Incorporate art-dag-mono repo into artdag/ subfolder

Merges full history from art-dag/mono.git into the monorepo under the artdag/ directory. Contains: core (DAG engine), l1 (Celery rendering server), l2 (ActivityPub registry), common (shared templates/middleware), client (CLI), test (e2e). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> git-subtree-dir: artdag git-subtree-mainline: 1a179de547 git-subtree-split: 4c2e716558
2026-02-27 09:07:23 +00:00
parent 1a179de547 4c2e716558
commit 1a74d811f7
485 changed files with 118451 additions and 0 deletions
--- a/artdag/l2/app/dependencies.py
+++ b/artdag/l2/app/dependencies.py
@@ -0,0 +1,106 @@
+"""
+L2 Server Dependency Injection.
+
+Provides common dependencies for routes.
+"""
+
+from typing import Optional
+
+from fastapi import Request, HTTPException, Depends
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+
+from .config import settings
+
+security = HTTPBearer(auto_error=False)
+
+
+def get_templates(request: Request):
+    """Get Jinja2 templates from app state."""
+    return request.app.state.templates
+
+
+async def _verify_opaque_grant(token: str) -> Optional[dict]:
+    """Verify an opaque grant token via account server."""
+    import httpx
+
+    if not settings.internal_account_url:
+        return None
+
+    verify_url = f"{settings.internal_account_url.rstrip('/')}/auth/internal/verify-grant"
+    try:
+        async with httpx.AsyncClient(timeout=5.0) as client:
+            resp = await client.get(verify_url, params={"token": token})
+        if resp.status_code != 200:
+            return None
+        data = resp.json()
+        if not data.get("valid"):
+            return None
+    except Exception:
+        return None
+
+    username = data.get("username", "")
+    return {
+        "username": username,
+        "actor_id": f"https://{settings.domain}/users/{username}",
+        "token": token,
+        "sub": username,
+    }
+
+
+async def get_current_user(request: Request) -> Optional[dict]:
+    """
+    Get current user from cookie or header.
+
+    Returns user dict or None if not authenticated.
+    """
+    from auth import verify_token, get_token_claims
+
+    # Try cookie first
+    token = request.cookies.get("auth_token")
+
+    # Try Authorization header
+    if not token:
+        auth_header = request.headers.get("Authorization", "")
+        if auth_header.startswith("Bearer "):
+            token = auth_header[7:]
+
+    if not token:
+        return None
+
+    # Verify JWT token
+    username = verify_token(token)
+    if username:
+        claims = get_token_claims(token)
+        if claims:
+            return {
+                "username": username,
+                "actor_id": f"https://{settings.domain}/users/{username}",
+                "token": token,
+                **claims,
+            }
+
+    # JWT failed — try as opaque grant token
+    return await _verify_opaque_grant(token)
+
+
+async def require_auth(request: Request) -> dict:
+    """
+    Require authentication.
+
+    Raises HTTPException 401 if not authenticated.
+    """
+    user = await get_current_user(request)
+    if not user:
+        raise HTTPException(401, "Authentication required")
+    return user
+
+
+def get_user_from_cookie(request: Request) -> Optional[str]:
+    """Get username from cookie (for HTML pages)."""
+    from auth import verify_token
+
+    token = request.cookies.get("auth_token")
+    if not token:
+        return None
+
+    return verify_token(token)