 +307,8 @@ In the previous example, we registered a public service (`config.visibility = "p 1. Connecting to the Same Workspace: Set `config.visibility` to `"private"`. Authorization is achieved by generating a token from the client that registered the service (using `server.config.workspace` and `server.generate_token()`). Another client can connect to the same workspace using the token (`connect_to_server({"workspace": xxxx, "token": xxxx, "server_url": xxxx})`). 2. Using User Context: When registering a service, set `config.require_context` to `True` and `config.visibility` to `"public"` (or `"private"` to limit access for clients from the same workspace). Each service function needs to accept a keyword argument called `context`. The server will provide the context information containing `user` for each service function call. The service function can then check whether `context.user["id"]` is allowed to access the service. On the client side, you need to log in and generate a token by calling the `login({"server_url": xxxx})` function. The token is then used in `connect_to_server({"token": xxxx, "server_url": xxxx})`. +By default, hypha server uses a user authentication system based on [Auth0](https://auth0.com) controlled by us. You can also setup your own auth0 account to use it with your own hypha server. See [Setup Authentication](./setup-authentication) for more details. + ### Custom Initialization and Service Integration with Hypha Server Hypha's flexibility allows services to be registered from scripts running on the same host as the server or on a different one. To further accommodate complex applications, Hypha supports the initiation of "built-in" services in conjunction with server startup. This can be achieved using the `--startup-functions` option. diff --git a/docs/setup-authentication.md b/docs/setup-authentication.md new file mode 100644 index 00000000..495cf86a --- /dev/null +++ b/docs/setup-authentication.md 
@@ -0,0 +1,35 @@
+## Setup Authentication
+
+Internally, Hypha uses auth0 to manage authentication. This allows us to use a variety of authentication providers, including Google, GitHub.
+
+The default setting in hypha uses common auth0 setting managed by us, but you can also setup your own auth0 account and use it.
+
+### Setup Auth0 Authentication
+
+To set up your own account, follow these steps:
+ - go to https://auth0.com/ and create an account, or re-use an existing Github or Google Account.
+ - For the first time, you will be asked to create a "Tenant Domain" and choose a "Region", choose any name for the domain (e.g. hypha), and choose a suitable for the region (e.g. US or EU). Then click "Create".
+ - After that you should be logged in to the auth0 dashboard. Click on "Applications" on the left menu, and then click on "Create Application".
+ - Give your application a name (e.g. hypha), and choose "Single Page Web Applications" as the application type. Then click "Create".
+ - Now go to the "Settings" tab of your application, and copy the "Domain" and "Client ID" values to create environment variables for running Hypha:
+ ```
+ AUTH0_CLIENT_ID=hMIMGeUvEHkVmi4KlGDSKfRPuGW43ypc # replace with your own value from the "Settings" tab
+ AUTH0_DOMAIN=hypha.eu.auth0.com # replace with your own value from the "Settings" tab
+ AUTH0_AUDIENCE=https://hypha.eu.auth0.com/api/v2/ # replace 'hypha.eu.auth0.com' to your own auth0 domain
+ AUTH0_ISSUER=https://hypha.amun.ai/ # keep it or replace 'hypha.amun.ai' to any website you want to use as the issuer
+ AUTH0_NAMESPACE=https://hypha.amun.ai/ # keep it or replace 'hypha.amun.ai' to any identifier you want to use as the namespace
+ ```
+ You can either set the environment variables in your system, or create a `.env` file in the root directory of Hypha, and add the above lines to the file.
+ - Importantly, you also need to configure your own hypha server domain so Auth0 will allow it to login from your own domain.
+ For example, if you want to serve hypha server at https://my-company.com, you need to set the following in "Settings" tab:
+ * scroll down to the "Allowed Callback URLs" section, and add the following URLs: https://my-company.com
+ * scroll down to the "Allowed Logout URLs" section, and add the following URLs: https://my-company.com/public/apps/hypha-login/
+ * scroll down to the "Allowed Web Origins" section, and add the following URLs: https://my-company.com
+ * scroll down to the "Allowed Origins (CORS)" section, and add the following URLs: https://my-company.com
+ For local development, you can also add `http://127.0.0.1:9000` to the above URLs, separated by comma. For example, "Allowed Callback URLs" can be `https://my-company.com,http://http://127.0.0.1:9000`.
+ - Now you can start the hypha server (with the AUTH0 environment variables, via `python3 -m hypha.server --host=0.0.0.0 --port=9000`), and you should be able to test it by going to https://my-company.com/public/apps/hypha-login/ (replace with your own domain) or http://127.0.0.1:9000/public/apps/hypha-login.
+ - By default, auth0 will provide a basic username-password-authentication which will store user information at auth0. You can also add other authentication providers (e.g. Google, Github) in the "Authenticaiton" tab of your application in Auth0 dashboard.
+ * In order to add Google, click "Social", click "Create Connection", find Google/Gmail, and click "Continue", you will need to obtain the Client ID by following the instructions in the "How to obtain a Client ID" below the "Client ID" field.
+ * Similarily, you can add Github by clicking "Social", click "Create Connection", find Github, and click "Continue", you will need to obtain the Client ID by following the instructions in the "How to obtain a Client ID" below the "Client ID" field. In the permissions section, it is recommended to check "Email address" so that Hypha can get the email address of the user.
+ +Feel free to also customize the login page, and other settings in Auth0 dashboard. From 2c51e8dc573532e672e78965f3587b525759fb84 Mon Sep 17 00:00:00 2001 From: Wei Ouyang Date: Wed, 24 Jan 2024 13:13:12 +0100 Subject: [PATCH 4/5] Add oauth proxy (#579) * Add docs for setting up auth0 authentication * Add oauth proxy * Corret json response * Fix oauth token response * Add debug information for token proxy * bump version * Fix dependency --- hypha/VERSION | 2 +- hypha/http.py | 30 ++++++++++++++++++++++++++++-- requirements.txt | 1 + setup.py | 1 + tests/test_services.py | 2 -- 5 files changed, 31 insertions(+), 5 deletions(-) diff --git a/hypha/VERSION b/hypha/VERSION index 7daf417f..0e216516 100644 --- a/hypha/VERSION +++ b/hypha/VERSION @@ -1,3 +1,3 @@ { - "version": "0.15.35" + "version": "0.15.36" } diff --git a/hypha/http.py b/hypha/http.py index 7aaec608..d3c75561 100644 --- a/hypha/http.py +++ b/hypha/http.py @@ -4,12 +4,13 @@ import traceback from typing import Any +import httpx import msgpack from fastapi import APIRouter, Depends, Request -from fastapi.responses import JSONResponse, Response +from fastapi.responses import JSONResponse, Response, RedirectResponse from imjoy_rpc.hypha import RPC -from hypha.core.auth import login_optional +from hypha.core.auth import login_optional, AUTH0_DOMAIN from hypha.core.store import RedisStore from hypha.utils import GzipRoute 
@@ -73,6 +74,31 @@ def __init__(self, store: RedisStore) -> None: router = APIRouter() router.route_class = GzipRoute self.store = store + + @router.get("/authorize") + async def auth_proxy(request: Request): + # Construct the full URL for the Auth0 authorize endpoint with the query parameters + auth0_authorize_url = f"https://{AUTH0_DOMAIN}/authorize?{request.query_params}" + + # Redirect the client to the constructed URL + return RedirectResponse(url=auth0_authorize_url) + + + @router.post("/oauth/token") + async def token_proxy(request: Request): + form_data = await request.form() + async with httpx.AsyncClient() as client: + auth0_response = await client.post( + f"https://{AUTH0_DOMAIN}/oauth/token", + data=form_data, + headers={"Content-Type": "application/x-www-form-urlencoded"} + ) + + return JSONResponse( + status_code=200, + content=auth0_response.json() + ) + @router.get("/workspaces") async def get_all_workspaces( diff --git a/requirements.txt b/requirements.txt index fad2fa1e..ec7f3225 100644 --- a/requirements.txt +++ b/requirements.txt @@ -12,6 +12,7 @@ pydantic[email]==1.10.9 pymultihash==0.8.2 python-dotenv==0.21.1 python-jose==3.3.0 +python-multipart==0.0.6 pyyaml==6.0.1 requests==2.31.0 shortuuid==1.0.11 diff --git a/setup.py b/setup.py index 0d6ff944..edb80309 100644 --- a/setup.py +++ b/setup.py @@ -21,6 +21,7 @@ "lxml", "python-dotenv>=0.19.0", "python-jose>=3.3.0", + "python-multipart>=0.0.6", "pyyaml", "fakeredis>=2.14.1", "shortuuid>=1.0.1", diff --git a/tests/test_services.py b/tests/test_services.py index 119d5038..3d9f9288 100644 --- a/tests/test_services.py +++ b/tests/test_services.py @@ -1,7 +1,5 @@ """Test services.""" import pytest -import requests -import asyncio import httpx from imjoy_rpc.hypha import login, connect_to_server From 307716ca06437bff25e2ff8c8533363e9fe10d1a Mon Sep 17 00:00:00 2001 
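Review bot: `token_proxy` answers with `status_code=200` whatever Auth0 returned, so a rejected grant (an OAuth error body sent with a 4xx status) reaches the client looking like a success, and `auth0_response.json()` will raise, presumably surfacing as a 500, if the upstream body is not JSON. Pass the upstream status through and mark the token response uncacheable, as RFC 6749 section 5.1 requires: `return JSONResponse(status_code=auth0_response.status_code, content=auth0_response.json(), headers={"Cache-Control": "no-store"})`. Both new routes are registered without the `login_optional` dependency and the POST is relayed from the server's own address, so any per-IP throttling on the Auth0 side would see a single source; a rate limit on `/oauth/token` in this router is worth considering. The handlers are nested in `__init__`, which starts before this hunk and continues after it.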
From: Craig Russell Date: Thu, 8 Feb 2024 17:12:42 +0000 Subject: [PATCH 5/5] Quick n dirty fix for permissions issues on k8s (#588) --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index bbb10d05..f04d457e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ WORKDIR /home
 RUN mkdir /home/bin && \
 cd /home/bin && wget https://dl.min.io/server/minio/release/linux-amd64/minio && \
 wget https://dl.min.io/client/mc/release/linux-amd64/mc && \
- chmod -R 777 /home/bin
+ chmod -R 777 /home
 RUN mkdir /.mc && \
 chmod -R 777 /.mc
 RUN apt-get update && apt-get install -y --no-install-recommends \
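Review bot: `chmod -R 777 /home` makes the whole working directory world-writable, including the `minio` and `mc` binaries downloaded into `/home/bin` earlier in the same `RUN`, so any process in the container can replace executables that are presumably run later. If the aim is to let an arbitrary non-root UID assigned by Kubernetes write here, group ownership is a narrower grant: `chgrp -R 0 /home && chmod -R g=u /home`, assuming the pod runs with GID 0 (not visible in this hunk), followed by `chmod -R a-w /home/bin` so the binaries stay read-only. A comment stating which UID/GID the image is expected to run under would document why the mode is needed. The Dockerfile continues on both sides of this hunk.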