Replace L2 JWT auth with OAuth SSO via account.rose-ash.com

- config.py: OAuth settings replace l2_server/l2_domain - auth.py: full rewrite — login/callback/logout with itsdangerous signed state cookies and httpx token exchange - dependencies.py: remove l2_server assignment, fix redirect path - home.py: simplify /login to redirect to /auth/login - base.html: cross-app nav (Blog, Market, Account) + Rose Ash branding - requirements.txt: add itsdangerous Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 23:26:17 +00:00
parent ca4e86d07e
commit 49097eef53
6 changed files with 136 additions and 133 deletions
--- a/app/config.py
+++ b/app/config.py
@@ -44,12 +44,24 @@ class Settings:
        default_factory=lambda: os.environ.get("IPFS_GATEWAY_URL", "https://ipfs.io/ipfs")
    )

-    # L2 Server
-    l2_server: Optional[str] = field(
-        default_factory=lambda: os.environ.get("L2_SERVER")
+    # OAuth SSO (replaces L2 auth)
+    oauth_authorize_url: str = field(
+        default_factory=lambda: os.environ.get("OAUTH_AUTHORIZE_URL", "https://account.rose-ash.com/auth/oauth/authorize")
    )
-    l2_domain: Optional[str] = field(
-        default_factory=lambda: os.environ.get("L2_DOMAIN")
+    oauth_token_url: str = field(
+        default_factory=lambda: os.environ.get("OAUTH_TOKEN_URL", "https://account.rose-ash.com/auth/oauth/token")
+    )
+    oauth_client_id: str = field(
+        default_factory=lambda: os.environ.get("OAUTH_CLIENT_ID", "artdag")
+    )
+    oauth_redirect_uri: str = field(
+        default_factory=lambda: os.environ.get("OAUTH_REDIRECT_URI", "https://celery-artdag.rose-ash.com/auth/callback")
+    )
+    oauth_logout_url: str = field(
+        default_factory=lambda: os.environ.get("OAUTH_LOGOUT_URL", "https://account.rose-ash.com/auth/sso-logout/")
+    )
+    secret_key: str = field(
+        default_factory=lambda: os.environ.get("SECRET_KEY", "change-me-in-production")
    )

    # GPU/Streaming settings
@@ -91,7 +103,8 @@ class Settings:
        output(f"  ipfs_gateway_url:     {self.ipfs_gateway_url}")
        output(f"  ipfs_gateways:        {self.ipfs_gateways[:50]}...")
        output(f"  streaming_gpu_persist: {self.streaming_gpu_persist}")
-        output(f"  l2_server:            {self.l2_server}")
+        output(f"  oauth_client_id:      {self.oauth_client_id}")
+        output(f"  oauth_authorize_url:  {self.oauth_authorize_url}")
        output("=" * 60)