portal: fix rate limits and onboarding

2026-01-02 01:34:18 -03:00 · 2026-01-02 01:34:18 -03:00 · a1fbfe604e
commit a1fbfe604e
parent 8460a28e5d
9 changed files with 274 additions and 15 deletions
--- a/backend/atlas_portal/rate_limit.py
+++ b/backend/atlas_portal/rate_limit.py
@ -4,18 +4,18 @@ import time

 from . import settings

-_ACCESS_REQUEST_RATE: dict[str, list[float]] = {}
+_RATE_BUCKETS: dict[str, dict[str, list[float]]] = {}


-def rate_limit_allow(ip: str) -> bool:
-    if settings.ACCESS_REQUEST_RATE_LIMIT <= 0:
+def rate_limit_allow(ip: str, *, key: str, limit: int, window_sec: int) -> bool:
+    if limit <= 0:
        return True
    now = time.time()
-    window_start = now - settings.ACCESS_REQUEST_RATE_WINDOW_SEC
-    bucket = _ACCESS_REQUEST_RATE.setdefault(ip, [])
+    window_start = now - window_sec
+    buckets_by_ip = _RATE_BUCKETS.setdefault(key, {})
+    bucket = buckets_by_ip.setdefault(ip, [])
    bucket[:] = [t for t in bucket if t >= window_start]
-    if len(bucket) >= settings.ACCESS_REQUEST_RATE_LIMIT:
+    if len(bucket) >= limit:
        return False
    bucket.append(now)
    return True
-
--- a/backend/atlas_portal/routes/access_requests.py
+++ b/backend/atlas_portal/routes/access_requests.py
@ -37,7 +37,12 @@ def register(app) -> None:
            return jsonify({"error": "server not configured"}), 503

        ip = request.remote_addr or "unknown"
-        if not rate_limit_allow(ip):
+        if not rate_limit_allow(
+            ip,
+            key="access_request_submit",
+            limit=settings.ACCESS_REQUEST_SUBMIT_RATE_LIMIT,
+            window_sec=settings.ACCESS_REQUEST_SUBMIT_RATE_WINDOW_SEC,
+        ):
            return jsonify({"error": "rate limited"}), 429

        username, email, note = _extract_request_payload()
@ -108,7 +113,12 @@ def register(app) -> None:
            return jsonify({"error": "server not configured"}), 503

        ip = request.remote_addr or "unknown"
-        if not rate_limit_allow(ip):
+        if not rate_limit_allow(
+            ip,
+            key="access_request_status",
+            limit=settings.ACCESS_REQUEST_STATUS_RATE_LIMIT,
+            window_sec=settings.ACCESS_REQUEST_STATUS_RATE_WINDOW_SEC,
+        ):
            return jsonify({"error": "rate limited"}), 429

        payload = request.get_json(silent=True) or {}
@ -119,11 +129,19 @@ def register(app) -> None:
        try:
            with connect() as conn:
                row = conn.execute(
-                    "SELECT status FROM access_requests WHERE request_code = %s",
+                    "SELECT status, username FROM access_requests WHERE request_code = %s",
                    (code,),
                ).fetchone()
                if not row:
                    return jsonify({"error": "not found"}), 404
-                return jsonify({"ok": True, "status": row["status"] or "unknown"})
+                status = row["status"] or "unknown"
+                response: dict[str, Any] = {
+                    "ok": True,
+                    "status": status,
+                    "username": row.get("username") or "",
+                }
+                if status == "approved":
+                    response["onboarding_url"] = f"/onboarding?code={code}"
+                return jsonify(response)
        except Exception:
            return jsonify({"error": "failed to load status"}), 502
--- a/backend/atlas_portal/routes/account.py
+++ b/backend/atlas_portal/routes/account.py
@ -19,7 +19,26 @@ def register(app) -> None:
            return resp

        username = g.keycloak_username
-        mailu_username = f"{username}@{settings.MAILU_DOMAIN}" if username else ""
+        mailu_username = ""
+        if g.keycloak_email and g.keycloak_email.lower().endswith(f"@{settings.MAILU_DOMAIN.lower()}"):
+            mailu_username = g.keycloak_email
+        elif username:
+            mailu_username = f"{username}@{settings.MAILU_DOMAIN}"
+
+        mailu_app_password = ""
+        if admin_client().ready() and username:
+            try:
+                user = admin_client().find_user(username)
+                user_id = (user or {}).get("id") or ""
+                if user_id:
+                    full = admin_client().get_user(str(user_id))
+                    attrs = full.get("attributes") or {}
+                    if isinstance(attrs, dict):
+                        values = attrs.get("mailu_app_password") or []
+                        if isinstance(values, list) and values:
+                            mailu_app_password = str(values[0])
+            except Exception:
+                mailu_app_password = ""

        mailu_status = "ready"
        jellyfin_status = "ready"
@ -31,7 +50,7 @@ def register(app) -> None:
        return jsonify(
            {
                "user": {"username": username, "email": g.keycloak_email, "groups": g.keycloak_groups},
-                "mailu": {"status": mailu_status, "username": mailu_username},
+                "mailu": {"status": mailu_status, "username": mailu_username, "app_password": mailu_app_password},
                "jellyfin": {"status": jellyfin_status, "username": username},
            }
        )
@ -79,4 +98,3 @@ def register(app) -> None:

        best_effort_post(settings.JELLYFIN_SYNC_URL)
        return jsonify({"password": password})
-
--- a/backend/atlas_portal/settings.py
+++ b/backend/atlas_portal/settings.py
@ -61,6 +61,14 @@ PORTAL_ADMIN_GROUPS = [g.strip() for g in os.getenv("PORTAL_ADMIN_GROUPS", "admi
 ACCESS_REQUEST_ENABLED = _env_bool("ACCESS_REQUEST_ENABLED", "true")
 ACCESS_REQUEST_RATE_LIMIT = int(os.getenv("ACCESS_REQUEST_RATE_LIMIT", "5"))
 ACCESS_REQUEST_RATE_WINDOW_SEC = int(os.getenv("ACCESS_REQUEST_RATE_WINDOW_SEC", str(60 * 60)))
+ACCESS_REQUEST_SUBMIT_RATE_LIMIT = int(
+    os.getenv("ACCESS_REQUEST_SUBMIT_RATE_LIMIT", str(ACCESS_REQUEST_RATE_LIMIT))
+)
+ACCESS_REQUEST_SUBMIT_RATE_WINDOW_SEC = int(
+    os.getenv("ACCESS_REQUEST_SUBMIT_RATE_WINDOW_SEC", str(ACCESS_REQUEST_RATE_WINDOW_SEC))
+)
+ACCESS_REQUEST_STATUS_RATE_LIMIT = int(os.getenv("ACCESS_REQUEST_STATUS_RATE_LIMIT", "60"))
+ACCESS_REQUEST_STATUS_RATE_WINDOW_SEC = int(os.getenv("ACCESS_REQUEST_STATUS_RATE_WINDOW_SEC", "60"))

 MAILU_DOMAIN = os.getenv("MAILU_DOMAIN", "bstein.dev")
 MAILU_SYNC_URL = os.getenv(
--- a/frontend/src/router.js
+++ b/frontend/src/router.js
@ -7,6 +7,7 @@ import MoneroView from "./views/MoneroView.vue";
 import AppsView from "./views/AppsView.vue";
 import AccountView from "./views/AccountView.vue";
 import RequestAccessView from "./views/RequestAccessView.vue";
+import OnboardingView from "./views/OnboardingView.vue";

 export default createRouter({
  history: createWebHistory(),
@ -20,5 +21,6 @@ export default createRouter({
    { path: "/apps", name: "apps", component: AppsView },
    { path: "/account", name: "account", component: AccountView },
    { path: "/request-access", name: "request-access", component: RequestAccessView },
+    { path: "/onboarding", name: "onboarding", component: OnboardingView },
  ],
 });
--- a/frontend/src/views/AccountView.vue
+++ b/frontend/src/views/AccountView.vue
@ -46,6 +46,22 @@
          </button>
        </div>

+        <div v-if="mailu.currentPassword" class="secret-box">
+          <div class="secret-head">
+            <div class="pill mono">Current password</div>
+            <div class="secret-actions">
+              <button class="copy mono" type="button" @click="copy(mailu.currentPassword)">copy</button>
+              <button class="copy mono" type="button" @click="mailu.revealPassword = !mailu.revealPassword">
+                {{ mailu.revealPassword ? "hide" : "show" }}
+              </button>
+            </div>
+          </div>
+          <div class="mono secret">{{ mailu.revealPassword ? mailu.currentPassword : "••••••••••••••••" }}</div>
+          <div class="hint mono">Use this in your mail client (IMAP/SMTP).</div>
+        </div>
+
+        <div v-else class="hint mono">No app password set yet. Rotate to generate one.</div>
+
        <div v-if="mailu.newPassword" class="secret-box">
          <div class="secret-head">
            <div class="pill mono pill-warn">Show once</div>
@ -153,6 +169,8 @@ const mailu = reactive({
  imap: "mail.bstein.dev:993 (TLS)",
  smtp: "mail.bstein.dev:587 (STARTTLS)",
  username: "",
+  currentPassword: "",
+  revealPassword: false,
  rotating: false,
  newPassword: "",
  error: "",
@ -194,6 +212,7 @@ async function refreshOverview() {
    const data = await resp.json();
    mailu.status = data.mailu?.status || "ready";
    mailu.username = data.mailu?.username || auth.username;
+    mailu.currentPassword = data.mailu?.app_password || "";
    jellyfin.status = data.jellyfin?.status || "ready";
    jellyfin.username = data.jellyfin?.username || auth.username;
  } catch (err) {
@ -236,6 +255,8 @@ async function rotateMailu() {
    const data = await resp.json().catch(() => ({}));
    if (!resp.ok) throw new Error(data.error || `status ${resp.status}`);
    mailu.newPassword = data.password || "";
+    mailu.currentPassword = mailu.newPassword;
+    mailu.revealPassword = true;
    mailu.status = "updated";
  } catch (err) {
    mailu.error = err.message || "Rotation failed";
@ -428,6 +449,12 @@ button.primary {
  margin-bottom: 8px;
 }

+.secret-actions {
+  display: inline-flex;
+  align-items: center;
+  gap: 8px;
+}
+
 .secret {
  word-break: break-word;
  color: var(--text-strong);
--- a/frontend/src/views/HomeView.vue
+++ b/frontend/src/views/HomeView.vue
@ -28,7 +28,7 @@
              <span class="pill mono">k3s cluster</span>
            </div>
            <iframe
-              src="https://metrics.bstein.dev/d-solo/atlas-overview/atlas-overview?from=now-24h&to=now&refresh=1m&orgId=1&theme=dark&panelId=27&__feature.dashboardSceneSolo"
+              src="https://metrics.bstein.dev/d-solo/atlas-overview/atlas-overview?from=now-24h&to=now&refresh=1m&theme=dark&panelId=27&__feature.dashboardSceneSolo"
              width="100%"
              height="180"
              frameborder="0"
--- a/frontend/src/views/OnboardingView.vue
+++ b/frontend/src/views/OnboardingView.vue
@ -0,0 +1,180 @@
+<template>
+  <div class="page">
+    <section class="card hero glass">
+      <div>
+        <p class="eyebrow">Atlas</p>
+        <h1>Onboarding</h1>
+        <p class="lede">Use your request code to view status and next steps.</p>
+      </div>
+    </section>
+
+    <section class="card module">
+      <div class="module-head">
+        <h2>Request Code</h2>
+        <span class="pill mono" :class="status ? 'pill-ok' : 'pill-warn'">
+          {{ status || "unknown" }}
+        </span>
+      </div>
+
+      <div class="status-form">
+        <input v-model="requestCode" class="input mono" type="text" placeholder="username~XXXXXXXXXX" :disabled="loading" />
+        <button class="primary" type="button" @click="check" :disabled="loading || !requestCode.trim()">
+          {{ loading ? "Checking..." : "Check" }}
+        </button>
+      </div>
+
+      <div v-if="status === 'approved'" class="steps">
+        <h3>Next steps</h3>
+        <ol>
+          <li>Log in at <a href="https://cloud.bstein.dev" target="_blank" rel="noreferrer">cloud.bstein.dev</a>.</li>
+          <li>Use your Keycloak username/password to access services.</li>
+          <li>If something doesn't work, contact the Atlas admin.</li>
+        </ol>
+      </div>
+
+      <div v-if="status === 'denied'" class="steps">
+        <h3>Denied</h3>
+        <p class="muted">This request was denied. Contact the Atlas admin if you think this is a mistake.</p>
+      </div>
+
+      <div v-if="error" class="error-box">
+        <div class="mono">{{ error }}</div>
+      </div>
+    </section>
+  </div>
+</template>
+
+<script setup>
+import { onMounted, ref } from "vue";
+import { useRoute } from "vue-router";
+
+const route = useRoute();
+
+const requestCode = ref("");
+const status = ref("");
+const loading = ref(false);
+const error = ref("");
+
+async function check() {
+  if (loading.value) return;
+  error.value = "";
+  loading.value = true;
+  try {
+    const resp = await fetch("/api/access/request/status", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ request_code: requestCode.value.trim() }),
+    });
+    const data = await resp.json().catch(() => ({}));
+    if (!resp.ok) throw new Error(data.error || resp.statusText || `status ${resp.status}`);
+    status.value = data.status || "unknown";
+  } catch (err) {
+    error.value = err.message || "Failed to check status";
+  } finally {
+    loading.value = false;
+  }
+}
+
+onMounted(async () => {
+  const code = route.query.code || route.query.request_code || "";
+  if (typeof code === "string" && code.trim()) {
+    requestCode.value = code.trim();
+    await check();
+  }
+});
+</script>
+
+<style scoped>
+.page {
+  max-width: 960px;
+  margin: 0 auto;
+  padding: 32px 22px 72px;
+}
+
+.hero {
+  margin-bottom: 12px;
+  padding: 18px;
+}
+
+.eyebrow {
+  text-transform: uppercase;
+  letter-spacing: 0.08em;
+  color: var(--text-muted);
+  margin: 0 0 6px;
+  font-size: 13px;
+}
+
+h1 {
+  margin: 0 0 6px;
+  font-size: 32px;
+}
+
+.lede {
+  margin: 0;
+  color: var(--text-muted);
+  max-width: 640px;
+}
+
+.module {
+  padding: 18px;
+}
+
+.module-head {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 18px;
+}
+
+.status-form {
+  display: flex;
+  gap: 10px;
+  margin-top: 12px;
+}
+
+.input {
+  flex: 1;
+  padding: 10px 12px;
+  border-radius: 10px;
+  border: 1px solid rgba(255, 255, 255, 0.14);
+  background: rgba(0, 0, 0, 0.25);
+  color: var(--text-primary);
+}
+
+button.primary {
+  background: linear-gradient(90deg, #4f8bff, #7dd0ff);
+  color: #0b1222;
+  padding: 10px 14px;
+  border: none;
+  border-radius: 10px;
+  cursor: pointer;
+  font-weight: 700;
+}
+
+.steps {
+  margin-top: 16px;
+}
+
+.steps h3 {
+  margin: 0 0 8px;
+}
+
+.steps ol {
+  margin: 0;
+  padding-left: 18px;
+  color: var(--text-muted);
+}
+
+.muted {
+  color: var(--text-muted);
+}
+
+.error-box {
+  margin-top: 12px;
+  border-radius: 12px;
+  border: 1px solid rgba(255, 87, 87, 0.5);
+  background: rgba(255, 87, 87, 0.06);
+  padding: 10px 12px;
+}
+</style>
+
--- a/frontend/src/views/RequestAccessView.vue
+++ b/frontend/src/views/RequestAccessView.vue
@ -105,6 +105,10 @@
            {{ checking ? "Checking..." : "Check" }}
          </button>
        </div>
+
+        <div v-if="status === 'approved' && onboardingUrl" class="actions" style="margin-top: 12px;">
+          <a class="primary" :href="onboardingUrl">Continue onboarding</a>
+        </div>
      </div>

      <div v-if="error" class="error-box">
@ -134,6 +138,7 @@ const statusForm = reactive({
 });
 const checking = ref(false);
 const status = ref("");
+const onboardingUrl = ref("");

 async function submit() {
  if (submitting.value) return;
@ -186,6 +191,7 @@ async function checkStatus() {
    const data = await resp.json().catch(() => ({}));
    if (!resp.ok) throw new Error(data.error || resp.statusText || `status ${resp.status}`);
    status.value = data.status || "unknown";
+    onboardingUrl.value = data.onboarding_url || "";
  } catch (err) {
    error.value = err.message || "Failed to check status";
  } finally {