cobb/cauldron
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
cauldron/cauldron/oidc.py
Kayos 213801ca70 v0.2 foundation — Authentik OIDC + sulkta-mariadb DB + Fernet crypto 
Adds the multi-user plumbing layer underneath v0.1's batch-only API:

- DB module (db.py) — PyMySQL against sulkta-mariadb, in-process migrations.
  Tables: cauldron_users, cauldron_user_mealie_tokens, cauldron_chat_log,
  schema_migrations.
- Crypto module (crypto.py) — thin Fernet wrapper. Master key in env,
  per-row encryption of stored Mealie tokens, decrypt only in-process.
- OIDC module (oidc.py) — Authlib-based Authentik integration. Issuer
  https://auth.sulkta.com/application/o/cauldron/, sub_mode=user_email,
  scopes openid+email+profile. App gated to 'Sulkta Family' group.
- Two-tier Mealie shape — system_mealie (env token, admin batch) +
  current_user_mealie() helper that loads + decrypts the calling user's
  token from DB. Per the v0.2 design (memory/spec-cauldron-v0.2.md).
- Connect flow — /connect-mealie pages walk users through minting their
  own Mealie API token and pasting it back. Validated against
  /api/users/self before encryption + storage.
- Routes — /, /login, /auth/callback, /logout, /me, /connect-mealie,
  /disconnect-mealie. v0.1 admin endpoints kept under bearer auth.
- Mealie.who_am_i() helper added.
- Auth flow uses Authentik subject (sub) as the canonical user key.

UI is minimal — connect-mealie page uses the locked palette
(forest #1f2d1f, panels #2d3a2a, meadow #6b8e5a/#88a87a, parchment text
#f0e6cc/#ddd4ba) and Cormorant Garamond serif headers. Strict palette.
The fuller dashboard / plan / list / recipes views land in subsequent
commits.

Authentik provider PK 24, client_id ZIwEugWWWZinR1KcVC9IT9hpGoTds9ps8XDDHPPN.
Group 'Sulkta Family' (pk 6d0c75e9-...) created with cobb member.

Foundation only — Abby's branded UI and the meal-plan / shopping-list
features land in subsequent v0.2 commits.
2026-04-28 19:47:47 -07:00

23 lines
840 B
Python
Raw Blame History

"""Authentik OIDC integration via Authlib.
Cauldron is gated to the Authentik 'Cauldron' application, which is bound
to the 'Sulkta Family' group. Authentik enforces the group membership; we
just trust the userinfo response.
We use 'sub_mode=user_email' on the Authentik provider, so the OIDC `sub`
claim is the user's email — stable, human-readable, and matches our
existing Sulkta SSO pattern.
"""
from authlib.integrations.flask_client import OAuth
def init_oauth(app, *, issuer: str, client_id: str, client_secret: str) -> OAuth:
oauth = OAuth(app)
oauth.register(
name="cauldron",
server_metadata_url=f"{issuer.rstrip('/')}/.well-known/openid-configuration",
client_id=client_id,
client_secret=client_secret,
client_kwargs={"scope": "openid email profile"},
)
return oauth
Reference in a new issue View git blame Copy permalink