Add Authentik OIDC login

Same Authlib-based pattern as v1: SessionMiddleware + core/auth.py
(login/callback/logout + require_login dependency), gating "/",
/asr/* and /tts/* behind Authentik (application slug "asr-v2",
provider pk 14). The websocket route can't use a FastAPI dependency
(no Request in its scope) so it's split into its own router and
checks websocket.session manually before accept().

v2 has no public domain yet, so the redirect_uri points at the
internal 172.30.1.41:18101 address over plain http — hence
https_only=False on the session cookie. Client id/secret and the
session secret live in /srv/asr/env/asr.env under ASR_V2_-prefixed
names (that env file is shared with v1, which already owns the
unprefixed OIDC_* names).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
du5t
2026-06-18 13:44:20 +09:00
parent cabbdac39b
commit 6b9a9cce8f
6 changed files with 99 additions and 7 deletions

View File

@@ -8,6 +8,8 @@ body {
.wrap { max-width: 1100px; margin: 0 auto; padding: 24px; }
.page-header { margin-bottom: 8px; }
.page-header h1 { margin: 0 0 4px; }
.header-row { display: flex; align-items: center; justify-content: space-between; gap: 12px; }
.logout-link { text-decoration: none; flex-shrink: 0; display: inline-block; }
.muted { color: #aab3cf; margin: 0; }
.small { font-size: 0.87em; }
.mono { font-family: monospace; }

View File

@@ -9,8 +9,13 @@
<body>
<main class="wrap">
<header class="page-header">
<h1>ASR · TTS 콘솔</h1>
<p class="muted">음성 인식(ASR)과 음성 합성(TTS)을 한 곳에서</p>
<div class="header-row">
<div>
<h1>ASR · TTS 콘솔</h1>
<p class="muted">음성 인식(ASR)과 음성 합성(TTS)을 한 곳에서</p>
</div>
<a href="/auth/logout" class="btn-secondary logout-link" title="로그아웃">로그아웃</a>
</div>
</header>
<div class="tab-group tab-group--top">