feat(auth): wiki/activity access flags, SESSION_DOMAIN, wiki nav link

bincio/serve/server.py

@@ -10,6 +10,7 @@ from __future__ import annotations
 
 import json
 import logging
+import os
 import re
 import secrets
 import shutil
@@ -31,6 +32,8 @@ from fastapi.responses import JSONResponse
 from bincio.serve.db import (
     User,
     authenticate,
+    count_activity_users,
+    count_wiki_users,
     create_invite,
     create_session,
     count_users,
@@ -228,8 +231,9 @@ app.add_middleware(
 
 _VALID_HANDLE = re.compile(r'^[a-z0-9][a-z0-9_-]{0,29}$')
 from bincio.edit.ops import VALID_ACTIVITY_ID as _VALID_ACTIVITY_ID
-_SESSION_COOKIE = "bincio_session"
-_COOKIE_MAX_AGE = 30 * 86400  # 30 days
+_SESSION_COOKIE  = "bincio_session"
+_COOKIE_MAX_AGE  = 30 * 86400  # 30 days
+_SESSION_DOMAIN  = os.environ.get("SESSION_DOMAIN") or None  # e.g. ".bincio.org" in production
 
 
 def _check_id(activity_id: str) -> str:
@@ -302,7 +306,7 @@ def _require_auth(
 
 
 def _set_session_cookie(response: Response, token: str) -> None:
-    response.set_cookie(
+    kwargs: dict = dict(
         key=_SESSION_COOKIE,
         value=token,
         max_age=_COOKIE_MAX_AGE,
@@ -310,6 +314,9 @@ def _set_session_cookie(response: Response, token: str) -> None:
         samesite="lax",
         secure=False,  # nginx/caddy handles TLS termination
     )
+    if _SESSION_DOMAIN:
+        kwargs["domain"] = _SESSION_DOMAIN
+    response.set_cookie(**kwargs)
 
 
 # ── Image upload constants ────────────────────────────────────────────────────
@@ -432,12 +439,14 @@ def _trigger_rebuild(handle: str) -> None:
 async def me(bincio_session: Optional[str] = Cookie(default=None)) -> JSONResponse:
     user = _current_user(bincio_session)
     if not user:
-        raise HTTPException(404, "Not authenticated")
+        raise HTTPException(401, "Not authenticated")
     store_orig = get_setting(_get_db(), "store_originals")
     return JSONResponse({
         "handle": user.handle,
         "display_name": user.display_name,
         "is_admin": user.is_admin,
+        "wiki_access": user.wiki_access,
+        "activity_access": user.activity_access,
         "store_originals_default": store_orig != "false",
         "dem_configured": bool(dem_url),
     })
@@ -786,7 +795,13 @@ async def login(
         raise HTTPException(401, "Invalid credentials")
 
     token = create_session(_get_db(), handle)
-    resp = JSONResponse({"ok": True, "handle": user.handle, "display_name": user.display_name})
+    resp = JSONResponse({
+        "ok": True,
+        "handle": user.handle,
+        "display_name": user.display_name,
+        "wiki_access": user.wiki_access,
+        "activity_access": user.activity_access,
+    })
     _set_session_cookie(resp, token)
     return resp
 
@@ -796,7 +811,10 @@ async def logout(bincio_session: Optional[str] = Cookie(default=None)) -> JSONRe
     if bincio_session:
         delete_session(_get_db(), bincio_session)
     resp = JSONResponse({"ok": True})
-    resp.delete_cookie(_SESSION_COOKIE)
+    kwargs: dict = dict(key=_SESSION_COOKIE)
+    if _SESSION_DOMAIN:
+        kwargs["domain"] = _SESSION_DOMAIN
+    resp.delete_cookie(**kwargs)
     return resp
 
 
@@ -883,13 +901,22 @@ async def register(
     if get_user(_get_db(), handle):
         raise HTTPException(409, "Handle already taken")
 
-    max_users_val = get_setting(_get_db(), "max_users")
-    if max_users_val is not None:
-        limit = int(max_users_val)
-        if limit > 0 and count_users(_get_db()) >= limit:
-            raise HTTPException(403, f"This instance has reached its user limit ({limit})")
+    db = _get_db()
+    max_wiki_val = get_setting(db, "max_wiki_users") or get_setting(db, "max_users")
+    if max_wiki_val is not None:
+        limit = int(max_wiki_val)
+        if limit > 0 and count_wiki_users(db) >= limit:
+            raise HTTPException(403, f"This instance has reached its wiki user limit ({limit})")
 
-    create_user(_get_db(), handle, display, password, is_admin=False)
+    if invite.grants_activity:
+        max_act_val = get_setting(db, "max_activity_users")
+        if max_act_val is not None:
+            limit = int(max_act_val)
+            if limit > 0 and count_activity_users(db) >= limit:
+                raise HTTPException(403, f"This instance has reached its activity user limit ({limit})")
+
+    create_user(_get_db(), handle, display, password, is_admin=False,
+                wiki_access=True, activity_access=invite.grants_activity)
     use_invite(_get_db(), code, handle)
 
     # Create per-user directories
@@ -930,17 +957,25 @@ async def get_invites(bincio_session: Optional[str] = Cookie(default=None)) -> J
         "used_by": i.used_by,
         "created_at": i.created_at,
         "used_at": i.used_at,
+        "grants_activity": i.grants_activity,
     } for i in invites])
 
 
+class CreateInviteRequest(BaseModel):
+    grants_activity: bool = Field(default=False)
+
+
 @app.post("/api/invites")
-async def post_invite(bincio_session: Optional[str] = Cookie(default=None)) -> JSONResponse:
+async def post_invite(
+    body: CreateInviteRequest = CreateInviteRequest(),
+    bincio_session: Optional[str] = Cookie(default=None),
+) -> JSONResponse:
     user = _require_user(bincio_session)
     try:
-        code = create_invite(_get_db(), user.handle)
+        code = create_invite(_get_db(), user.handle, grants_activity=body.grants_activity)
     except ValueError as e:
         raise HTTPException(400, str(e))
-    return JSONResponse({"ok": True, "code": code})
+    return JSONResponse({"ok": True, "code": code, "grants_activity": body.grants_activity})
 
 
 # ── Admin ─────────────────────────────────────────────────────────────────────