95bd32bd71
Move Ghost membership sync from blog to account service so blog no longer queries account tables (users, ghost_labels, etc.). Account runs membership sync at startup and exposes HTTP action/data endpoints for webhook-triggered syncs and user lookups. Key changes: - account/services/ghost_membership.py: all membership sync functions - account/bp/actions + data: ghost-sync-member, user-by-email, newsletters - blog ghost_sync.py: stripped to content-only (posts, authors, tags) - blog webhook member: delegates to account via call_action() - try_publish: opens federation session when DBs differ - oauth.py callback: uses get_account_session() for OAuthCode - page_configs moved from db_events to db_blog in split script Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
47 lines
1017 B
Python
47 lines
1017 B
Python
import os
|
|
import time
|
|
import jwt # PyJWT
|
|
from typing import Tuple
|
|
|
|
|
|
def _split_key(raw_key: str) -> Tuple[str, bytes]:
|
|
"""
|
|
raw_key is the 'id:secret' from Ghost.
|
|
Returns (id, secret_bytes)
|
|
"""
|
|
key_id, key_secret_hex = raw_key.split(':', 1)
|
|
secret_bytes = bytes.fromhex(key_secret_hex)
|
|
return key_id, secret_bytes
|
|
|
|
|
|
def make_ghost_admin_jwt() -> str:
|
|
"""
|
|
Generate a short-lived JWT suitable for Authorization: Ghost <token>
|
|
"""
|
|
raw_key = os.environ["GHOST_ADMIN_API_KEY"]
|
|
key_id, secret_bytes = _split_key(raw_key)
|
|
|
|
now = int(time.time())
|
|
|
|
payload = {
|
|
"iat": now,
|
|
"exp": now + 5 * 60, # now + 5 minutes
|
|
"aud": "/admin/",
|
|
}
|
|
|
|
headers = {
|
|
"alg": "HS256",
|
|
"kid": key_id,
|
|
"typ": "JWT",
|
|
}
|
|
|
|
token = jwt.encode(
|
|
payload,
|
|
secret_bytes,
|
|
algorithm="HS256",
|
|
headers=headers,
|
|
)
|
|
|
|
# PyJWT returns str in recent versions; Ghost expects bare token string
|
|
return token
|