6j6.dZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl m Z m Z ejeZdZdefdZehdZdZe d z Zdeeeffd Zd eeefddfd ZeZe d z ZdZdZ deee!effdZ"deee!efddfdZ#e"Z$dede%fdZ&deddfdZ'dZ(dZ)dedzfdZ*de%fdZ+de%fdZ,defdZ-dZ.de%fdZ/d#dZ0dedzfdZ1de%fd Z2d#d!Z3d#d"Z4dS)$z Hermes Web UI -- Optional password authentication. Off by default. Enable by setting HERMES_WEBUI_PASSWORD env var or configuring a password in the Settings panel. N) STATE_DIR load_settingsi'returnc\tjdd}|r!t |}d|cxkrdkrnn|St }|d}t|trd|cxkrdkrnn|StS)aResolve session TTL from env > settings > default. Priority mirrors get_password_hash(): HERMES_WEBUI_SESSION_TTL env var first, then settings.json, falling back to ``SESSION_TTL`` (30 days). Clamped to [60s, 1 year] to prevent runaway cookies or self-lockout. HERMES_WEBUI_SESSION_TTL<i3session_ttl_seconds) osgetenvstripisdigitintrget isinstance SESSION_TTL)env_vvalsvs /root/hermes-webui/api/auth.py_resolve_session_ttlrs I0" 5 5 ; ; = =E }}%jj  # # # # # # # # #JA #$$A!SbA444444444 >/login/sw.js/health /favicon.ico/manifest.json/api/auth/login/api/auth/status/manifest.webmanifesthermes_sessionz.sessions.jsonc trtjtd}t |t stdtjfd| DSn2#t$r%}t d|Yd}~nd}~wwxYwiS)zLoad persisted sessions from STATE_DIR, pruning expired entries. Returns an empty dict on any read or parse error so startup is never blocked by a corrupt or missing sessions file. utf-8encodingu)malformed sessions file — expected dictci|]?\}}t|tr%t|ttfr |k<||@S)rstrrfloat.0texpnows r z"_load_sessions..Gsa[[[vq#!!S))[.8sEl.K.K[PSVYPYPYsPYPYPYrz0Failed to load sessions file, starting fresh: %sN) _SESSIONS_FILEexistsjsonloads read_textrdict ValueErrortimeitems Exceptionloggerdebug)dataer/s @r_load_sessionsr?;s L  " " [:n666HHIIDdD)) N !LMMM)++C[[[[[[[ [  [ LLL GKKKKKKKKL IsBB!! C+C  Csessionsc( tjddtjtd\}} t j|dd5}t j||dddn #1swxYwYt j|d t j |tdS#t$r( t j |n#t$rYnwxYwwxYw#t$r&}td |Yd}~dSd}~wwxYw) zAtomically persist sessions to STATE_DIR/.sessions.json (0600). Uses a temp file + os.replace() so a crash mid-write never leaves a truncated file. Mirrors the same pattern as .signing_key persistence. Tparentsexist_okz .sessions.tmpdirsuffixwr$r%NzFailed to persist sessions: %s)rmkdirtempfilemkstempr fdopenr3dumpchmodreplacer1r:unlinkOSErrorr;r<)r@fdtmpfr>s r_save_sessionsrVNsy :t4444"yIIIC 2sW555 ' (A&&& ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' HS% JsN + + + + +     #        ::: 5q999999999:sp4C!B,A0$ B,0A44B,7A482B,, C7C  C CCCCC!! D+D  Dz.login_attempts.jsonr c& trtjtd}t |t stdtji}| D]E\}}t |trt |ts0fd|D}|r|||<F|Sn2#t$r%}td|Yd}~nd}~wwxYwiS)zFLoad persisted login attempts from STATE_DIR, pruning expired entries.r$r%u/malformed login-attempts file — expected dictcg|]H}t|ttfr*t|z tk9t|ISr()rrr* _LOGIN_WINDOWr,r-r/s r z(_load_login_attempts..{sV!!c5\228;U1XX~ 7U7U!HH7U7U7Urz6Failed to load login attempts file, starting fresh: %sN)_LOGIN_ATTEMPTS_FILEr2r3r4r5rr6r7r8r9r)listr:r;r<)r=attemptsip raw_timesfreshr>r/s @r_load_login_attemptsrcosER  & & ( ( :2<s r_save_login_attemptsrfs@#))$)FFF"';'BK`aaaC 2sW555 ' (A&&& ' ' ' ' ' ' ' ' ' ' ' ' ' ' ' HS% Js0 1 1 1 1 1     #        @@@ ;Q?????????@srAC1B<B4 B<BB<B2B<< C.CC. C)&C.(C))C..C11 D!;DD!r`c$tjt|g}fd|D}|r |t|<nt|dt tt |t kS)z2Return True if the IP is allowed to attempt login.c0g|]}|z tk|Sr()rZr[s rr\z%_check_login_rate..s'???asQw'>'>'>'>'>rN)r8_login_attemptsrpoprflen_LOGIN_MAX_ATTEMPTS)r`r_r/s @r_check_login_raterms )++C""2r**H????8???H&&B%%%))) x==. ..rctj}t|g}|||t|<t tdS)N)r8rirappendrf)r`r/r_s r_record_login_attemptrpsR )++C""2r**H OOC"OB)))))rctdz } |r1|}t|dkr |ddSn*#t$rt dYnwxYwtjd} tj dd| || dn*#t$rt dYnwxYw|S) zIReturn a random signing key, generating and persisting one on first call.z .signing_key Nz>Failed to read or access signing key file, using in-memory keyTrBrIz7Failed to persist signing key, using in-memory key only) rr2 read_bytesrkr:r;r<secrets token_bytesrJ write_bytesrO)key_filerawkeys r _signing_keyrzs>)HW ??   %%''C3xx2~~3B3x WWW UVVVVVW  b ! !CPt4444S!!!u PPP NOOOOOP Js%AA$A98A9AC$C98C9ct}tjd||d}|S)aSPBKDF2-SHA256 with 600k iterations (OWASP recommendation). Salt is the persisted random signing key, which is secret and unique per installation. This keeps the stored hash format a plain hex string (no format change to settings.json) while replacing the predictable STATE_DIR-derived salt from the original implementation.sha256i' )rzhashlib pbkdf2_hmacencodehex)passwordsaltdks r_hash_passwordrs: >>D  Xx'8'8$ H HB 6688Orctjdd}|rt|St }|dpdS)zdReturn the active password hash, or None if auth is disabled. Priority: env var > settings.json.HERMES_WEBUI_PASSWORDr password_hashN)r r r rrr)env_pwsettingss rget_password_hashrsXY. 3 3 9 9 ; ;F &f%%%H << ( ( 0D0rc"tduS)z7True if a password is configured (env var or settings).N)rr(rris_auth_enabledrs   d **rcjt}|sdStjt||S)z4Verify a plaintext password against the stored hash.F)rhmaccompare_digestr)plainexpecteds rverify_passwordrs5 ""H u  ~e44h ? ??rcdtjd}tjtzt|<t tt jt| tj  dd}|d|S)z7Create a new auth session. Returns signed cookie value.rrN.) rt token_hexr8r _sessionsrVrnewrzrr}r| hexdigest)tokensigs rcreate_sessionrs  b ! !Ey{{%9%;%;;Ie9 (<>>5<<>>7> B B L L N NsPRs SC  c  rctjfdtD}|r6|D]}t|dt tdSdS)zFRemove all expired session entries to prevent unbounded memory growth.c&g|] \}}|k |Sr(r(r+s rr\z+_prune_expired_sessions..s">>>VQC#IIqIIIrN)r8rr9rjrV)expiredrr/s @r_prune_expired_sessionsrs} )++C>>>>y00>>>G" ' 'E MM% & & & &y!!!!!""rc|rd|vrdSt|dd\}}tjt |t jdd}tj ||sdSt |}|rtj |krt |ddSdS)zFVerify a signed session cookie. Returns True if valid and not expired.rFNrrT)rrsplitrrrzrr}r|rrrrr8rj) cookie_valuerr expected_sigexpirys rverify_sessionrs 3l22u$$S!,,JE38LNNELLNNGNKKUUWWX[Y[X[\L  sL 1 1u ]]5 ! !F TY[[6)) eT"""u 4rc|rZd|vrX|ddd}|tvr5t|dttdSdSdSdS)zRemove a session token.rrrN)rrrjrV)rrs rinvalidate_sessionrsw&|++##C++A. I   MM% & & & 9 % % % % % &&++  rc*|jdd}|sdStj} ||n#tjj$rYdSwxYw|t}|r|jndS)z1Extract the auth cookie from the request headers.CookierN) headersrhttpcookies SimpleCookieload CookieError COOKIE_NAMEvalue)handler cookie_headercookiemorsels r parse_cookiersO''"55M t \ & & ( (F M"""" < #tt ZZ $ $F! +6<??? BCCCCc"""( )(((((!;-# < 3 fl 2 2  0s;;J (=>>> 5rctj}||t<d|td<d|td<d|td<t t |td<t |jdd |j d d d krd|td <| d|t d S)z$Set the auth cookie on the response.ThttponlyLaxsamesiterrmax-age getpeercertNzX-Forwarded-Protorhttpssecure Set-Cookie) rrrrr)rgetattrrequestrrr OutputString)rrrs rset_auth_cookierYs \ & & ( (F&F;&*F; #&+F; #"%F;%()=)?)?%@%@F; "w t44@GODWDWXkmoDpDpt{D{D{(,{H%  f[&9&F&F&H&HIIIIIrctj}d|t<d|td<d|td<d|td<|d|td S) z&Clear the auth cookie on the response.rTrrr0rrN)rrrrrr)rrs rclear_auth_cookiergsy \ & & ( (FF;&*F; #"%F;%(F; "  f[&9&F&F&H&HIIIIIr)rN)5__doc__r}r http.cookiesrr3loggingr rtrKr8 api.configrr getLogger__name__r;rrr frozensetrrr1r6r)r*r?rVrr]rlrZr^rcrfriboolrmrprzrrrrrrrrrrrrr(rrrsW     ////////  8 $ $ c(y  --S%Z(&:T#u*-:$::::2 N   !#99 d3U #342@4T%[(8#9@d@@@@('&(( /# /$ / / / /*c*d*****13:1111+++++ @d@@@@""" D     &&&& ,S4Z , , , ,040000f J J J JJJJJJJr