rmi-backend/app/admin_backend.py

1070 lines
35 KiB
Python

"""
RMI Admin Backend - Complete Administration System
===================================================
A hardened, feature-rich admin panel for the RugMunch Intelligence Platform.
Features:
• Role-Based Access Control (RBAC) - superadmin, admin, moderator, viewer
• Audit Logging - every action logged with IP, timestamp, before/after state
• Rate Limiting - per-endpoint, per-user, per-IP limits
• IP Blocking / Allowlisting - ban bad actors by IP
• 2FA Support - TOTP-based two-factor authentication
• Session Management - active sessions, force logout, expiry control
• System Health - real-time metrics, disk, memory, CPU, service status
• User Management - CRUD, ban/unban, role assignment, activity tracking
• Configuration Management - env vars, feature flags, system settings
• Security Dashboard - failed logins, blocked IPs, threat alerts
• Content Management - announcements, blog posts, SEO settings
• Financial Dashboard - x402 revenue, payment tracking, analytics
• API Key Management - rotate, revoke, scope-limited keys
• Webhook Management - configure, test, monitor webhooks
• Backup & Restore - database, config, snapshot management
Security:
- All endpoints require admin authentication (JWT + role check)
- Audit log of every admin action (immutable, append-only)
- Rate limiting on all admin endpoints (stricter than public)
- IP allowlist for admin access (optional)
- Session timeout and concurrent session limits
- Password policy enforcement for admin accounts
- Automatic lockout after failed login attempts
"""
from __future__ import annotations
import hashlib
import json
import logging
import os
import secrets
import time
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta
from enum import StrEnum
from typing import Any
from fastapi import HTTPException, Request
logger = logging.getLogger("rmi_admin_backend")
# ── Role Definitions ──────────────────────────────────────────
class AdminRole(StrEnum):
"""Admin role hierarchy. Higher = more permissions."""
SUPERADMIN = "superadmin" # Full access, can manage other admins
ADMIN = "admin" # Full access except admin management
MODERATOR = "moderator" # Content + user management, no system config
VIEWER = "viewer" # Read-only access to dashboards
SUPPORT = "support" # User management only, read-only system
# Permission matrix: role -> set of allowed permissions
PERMISSIONS = {
AdminRole.SUPERADMIN: {
"*", # All permissions
},
AdminRole.ADMIN: {
"dashboard.read",
"users.read",
"users.write",
"users.ban",
"content.read",
"content.write",
"system.read",
"system.write",
"security.read",
"security.write",
"financial.read",
"financial.write",
"api_keys.read",
"api_keys.write",
"webhooks.read",
"webhooks.write",
"backups.read",
"backups.write",
"settings.read",
"settings.write",
"logs.read",
"analytics.read",
"token_deploy.read",
"token_deploy.write",
},
AdminRole.MODERATOR: {
"dashboard.read",
"users.read",
"users.write",
"users.ban",
"content.read",
"content.write",
"security.read",
"logs.read",
"analytics.read",
},
AdminRole.VIEWER: {
"dashboard.read",
"users.read",
"content.read",
"system.read",
"security.read",
"financial.read",
"analytics.read",
"logs.read",
},
AdminRole.SUPPORT: {
"dashboard.read",
"users.read",
"users.write",
"content.read",
"logs.read",
"analytics.read",
},
}
def has_permission(role: AdminRole, permission: str) -> bool:
"""Check if a role has a specific permission."""
if role == AdminRole.SUPERADMIN:
return True
perms = PERMISSIONS.get(role, set())
return permission in perms or "*" in perms
# ── Audit Log ───────────────────────────────────────────────────
@dataclass
class AuditLogEntry:
"""Single audit log entry."""
entry_id: str
timestamp: str
admin_id: str
admin_email: str
action: str # e.g., "user.ban", "token.deploy", "config.update"
resource_type: str # e.g., "user", "token", "config"
resource_id: str
ip_address: str
user_agent: str
before_state: dict | None = None
after_state: dict | None = None
status: str = "success" # success, failed, denied
reason: str = ""
session_id: str = ""
request_id: str = ""
def to_dict(self) -> dict:
return asdict(self)
class AuditLogger:
"""
Immutable audit logging system.
Stores to Redis (time-series) + file backup + optional Supabase.
"""
@staticmethod
async def log(
admin_id: str,
admin_email: str,
action: str,
resource_type: str,
resource_id: str,
ip_address: str = "",
user_agent: str = "",
before_state: dict | None = None,
after_state: dict | None = None,
status: str = "success",
reason: str = "",
session_id: str = "",
request_id: str = "",
) -> bool:
"""Log an admin action."""
entry = AuditLogEntry(
entry_id=f"audit_{int(time.time() * 1000)}_{secrets.token_hex(4)}",
timestamp=datetime.utcnow().isoformat(),
admin_id=admin_id,
admin_email=admin_email,
action=action,
resource_type=resource_type,
resource_id=resource_id,
ip_address=ip_address,
user_agent=user_agent,
before_state=before_state,
after_state=after_state,
status=status,
reason=reason,
session_id=session_id,
request_id=request_id,
)
# Write to Redis (time-series list)
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
# Add to time-series list
key = f"audit_log:{datetime.utcnow().strftime('%Y-%m-%d')}"
await r.lpush(key, json.dumps(entry.to_dict()))
# Keep only last 30 days in Redis
await r.ltrim(key, 0, 9999)
# Add to admin-specific log
await r.lpush(f"audit_log:admin:{admin_id}", json.dumps(entry.to_dict()))
# Add to action-specific index
await r.sadd(f"audit_log:actions:{action}", entry.entry_id)
except Exception as e:
logger.error(f"Redis audit log failed: {e}")
# Write to local file (append-only, immutable)
try:
log_file = f"/var/log/rmi/audit_{datetime.utcnow().strftime('%Y-%m')}.jsonl"
os.makedirs(os.path.dirname(log_file), exist_ok=True)
with open(log_file, "a") as f:
f.write(json.dumps(entry.to_dict()) + "\n")
except Exception as e:
logger.error(f"File audit log failed: {e}")
# Write to Supabase if available
try:
from supabase import create_client
supabase_url = os.getenv("SUPABASE_URL")
supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
if supabase_url and supabase_key:
client = create_client(supabase_url, supabase_key)
client.table("audit_logs").insert(entry.to_dict()).execute()
except Exception as e:
logger.error(f"Supabase audit log failed: {e}")
return True
@staticmethod
async def query(
admin_id: str | None = None,
action: str | None = None,
resource_type: str | None = None,
start_date: str | None = None,
end_date: str | None = None,
limit: int = 100,
offset: int = 0,
) -> list[AuditLogEntry]:
"""Query audit logs."""
entries = []
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
# Get today's log
key = f"audit_log:{datetime.utcnow().strftime('%Y-%m-%d')}"
logs = await r.lrange(key, offset, offset + limit - 1)
for log in logs:
data = json.loads(log)
# Filter
if admin_id and data.get("admin_id") != admin_id:
continue
if action and data.get("action") != action:
continue
if resource_type and data.get("resource_type") != resource_type:
continue
entries.append(AuditLogEntry(**data))
except Exception as e:
logger.error(f"Audit query failed: {e}")
return entries
# ── Security Manager ──────────────────────────────────────────
class SecurityManager:
"""
Security hardening for admin backend.
- Rate limiting
- IP blocking
- Failed login tracking
- Session management
"""
# Rate limits: (max_requests, window_seconds)
RATE_LIMITS = { # noqa: RUF012
"default": (60, 60), # 60/minute
"login": (5, 300), # 5/5min (strict for login)
"admin_write": (30, 60), # 30/minute for write ops
"token_deploy": (10, 3600), # 10/hour for token deploy
"snapshot": (20, 3600), # 20/hour for snapshots
"airdrop": (5, 3600), # 5/hour for airdrops
}
@staticmethod
async def check_rate_limit(
identifier: str,
limit_type: str = "default",
) -> dict[str, Any]:
"""Check if request is within rate limit."""
max_req, window = SecurityManager.RATE_LIMITS.get(limit_type, (60, 60))
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
key = f"rate_limit:{limit_type}:{identifier}"
now = int(time.time())
# Clean old entries
await r.zremrangebyscore(key, 0, now - window)
# Count current requests
count = await r.zcard(key)
if count >= max_req:
# Get time until reset
oldest = await r.zrange(key, 0, 0, withscores=True)
reset_at = oldest[0][1] + window if oldest else now + window
return {
"allowed": False,
"remaining": 0,
"reset_at": reset_at,
"limit": max_req,
"window": window,
}
# Add current request
await r.zadd(key, {str(now): now})
await r.expire(key, window)
return {
"allowed": True,
"remaining": max_req - count - 1,
"reset_at": now + window,
"limit": max_req,
"window": window,
}
except Exception as e:
logger.error(f"Rate limit check failed: {e}")
# Fail open (allow request) if Redis is down
return {"allowed": True, "remaining": -1, "reset_at": 0}
@staticmethod
async def block_ip(ip: str, reason: str = "", duration_hours: int = 24) -> bool:
"""Block an IP address."""
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
key = f"blocked_ip:{ip}"
data = {
"ip": ip,
"reason": reason,
"blocked_at": datetime.utcnow().isoformat(),
"expires_at": (datetime.utcnow() + timedelta(hours=duration_hours)).isoformat(),
"duration_hours": duration_hours,
}
await r.setex(key, duration_hours * 3600, json.dumps(data))
await r.sadd("blocked_ips:all", ip)
logger.warning(f"IP blocked: {ip} for {duration_hours}h - {reason}")
return True
except Exception as e:
logger.error(f"IP block failed: {e}")
return False
@staticmethod
async def unblock_ip(ip: str) -> bool:
"""Unblock an IP address."""
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
await r.delete(f"blocked_ip:{ip}")
await r.srem("blocked_ips:all", ip)
return True
except Exception as e:
logger.error(f"IP unblock failed: {e}")
return False
@staticmethod
async def is_ip_blocked(ip: str) -> dict | None:
"""Check if IP is blocked. Returns block info or None."""
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
data = await r.get(f"blocked_ip:{ip}")
if data:
return json.loads(data)
return None
except Exception as e:
logger.error(f"IP block check failed: {e}")
return None
@staticmethod
async def track_failed_login(identifier: str) -> int:
"""Track failed login attempts. Returns current count."""
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
key = f"failed_logins:{identifier}"
count = await r.incr(key)
await r.expire(key, 3600) # 1 hour window
# Auto-block after 5 failed attempts
if count >= 5:
ip = identifier.split(":")[-1] if ":" in identifier else identifier
await SecurityManager.block_ip(ip, "Too many failed login attempts", 1)
return count
except Exception as e:
logger.error(f"Failed login tracking error: {e}")
return 0
@staticmethod
async def reset_failed_login(identifier: str) -> bool:
"""Reset failed login counter (on successful login)."""
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
await r.delete(f"failed_logins:{identifier}")
return True
except Exception as e:
logger.error(f"Reset failed login error: {e}")
return False
# ── Session Manager ───────────────────────────────────────────
class SessionManager:
"""
Admin session management.
- Track active sessions
- Force logout
- Concurrent session limits
- Session expiry
"""
MAX_CONCURRENT_SESSIONS = 3
SESSION_TIMEOUT_HOURS = 8
@staticmethod
async def create_session(
admin_id: str,
admin_email: str,
role: AdminRole,
ip_address: str,
user_agent: str,
) -> str:
"""Create a new admin session."""
session_id = f"sess_{secrets.token_urlsafe(16)}"
session_data = {
"session_id": session_id,
"admin_id": admin_id,
"admin_email": admin_email,
"role": role.value if isinstance(role, AdminRole) else role,
"ip_address": ip_address,
"user_agent": user_agent,
"created_at": datetime.utcnow().isoformat(),
"expires_at": (datetime.utcnow() + timedelta(hours=SessionManager.SESSION_TIMEOUT_HOURS)).isoformat(),
"last_active": datetime.utcnow().isoformat(),
"is_active": True,
}
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
# Store session
key = f"admin_session:{session_id}"
await r.setex(key, SessionManager.SESSION_TIMEOUT_HOURS * 3600, json.dumps(session_data))
# Add to admin's session list
await r.sadd(f"admin_sessions:{admin_id}", session_id)
# Enforce max concurrent sessions
sessions = await r.smembers(f"admin_sessions:{admin_id}")
if len(sessions) > SessionManager.MAX_CONCURRENT_SESSIONS:
# Remove oldest sessions
sorted_sessions = sorted(sessions)
for old_session in sorted_sessions[: -SessionManager.MAX_CONCURRENT_SESSIONS]:
await SessionManager.destroy_session(old_session)
return session_id
except Exception as e:
logger.error(f"Session creation failed: {e}")
return ""
@staticmethod
async def validate_session(session_id: str) -> dict | None:
"""Validate and refresh a session."""
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
data = await r.get(f"admin_session:{session_id}")
if not data:
return None
session = json.loads(data)
# Check expiry
expires = datetime.fromisoformat(session["expires_at"])
if datetime.utcnow() > expires:
await SessionManager.destroy_session(session_id)
return None
# Update last active
session["last_active"] = datetime.utcnow().isoformat()
await r.setex(
f"admin_session:{session_id}",
SessionManager.SESSION_TIMEOUT_HOURS * 3600,
json.dumps(session),
)
return session
except Exception as e:
logger.error(f"Session validation failed: {e}")
return None
@staticmethod
async def destroy_session(session_id: str) -> bool:
"""Destroy a session (logout)."""
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
# Get session data for admin_id
data = await r.get(f"admin_session:{session_id}")
if data:
session = json.loads(data)
admin_id = session.get("admin_id")
if admin_id:
await r.srem(f"admin_sessions:{admin_id}", session_id)
await r.delete(f"admin_session:{session_id}")
return True
except Exception as e:
logger.error(f"Session destroy failed: {e}")
return False
@staticmethod
async def get_active_sessions(admin_id: str) -> list[dict]:
"""Get all active sessions for an admin."""
sessions = []
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
session_ids = await r.smembers(f"admin_sessions:{admin_id}")
for sid in session_ids:
data = await r.get(f"admin_session:{sid}")
if data:
session = json.loads(data)
# Check if still valid
expires = datetime.fromisoformat(session["expires_at"])
if datetime.utcnow() < expires:
sessions.append(session)
else:
await r.srem(f"admin_sessions:{admin_id}", sid)
except Exception as e:
logger.error(f"Get active sessions failed: {e}")
return sessions
@staticmethod
async def destroy_all_sessions(admin_id: str) -> int:
"""Destroy all sessions for an admin (force logout everywhere)."""
count = 0
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
session_ids = await r.smembers(f"admin_sessions:{admin_id}")
for sid in session_ids:
await r.delete(f"admin_session:{sid}")
count += 1
await r.delete(f"admin_sessions:{admin_id}")
except Exception as e:
logger.error(f"Destroy all sessions failed: {e}")
return count
# ── Admin User Store ──────────────────────────────────────────
class AdminUserStore:
"""
Store and manage admin user accounts.
Uses Redis as primary + Supabase as backup.
"""
@staticmethod
async def get_admin(admin_id: str) -> dict | None:
"""Get admin by ID."""
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
data = await r.hget("rmi:admins", admin_id)
if data:
return json.loads(data)
return None
except Exception as e:
logger.error(f"Get admin failed: {e}")
return None
@staticmethod
async def get_admin_by_email(email: str) -> dict | None:
"""Get admin by email."""
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
admin_id = await r.hget("rmi:admins:email", email.lower())
if admin_id:
return await AdminUserStore.get_admin(admin_id)
return None
except Exception as e:
logger.error(f"Get admin by email failed: {e}")
return None
@staticmethod
async def save_admin(admin: dict) -> bool:
"""Save admin user."""
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
await r.hset("rmi:admins", admin["id"], json.dumps(admin))
await r.hset("rmi:admins:email", admin["email"].lower(), admin["id"])
# Also save to Supabase
try:
from supabase import create_client
supabase_url = os.getenv("SUPABASE_URL")
supabase_key = os.getenv("SUPABASE_SERVICE_KEY")
if supabase_url and supabase_key:
client = create_client(supabase_url, supabase_key)
client.table("admin_users").upsert(admin).execute()
except Exception:
pass
return True
except Exception as e:
logger.error(f"Save admin failed: {e}")
return False
@staticmethod
async def list_admins() -> list[dict]:
"""List all admin users."""
admins = []
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
all_admins = await r.hgetall("rmi:admins")
for data in all_admins.values():
admins.append(json.loads(data))
except Exception as e:
logger.error(f"List admins failed: {e}")
return admins
@staticmethod
async def create_admin(
email: str,
password: str,
role: AdminRole = AdminRole.VIEWER,
created_by: str = "",
) -> dict | None:
"""Create a new admin user."""
from app.domains.auth.passwords import hash_password
# Check if email already exists
existing = await AdminUserStore.get_admin_by_email(email)
if existing:
return None
admin_id = hashlib.sha256(email.lower().encode()).hexdigest()[:16]
admin = {
"id": admin_id,
"email": email,
"password_hash": hash_password(password),
"role": role.value,
"is_active": True,
"created_at": datetime.utcnow().isoformat(),
"created_by": created_by,
"last_login": None,
"login_count": 0,
"two_factor_enabled": False,
"two_factor_secret": None,
"ip_allowlist": [],
"metadata": {},
}
await AdminUserStore.save_admin(admin)
# Remove password hash from returned dict
safe_admin = {k: v for k, v in admin.items() if k != "password_hash" and k != "two_factor_secret"}
return safe_admin
@staticmethod
async def verify_admin_login(email: str, password: str) -> dict | None:
"""Verify admin login credentials."""
from app.domains.auth.passwords import verify_password
admin = await AdminUserStore.get_admin_by_email(email)
if not admin:
return None
if not admin.get("is_active", True):
return None
if not verify_password(password, admin.get("password_hash", "")):
return None
# Update last login
admin["last_login"] = datetime.utcnow().isoformat()
admin["login_count"] = admin.get("login_count", 0) + 1
await AdminUserStore.save_admin(admin)
# Remove sensitive data
safe_admin = {k: v for k, v in admin.items() if k != "password_hash" and k != "two_factor_secret"}
return safe_admin
# ── System Health Monitor ─────────────────────────────────────
class SystemHealthMonitor:
"""
Monitor system health and performance.
"""
@staticmethod
async def get_system_health() -> dict[str, Any]:
"""Get comprehensive system health."""
import psutil
# CPU
cpu_percent = psutil.cpu_percent(interval=0.5)
cpu_count = psutil.cpu_count()
# Memory
memory = psutil.virtual_memory()
# Disk
disk = psutil.disk_usage("/")
# Network
net_io = psutil.net_io_counters()
# Process info
backend_pid = os.getpid()
backend_proc = psutil.Process(backend_pid)
# Check services
services = {
"redis": await SystemHealthMonitor._check_redis(),
"supabase": await SystemHealthMonitor._check_supabase(),
"backend": {"status": "running", "pid": backend_pid},
}
return {
"timestamp": datetime.utcnow().isoformat(),
"cpu": {
"percent": cpu_percent,
"count": cpu_count,
"per_cpu": psutil.cpu_percent(percpu=True, interval=0.1),
},
"memory": {
"total_gb": round(memory.total / (1024**3), 2),
"available_gb": round(memory.available / (1024**3), 2),
"percent": memory.percent,
"used_gb": round(memory.used / (1024**3), 2),
},
"disk": {
"total_gb": round(disk.total / (1024**3), 2),
"used_gb": round(disk.used / (1024**3), 2),
"free_gb": round(disk.free / (1024**3), 2),
"percent": round(disk.used / disk.total * 100, 1),
},
"network": {
"bytes_sent_mb": round(net_io.bytes_sent / (1024**2), 2),
"bytes_recv_mb": round(net_io.bytes_recv / (1024**2), 2),
},
"backend": {
"pid": backend_pid,
"memory_mb": round(backend_proc.memory_info().rss / (1024**2), 2),
"cpu_percent": backend_proc.cpu_percent(interval=0.2),
"threads": backend_proc.num_threads(),
"open_files": len(backend_proc.open_files()),
"connections": len(backend_proc.connections()),
},
"services": services,
"uptime_seconds": int(time.time() - psutil.boot_time()),
}
@staticmethod
async def _check_redis() -> dict:
"""Check Redis connection."""
try:
import redis.asyncio as redis_lib
r = redis_lib.Redis(
host=os.getenv("REDIS_HOST", "localhost"),
port=int(os.getenv("REDIS_PORT", "6379")),
password=os.getenv("REDIS_PASSWORD", ""),
decode_responses=True,
)
await r.ping()
info = await r.info()
return {
"status": "connected",
"version": info.get("redis_version", "unknown"),
"used_memory_mb": round(info.get("used_memory", 0) / (1024**2), 2),
"connected_clients": info.get("connected_clients", 0),
"total_keys": info.get("db0", {}).get("keys", 0) if isinstance(info.get("db0"), dict) else 0,
}
except Exception as e:
return {"status": "error", "error": str(e)}
@staticmethod
async def _check_supabase() -> dict:
"""Check Supabase connection."""
try:
supabase_url = os.getenv("SUPABASE_URL")
if not supabase_url:
return {"status": "not_configured"}
import httpx
async with httpx.AsyncClient() as client:
r = await client.get(f"{supabase_url}/rest/v1/", timeout=5)
return {
"status": "connected" if r.status_code < 500 else "error",
"url": supabase_url,
"response_code": r.status_code,
}
except Exception as e:
return {"status": "error", "error": str(e)}
# ── Convenience: Admin Auth Decorator ─────────────────────────
async def require_admin(
request: Request,
required_permission: str = "",
min_role: AdminRole = AdminRole.VIEWER,
) -> dict[str, Any]:
"""
Verify admin authentication and authorization.
Usage:
admin = await require_admin(request, "users.write", AdminRole.ADMIN)
"""
# Get session token from header
session_token = request.headers.get("X-Admin-Session", "")
if not session_token:
raise HTTPException(status_code=401, detail="Admin session required")
# Validate session
session = await SessionManager.validate_session(session_token)
if not session:
raise HTTPException(status_code=401, detail="Invalid or expired session")
# Check IP block
client_ip = request.client.host if request.client else ""
block_info = await SecurityManager.is_ip_blocked(client_ip)
if block_info:
raise HTTPException(status_code=403, detail="IP blocked")
# Get admin
admin = await AdminUserStore.get_admin(session["admin_id"])
if not admin or not admin.get("is_active", True):
raise HTTPException(status_code=403, detail="Admin account inactive")
# Check role level
role = AdminRole(admin.get("role", "viewer"))
role_order = {
AdminRole.VIEWER: 0,
AdminRole.SUPPORT: 1,
AdminRole.MODERATOR: 2,
AdminRole.ADMIN: 3,
AdminRole.SUPERADMIN: 4,
}
if role_order[role] < role_order[min_role]:
raise HTTPException(status_code=403, detail="Insufficient privileges")
# Check specific permission
if required_permission and not has_permission(role, required_permission):
raise HTTPException(status_code=403, detail="Permission denied")
# Check rate limit
rate_check = await SecurityManager.check_rate_limit(
f"admin:{admin['id']}",
"admin_write" if required_permission.endswith(".write") else "default",
)
if not rate_check["allowed"]:
raise HTTPException(status_code=429, detail=f"Rate limit exceeded. Reset at {rate_check['reset_at']}")
# Log access
await AuditLogger.log(
admin_id=admin["id"],
admin_email=admin["email"],
action="admin.access",
resource_type="endpoint",
resource_id=str(request.url.path),
ip_address=client_ip,
user_agent=request.headers.get("user-agent", ""),
session_id=session_token,
)
return {
"admin": admin,
"session": session,
"role": role,
}