AI-Cognitive-Leap/agnes-the-ai-analyst
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
agnes-the-ai-analyst/app/auth/providers/google.py
Vojtech 2e2e1a1eca
feat(home): state-aware /home + /setup-advanced + schema v26 (#228) 
* feat(home+news): state-aware /home + /news + admin-edited news section

Squash of the vr/home-page feature work for clean rebase onto main.
Original 18-commit history preserved in branch backup/vr-home-page-pre-rebase.

What's in this PR:

**State-aware /home page**
- New `/home` route with hero + auto-mode + connectors (Asana / GWS /
  Atlassian) + lookarounds. Onboarded vs not-onboarded state-machine
  branches a single template (`home_not_onboarded.html`); the install
  steps, "Setup a new Claude Code" CTA (90-day PAT mint), and per-
  connector setup prompts hide once `users.onboarded=TRUE`. A
  completion badge replaces them.
- "Mark me as offboarded" button reverses the flag without an SQL UPDATE.
- `users.onboarded BOOLEAN` column added; default FALSE; flipped by the
  CLI's `agnes init` post-success POST and the `/admin/users` API.
- Connector setup prompts pre-check whether the tool is already
  installed/connected before re-running setup.
- GWS scope set widened to include Google Chat (`chat.spaces`,
  `chat.messages`).

**Single template + design tokens**
- `dashboard.html` now extends `base.html` via the new
  `{% block layout %}` opt-out (full-width pages skip the 800px
  `.container`). Net: every page shares one shell.
- `style-custom.css` `:root` extended with `--space-{7,9,10,12}`,
  `--radius-2xl`, `--shadow-{card,elevated}`, `--text-{muted,disabled}`,
  `--focus-ring`, `--transition-*`, `--width-{narrow,app,wide}` so
  inline page styles can migrate incrementally.

**Auth redirects honor AGNES_HOME_ROUTE**
- `safe_next_path` resolves the configured home route when no `default=`
  is passed; OAuth callbacks, magic-link clicks, password form, and
  LOCAL_DEV_MODE shortcuts now land on `/home` (or whatever the operator
  picked) instead of always /dashboard.

**News section + /news permalink + /admin/news editor**
- Schema-bumped `news_template` table (single versioned entity, draft +
  publish gate). `published BOOLEAN` distinguishes draft from public;
  monotonically-increasing `version` per save; rows >30d pruned on
  save except the currently-displayed published version.
- `/home` bottom-of-page renders the latest published intro with a
  "Read more →" link to `/news` (which renders the full body).
- `/admin/news` editor with sandboxed live preview, versions table,
  per-row Unpublish, Format-help cheatsheet.
- `agnes admin news show / draft / edit / publish / unpublish /
  versions / export` (CLI). Talks to the live server via the
  `/api/admin/news/*` endpoints (PAT-authed) — no direct DB access
  so it coexists with a running uvicorn.
- **Optimistic-lock guard**: `agnes admin news publish --version N` and
  PUT/PATCH endpoints accept `expected_version` and 409 with structured
  `{error: "version_conflict", expected, actual, actual_by}` when a
  concurrent admin replaced the draft. Edit refuses to overwrite a
  draft authored by someone else without `--force` or
  `--expect-version`.
- nh3 (Rust-backed ammonia) HTML sanitizer; iframe pre-pass strips
  any iframe whose src is not on the YouTube/Vimeo/Loom allowlist;
  javascript:/data: schemes blocked everywhere.
- Author CSS vocabulary: `.news-hero` (blue gradient hero block),
  `.callout`/`.callout-{info,warn,success,danger}`,
  `.video-embed`, `.news-section`, `.news-grid-{2,3}`, `.news-cta` —
  all consolidated in `style-custom.css` under "News content
  vocabulary (shared)" so /home perex, /news body, and /admin/news
  preview share one source of styling.
- Code-inside-`<pre>` contrast fix (was unreadable amber-on-silver).
- `.news-content` table styling (border, header band, row-hover).

**`scripts/dev/run-local.sh`** — local uvicorn launcher. Pulls Google
OAuth client id/secret from GCP Secret Manager
(`AGNES_OAUTH_GCP_PROJECT`-driven, no vendor defaults), points
`AGNES_CLI_DIST_DIR` at `./dist` so the wheel endpoint resolves, and
`--dev` flips `LOCAL_DEV_MODE=1` + `AGNES_HOME_ROUTE=/home` for one-
command iteration. `LOCAL_DEV_MODE=1` also enables the FastAPI debug
toolbar.

**CLAUDE.md "Run tests before every push" section** codifies
`pytest tests/ -n auto -q` as non-negotiable before each push.

**Tests**: 51 + 14 + 8 = 73 new tests across news-template repo,
sanitizer, API, web, CLI; plus updated home/auth/template tests for
the new shared-shell architecture.

Origin docs (gitignored, customer-fork content):
docs/brainstorms/home-page-requirements.md,
docs/plans/2026-05-07-001-feat-home-page-plan.md.

* feat(cli): agnes onboarded {on,off,status} — self-scoped flag toggle

User-facing equivalent of the in-page "Mark me as (off)boarded" button
on /home. POSTs /api/me/onboarded with {onboarded, source}; --source
overrides the audit-log marker so flips made from the CLI vs the web
button vs agnes init automation stay distinguishable.

`status` reads via /api/me/profile (when present); falls back to a
quick body-marker scan of /home so the read path doesn't write an
audit_log row. PAT-authed via cli.client.api_post — same convention
as agnes admin news / agnes admin add-user etc.

Tests: 5 covering on/off/status round-trip, idempotency, and
audit-log source recording. Full suite holds at 12 pre-existing
failures (same set as before).

* ui(nav+home): primary nav reorg + green What's new band + /marketplace link fix

Primary nav (post-rebase audit + per-user feedback):

- Items: Home → Marketplace → Data Packages → Memory. Admin dropdown
  for admins only. The "Dashboard" label was renamed Home — point still
  resolves through `home_route` so customer instances on /dashboard
  still land there.
- Activity Center moved into the Admin dropdown. Per-team adoption
  analytics is admin-consumed in practice; the route still allows
  any authed user for direct deep-links so existing /home tile +
  bookmarks keep working.
- Memory link added (→ /corporate-memory) — was previously buried in
  the /home "Look around" tiles.
- Setup local agent + My Stack dropped from main nav. Setup is the
  /home install flow's home now; My Stack lives as a tab inside
  /marketplace.

/home tweaks:

- Plugin marketplace tile now points at /marketplace (was /store —
  legacy from before the marketplace rebrand landed in #230).
- "What's new" section header gets a green band (success-flavored
  D1FAE5 background, A7F3D0 border, darker green title) so the
  bottom-of-page news block visibly distinguishes from the blue
  install-hero at the top. Header strip only — body stays white.

Test fix: test_home_route_resolution renamed `dashboard_link_uses_home_route`
→ `home_link_uses_home_route` and asserts `href="/home">Home` instead
of `href="/home">Dashboard` after the label change.

* fix(home): decouple Step 3 + Connect-tools collapse from server onboarded flag

The server-side `users.onboarded` flip happens through two paths:

1. Explicit user click on "Mark me as onboarded" or `agnes onboarded on`.
2. Implicit `agnes init` POST → /api/me/onboarded on success.

Path 2 produced a UX surprise: an analyst running `agnes init` mid-flow
reloaded /home and saw Step 3 (auto-mode) + Connect-your-tools auto-
collapse to summary bars. They were actively working through those
sections — the install POST never signalled "I'm done with the rest
of setup", just "Agnes itself is installed".

Decouple the section-collapse decision from the server flag:

- Step 1 + Step 2 install blocks: still hidden on `onboarded=TRUE`
  (their completion is a hard server signal — Agnes IS installed).
- Step 3 + Connect-your-tools: render flat by default in BOTH states.
  Wrapped in `<details class="setup-collapsible" open>` so the
  browser's native disclosure handles per-section toggle without JS,
  but the `<summary>` is CSS-hidden until the page-level
  `data-setup-minimized="1"` attribute is set on `.home-mock`.
- New "Minimize setup view" toggle inside the blue install-hero,
  rendered only when onboarded. Click flips the data-attr on
  `.home-mock` AND removes the `open` attribute from each
  `<details>`. State persists in `localStorage["agnes_home_setup_minimized"]`
  so the choice survives reloads but is per-device.
- "Show full setup view" (the same button when minimized) re-opens
  both `<details>` and clears localStorage.

When minimized, each `<details>` still has its own native expand/
collapse — click the gray summary bar to peek at one section without
toggling the page-level minimize off.

Tests:
- test_step3_and_connectors_render_flat_when_onboarded_by_default —
  asserts `<details class="setup-collapsible" ... open>` for both
  sections post-onboarding and the absence of any server-rendered
  `data-setup-minimized` attribute on the `.home-mock` root.
- test_minimize_toggle_visible_only_when_onboarded — toggle button
  rendered only when onboarded.

Full pytest holds at 12 pre-existing failures (same set).
2026-05-08 18:28:47 +02:00

238 lines
9.8 KiB
Python
Raw Blame History

"""Google OAuth provider for FastAPI.
Group memberships are sourced via Application Default Credentials in
``app.auth.group_sync.fetch_user_groups`` (no per-user OAuth scope needed for
that path), so the OAuth flow only handles authentication and returns a
session JWT. Membership writes go to ``user_group_members``.
"""
import os
import logging
from authlib.integrations.starlette_client import OAuth
from fastapi import APIRouter, Request
from fastapi.responses import RedirectResponse
from app.auth.jwt import create_access_token
from app.auth._common import safe_next_path
from app.instance_config import get_allowed_domains
logger = logging.getLogger(__name__)
router = APIRouter(prefix="/auth/google", tags=["auth"])
oauth = OAuth()
GOOGLE_CLIENT_ID = os.environ.get("GOOGLE_CLIENT_ID", "")
GOOGLE_CLIENT_SECRET = os.environ.get("GOOGLE_CLIENT_SECRET", "")
def is_available() -> bool:
return bool(GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET)
def _setup_oauth():
if not is_available():
return
oauth.register(
name="google",
client_id=GOOGLE_CLIENT_ID,
client_secret=GOOGLE_CLIENT_SECRET,
server_metadata_url="https://accounts.google.com/.well-known/openid-configuration",
client_kwargs={"scope": "openid email profile"},
)
_setup_oauth()
@router.get("/login")
async def google_login(request: Request):
"""Redirect to Google OAuth.
Honors `?next=<path>` by stashing the sanitized value in the session so the
callback can redirect there instead of the default /dashboard. The session
is the right stash — OAuth flow is stateful and the `state` param is
managed by Authlib.
"""
if not is_available():
return RedirectResponse(url="/login?error=google_not_configured")
next_path = safe_next_path(request.query_params.get("next"), default="")
if next_path:
request.session["login_next"] = next_path
else:
# Clear any stale value from an earlier aborted attempt.
request.session.pop("login_next", None)
redirect_uri = str(request.url_for("google_callback"))
return await oauth.google.authorize_redirect(request, redirect_uri)
@router.get("/callback")
async def google_callback(request: Request):
"""Handle Google OAuth callback."""
if not is_available():
return RedirectResponse(url="/login?error=google_not_configured")
try:
token = await oauth.google.authorize_access_token(request)
user_info = token.get("userinfo", {})
email = user_info.get("email", "")
name = user_info.get("name", "")
if not email:
return RedirectResponse(url="/login?error=no_email")
# Domain check
allowed = get_allowed_domains()
if allowed:
domain = email.split("@")[-1]
if domain not in allowed:
return RedirectResponse(url="/login?error=domain_not_allowed")
# Find or create user, sync Workspace group memberships into
# user_group_members.
from src.db import (
get_system_db,
SYSTEM_ADMIN_GROUP,
SYSTEM_EVERYONE_GROUP,
)
from src.repositories.users import UserRepository
from src.repositories.user_groups import UserGroupsRepository
from src.repositories.user_group_members import UserGroupMembersRepository
from app.auth.group_sync import fetch_user_groups
import uuid
# Optional Workspace-group prefix filter + system-group mapping. Read
# per-request so test fixtures and operators can flip via env without
# restarting the process. Empty prefix = legacy behavior (mirror all).
prefix = os.environ.get(
"AGNES_GOOGLE_GROUP_PREFIX", ""
).strip().lower()
admin_email = os.environ.get(
"AGNES_GROUP_ADMIN_EMAIL", ""
).strip().lower()
everyone_email = os.environ.get(
"AGNES_GROUP_EVERYONE_EMAIL", ""
).strip().lower()
conn = get_system_db()
try:
repo = UserRepository(conn)
user = repo.get_by_email(email)
if not user:
user_id = str(uuid.uuid4())
repo.create(id=user_id, email=email, name=name)
user = repo.get_by_email(email)
if not bool(user.get("active", True)):
return RedirectResponse(url="/login?error=deactivated")
# Sync Workspace groups → user_group_members (source='google_sync').
# Fail-soft: any error leaves the previous membership snapshot in
# place; admin-added rows survive regardless.
members_repo = UserGroupMembersRepository(conn)
try:
group_names = fetch_user_groups(email)
# `fetch_user_groups` is fail-soft and returns [] for both
# "user genuinely has no groups" and "transient API failure".
# Empty result is treated as "no change": preserve the
# previous snapshot rather than wiping it on a transient
# hiccup. Admin-added rows survive regardless.
if not group_names:
logger.info(
"Google group sync for %s: empty result, "
"preserving existing memberships",
email,
)
else:
# Lower-cased Workspace email of each group; comparisons
# against admin_email/everyone_email/prefix are all
# case-insensitive.
fetched = [g.lower() for g in group_names]
if prefix:
relevant = [g for g in fetched if g.startswith(prefix)]
else:
relevant = list(fetched)
# Login gate: prefix is set AND fetch returned a
# non-empty list AND none of those groups match the
# prefix → user is signed into Google but is not a
# member of any group permitted to use this Agnes
# instance. Pass-through-on-empty-fetch is preserved
# above (transient API failures must not lock users
# out), so this branch fires only when we got a real
# answer that excluded them.
if prefix and not relevant:
logger.info(
"Google login denied for %s: no group with "
"prefix %r in %s",
email, prefix, fetched,
)
return RedirectResponse(
url="/login?error=not_in_allowed_group"
)
ug_repo = UserGroupsRepository(conn)
group_ids: list[str] = []
for email_addr in relevant:
if admin_email and email_addr == admin_email:
sys_admin = ug_repo.get_by_name(
SYSTEM_ADMIN_GROUP
)
if sys_admin:
group_ids.append(sys_admin["id"])
continue
if everyone_email and email_addr == everyone_email:
sys_everyone = ug_repo.get_by_name(
SYSTEM_EVERYONE_GROUP
)
if sys_everyone:
group_ids.append(sys_everyone["id"])
continue
# Regular synced group: name = full email. ensure()
# is get-or-create-by-name and stamps
# created_by='system:google-sync' on first create.
g = ug_repo.ensure(email_addr)
group_ids.append(g["id"])
members_repo.replace_google_sync_groups(
user["id"], group_ids, added_by="system:google-sync",
)
logger.info(
"Google group sync for %s: %d group(s) "
"(filtered from %d fetched, prefix=%r) [%s]",
email, len(group_ids), len(fetched), prefix,
", ".join(relevant),
)
except Exception as sync_err: # noqa: BLE001 - fail-soft by design
logger.warning(
"Google group sync failed for %s: %s", email, sync_err
)
finally:
conn.close()
# Issue JWT — identity-only, authorization derives from
# user_group_members at request time (see app.auth.access).
jwt_token = create_access_token(user["id"], user["email"])
# Redirect to the post-login target. Prefer the value stashed by
# google_login() — re-sanitize defensively in case of session tampering.
# default=None → safe_next_path resolves to the operator-configured
# home route (AGNES_HOME_ROUTE / instance.home_route / /dashboard).
target = safe_next_path(request.session.pop("login_next", None))
# Redirect to target with token in cookie. Match password/email providers:
# Secure only when DOMAIN is set (production with TLS), so the cookie is
# actually sent over plain HTTP in dev.
use_secure = os.environ.get("DOMAIN", "") != ""
response = RedirectResponse(url=target, status_code=302)
response.set_cookie(
key="access_token", value=jwt_token,
httponly=True, max_age=86400, samesite="lax",
secure=use_secure,
)
return response
except Exception as e:
logger.error(f"Google OAuth error: {e}")
return RedirectResponse(url="/login?error=oauth_failed")
Reference in a new issue View git blame Copy permalink