backend/app/api/setup.py

"""Bootstrap endpoint — consumes the install token to create the first admin."""

from __future__ import annotations

import logging

from flask import Blueprint, jsonify, make_response, request
from pydantic import BaseModel, Field, ValidationError

from app.api._validation import Email
from sqlalchemy import select

from app.core.rate_limit import limiter
from app.db.session import session_scope
from app.models.auth import User
from app.services.bootstrap import (
    BootstrapError,
    bootstrap_admin,
    ensure_system_groups,
)

bp = Blueprint("setup", __name__, url_prefix="/setup")
log = logging.getLogger("metamorph.api.setup")


class SetupPayload(BaseModel):
    install_token: str = Field(min_length=20)
    email: Email
    password: str = Field(min_length=8)
    display_name: str | None = None


@bp.get("")
def setup_status():
    """Tell the SPA whether the bootstrap has already been done.

    Used by the front to redirect to /setup vs /login on first paint.
    """
    with session_scope() as s:
        any_user = s.scalar(select(User.id).limit(1)) is not None
    return jsonify({"completed": any_user})


@bp.post("")
@limiter.limit("5 per minute")
def setup():
    try:
        payload = SetupPayload.model_validate(request.get_json(silent=True) or {})
    except ValidationError as e:
        return jsonify({"error": "invalid_request", "details": e.errors()}), 400

    try:
        result = bootstrap_admin(
            install_token=payload.install_token,
            email=payload.email,
            password=payload.password,
            display_name=payload.display_name,
        )
    except BootstrapError as e:
        return jsonify({"error": "bootstrap_failed", "message": str(e)}), 409
    except ValueError as e:
        return jsonify({"error": "invalid_request", "message": str(e)}), 400

    log.warning(
        "metamorph.bootstrap.completed",
        extra={"user_id": str(result.user_id), "admin_group_id": str(result.admin_group_id)},
    )
    # Make sure the redteam/blueteam groups exist too (idempotent).
    ensure_system_groups()

    return make_response(
        jsonify(
            {
                "ok": True,
                "user_id": str(result.user_id),
            }
        ),
        201,
    )
feat(m2): auth, JWT, invitations, bootstrap, RTOps SPA pages Crypto + tokens - app/core/security.py: Argon2id PasswordHasher (time_cost=2, memory_cost= 64 MiB, parallelism=2) + opaque-token SHA-256 helpers (raw token shown once, only the hash lives in the DB). - app/core/jwt_tokens.py: HS256, claims iss/sub/type/jti/iat/exp. Access 1h, refresh 30d. Services - services/auth.py: login, refresh with token rotation + reuse-detection chain revoke, logout (idempotent), change_password (forces logout-all). - services/invitations.py: create, preview, accept, revoke. Default 7d TTL. - services/bootstrap.py: seeds the 3 system groups (admin/redteam/blueteam), consumes the install token, attaches the first user to admin. - core/install_token.py: mints, persists in settings, marks consumed, regenerate hook for /diag/reset. API - POST /setup (consume install token, create 1st admin) + GET /setup (status). - POST /auth/{login,refresh,logout,change-password} + GET /auth/me. - POST /invitations + GET /invitations + GET /invitations/preview/<token> + POST /invitations/accept/<token> + POST /invitations/<id>/revoke. - POST /diag/reset: test-only kill switch (truncate auth tables + mint fresh install token). Allowed in dev too (with WARNING log) so the e2e suite can run against a make-up stack; production locked out. Middleware - @require_auth populates g.current_user (snapshot dataclass, session closed before request handler runs). - @require_perm(*codes): atomic perm union check; admin group bypasses. Perm catalogue lands in M3, scaffolding here. - flask-limiter: 10/min/IP on /auth/login & /auth/refresh, 5/min on /auth/change-password & /setup, 10–20/min on invitation endpoints. Disabled in APP_ENV=test. CLI - flask --app app.cli metamorph print-install-token [--force] - flask --app app.cli metamorph seed-mitre (M4 placeholder) Refresh cookie metamorph_refresh: HttpOnly + Secure (localhost is a secure context for modern browsers) + SameSite=Strict + Path=/api/v1/auth/. Email validation: app.api._validation.Email permissive RFC-shape regex so internal TLDs (.local/.corp/.test) are accepted — pydantic.EmailStr's deliverability check is too strict for red-team labs. Frontend - lib/{api,auth}.ts: access token in module memory, refresh cookie, automatic 401-retry via /auth/refresh, useAuth() hook. - components/{Layout,RequireAuth}.tsx + ui/{TextField,Alert}.tsx. - pages/{Login,Setup,Register,Profile}. Testing - tests/test_auth_flow.py: 15 integration tests (24 backend total). - e2e/tests/m2-auth.spec.ts: 8 Playwright tests (20 e2e total). - tasks/testing-m2.md. DoD: make test-api → 24 passed, make e2e → 20 passed; spec-reviewer pass applied (Secure unconditional, refresh limit 10/min/IP). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-11 06:16:48 +02:00			`"""Bootstrap endpoint — consumes the install token to create the first admin."""`

			`from __future__ import annotations`

			`import logging`

			`from flask import Blueprint, jsonify, make_response, request`
			`from pydantic import BaseModel, Field, ValidationError`

			`from app.api._validation import Email`
			`from sqlalchemy import select`

			`from app.core.rate_limit import limiter`
			`from app.db.session import session_scope`
			`from app.models.auth import User`
			`from app.services.bootstrap import (`
			`BootstrapError,`
			`bootstrap_admin,`
			`ensure_system_groups,`
			`)`

			`bp = Blueprint("setup", __name__, url_prefix="/setup")`
			`log = logging.getLogger("metamorph.api.setup")`


			`class SetupPayload(BaseModel):`
			`install_token: str = Field(min_length=20)`
			`email: Email`
			`password: str = Field(min_length=8)`
			`display_name: str \| None = None`


			`@bp.get("")`
			`def setup_status():`
			`"""Tell the SPA whether the bootstrap has already been done.`

			`Used by the front to redirect to /setup vs /login on first paint.`
			`"""`
			`with session_scope() as s:`
			`any_user = s.scalar(select(User.id).limit(1)) is not None`
			`return jsonify({"completed": any_user})`


			`@bp.post("")`
			`@limiter.limit("5 per minute")`
			`def setup():`
			`try:`
			`payload = SetupPayload.model_validate(request.get_json(silent=True) or {})`
			`except ValidationError as e:`
			`return jsonify({"error": "invalid_request", "details": e.errors()}), 400`

			`try:`
			`result = bootstrap_admin(`
			`install_token=payload.install_token,`
			`email=payload.email,`
			`password=payload.password,`
			`display_name=payload.display_name,`
			`)`
			`except BootstrapError as e:`
			`return jsonify({"error": "bootstrap_failed", "message": str(e)}), 409`
			`except ValueError as e:`
			`return jsonify({"error": "invalid_request", "message": str(e)}), 400`

			`log.warning(`
			`"metamorph.bootstrap.completed",`
			`extra={"user_id": str(result.user_id), "admin_group_id": str(result.admin_group_id)},`
			`)`
			`# Make sure the redteam/blueteam groups exist too (idempotent).`
			`ensure_system_groups()`

			`return make_response(`
			`jsonify(`
			`{`
			`"ok": True,`
			`"user_id": str(result.user_id),`
			`}`
			`),`
			`201,`
			`)`