Add Authentik OIDC login
Same Authlib-based pattern as v1: SessionMiddleware + core/auth.py (login/callback/logout + require_login dependency), gating "/", /asr/* and /tts/* behind Authentik (application slug "asr-v2", provider pk 14). The websocket route can't use a FastAPI dependency (no Request in its scope) so it's split into its own router and checks websocket.session manually before accept(). v2 has no public domain yet, so the redirect_uri points at the internal 172.30.1.41:18101 address over plain http — hence https_only=False on the session cookie. Client id/secret and the session secret live in /srv/asr/env/asr.env under ASR_V2_-prefixed names (that env file is shared with v1, which already owns the unprefixed OIDC_* names). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -24,6 +24,7 @@ from asr.config import (
|
||||
)
|
||||
|
||||
router = APIRouter()
|
||||
ws_router = APIRouter()
|
||||
|
||||
BACKENDS = {
|
||||
"faster-whisper": FASTER_WHISPER_URL,
|
||||
@@ -267,8 +268,11 @@ async def _send_chunk(wav_bytes: bytes, *, model: str, language: str, beam_size:
|
||||
return resp.json()
|
||||
|
||||
|
||||
@router.websocket("/ws/realtime")
|
||||
@ws_router.websocket("/ws/realtime")
|
||||
async def realtime_ws(websocket: WebSocket) -> None:
|
||||
if not websocket.session.get("user"):
|
||||
await websocket.close(code=4401)
|
||||
return
|
||||
await websocket.accept()
|
||||
|
||||
audio_buf = bytearray()
|
||||
|
||||
Reference in New Issue
Block a user