feat: Implement external generation import API secured by HMAC-SHA256 signature verification.

2026-02-10 14:06:37 +03:00
parent 00e83b8561
commit a7c2319f13
9 changed files with 313 additions and 15 deletions
--- a/api/endpoints/generation_router.py
+++ b/api/endpoints/generation_router.py
@@ -1,6 +1,6 @@
 from typing import List, Optional

-from fastapi import APIRouter, UploadFile, File, Form
+from fastapi import APIRouter, UploadFile, File, Form, Header, HTTPException
 from fastapi.params import Depends
 from starlette.requests import Request

@@ -20,13 +20,14 @@ logger = logging.getLogger(__name__)

 from api.endpoints.auth import get_current_user

-router = APIRouter(prefix='/api/generations', tags=["Generation"], dependencies=[Depends(get_current_user)])
+router = APIRouter(prefix='/api/generations', tags=["Generation"])


@router.post("/prompt-assistant", response_model=PromptResponse)
 async def ask_prompt_assistant(prompt_request: PromptRequest, request: Request,
                               generation_service: GenerationService = Depends(
-                                   get_generation_service)) -> PromptResponse:
+                                   get_generation_service),
+                               current_user: dict = Depends(get_current_user)) -> PromptResponse:
    logger.info(f"ask_prompt_assistant called with prompt length: {len(prompt_request.prompt)}. Linked assets: {len(prompt_request.linked_assets) if prompt_request.linked_assets else 0}")
    generated_prompt = await generation_service.ask_prompt_assistant(prompt_request.prompt, prompt_request.linked_assets)
    return PromptResponse(prompt=generated_prompt)
@@ -36,7 +37,8 @@ async def ask_prompt_assistant(prompt_request: PromptRequest, request: Request,
 async def prompt_from_image(
        prompt: Optional[str] = Form(None),
        images: List[UploadFile] = File(...),
-        generation_service: GenerationService = Depends(get_generation_service)
+        generation_service: GenerationService = Depends(get_generation_service),
+        current_user: dict = Depends(get_current_user)
 ) -> PromptResponse:
    logger.info(f"prompt_from_image called. Images count: {len(images)}. Prompt provided: {bool(prompt)}")
    images_bytes = []
@@ -111,8 +113,59 @@ async def get_running_generations(request: Request,
    return await generation_service.get_running_generations(user_id=user_id_filter, project_id=project_id)


-@router.delete("/{generation_id}", status_code=status.HTTP_204_NO_CONTENT, dependencies=[Depends(get_current_user)])
-async def delete_generation(generation_id: str, generation_service: GenerationService = Depends(get_generation_service)):
+
+
+@router.post("/import", response_model=GenerationResponse)
+async def import_external_generation(
+    request: Request,
+    generation_service: GenerationService = Depends(get_generation_service),
+    x_signature: str = Header(..., alias="X-Signature")
+) -> GenerationResponse:
+    """
+    Import a generation from an external source.
+    Requires server-to-server authentication via HMAC signature.
+    """
+    import os
+    from utils.external_auth import verify_signature
+    from api.models.ExternalGenerationDTO import ExternalGenerationRequest
+    
+    logger.info("import_external_generation called")
+    
+    # Get raw request body for signature verification
+    body = await request.body()
+    
+    # Verify signature
+    secret = os.getenv("EXTERNAL_API_SECRET")
+    if not secret:
+        logger.error("EXTERNAL_API_SECRET not configured")
+        raise HTTPException(status_code=500, detail="Server configuration error")
+    
+    if not verify_signature(body, x_signature, secret):
+        logger.warning("Invalid signature for external generation import")
+        raise HTTPException(status_code=401, detail="Invalid signature")
+    
+    # Parse request body
+    import json
+    try:
+        data = json.loads(body.decode('utf-8'))
+        external_gen = ExternalGenerationRequest(**data)
+    except Exception as e:
+        logger.error(f"Failed to parse request body: {e}")
+        raise HTTPException(status_code=400, detail=f"Invalid request body: {str(e)}")
+    
+    # Import generation
+    try:
+        generation = await generation_service.import_external_generation(external_gen)
+        return GenerationResponse(**generation.model_dump())
+    except Exception as e:
+        logger.error(f"Failed to import external generation: {e}")
+        raise HTTPException(status_code=500, detail=f"Import failed: {str(e)}")
+
+
+@router.delete("/{generation_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_generation(generation_id: str, 
+                           generation_service: GenerationService = Depends(get_generation_service),
+                           current_user: dict = Depends(get_current_user)):
    logger.info(f"delete_generation called for ID: {generation_id}")
    deleted = await generation_service.delete_generation(generation_id)
    if not deleted: