Deprecate configured node_username/node_password and annotate `di…

…sable_auth` config Use `disable_auth` config to skip MQ Users service connection
NeonGeckoCom · Nov 5, 2024 · a36c85d · a36c85d
1 parent e38af4c
commit a36c85d
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -25,12 +25,10 @@ hana:
   jwt_issuer: neon.ai  # Used in the `iss` field of generated JWT tokens.
   fastapi_title: "My HANA API Host"
   fastapi_summary: "Personal HTTP API to access my DIANA backend."
-  disable_auth: True
+  disable_auth: True  # If true, no authentication will be attempted; all connections will be allowed
   stt_max_length_encoded: 500000  # Arbitrary limit that is larger than any expected voice command
   tts_max_words: 128  # Arbitrary limit that is longer than any default LLM token limit
   enable_email: True  # Disabled by default; anyone with access to the API will be able to send emails from the configured address
-  node_username: node_user  # Username to authenticate Node API access; leave empty to disable Node API access
-  node_password: node_password  # Password associated with node_username
   max_streaming_clients: -1  # Maximum audio streaming clients allowed (including 0). Default unset value allows infinite clients
 ```
 It is recommended to generate unique values for configured tokens, these are 32

diff --git a/neon_hana/auth/client_manager.py b/neon_hana/auth/client_manager.py
@@ -70,13 +70,13 @@ def __init__(self, config: dict,
         self._rpm = config.get("requests_per_minute", 60)
         self._auth_rpm = config.get("auth_requests_per_minute", 6)
         self._disable_auth = config.get("disable_auth")
-        self._node_username = config.get("node_username")
-        self._node_password = config.get("node_password")
         self._max_streaming_clients = config.get("max_streaming_clients")
         self._jwt_algo = "HS256"
         self._connected_streams = 0
         self._stream_check_lock = Lock()
-        self._mq_connector = mq_connector
+        # If authentication is explicitly disabled, don't try to query the
+        # users service
+        self._mq_connector = None if self._disable_auth else mq_connector
 
     @property
     def authorized_clients(self) -> Dict[str, AuthenticationResponse]:
@@ -205,11 +205,15 @@ def check_auth_request(self, client_id: str, username: str,
                                        f"{origin_ip}. Wait {wait_time}s.")
 
         if self._mq_connector is None:
-            user = User(username=username, password_hash=password)
-        elif all((self._node_username, username == self._node_username,
-                  password == self._node_password)):
-            user = User(username=username, password_hash=password)
-            user.permissions.node = AccessRoles.USER
+            # Auth is disabled; every auth request gets a successful response
+            user = User(username=username, password_hash=password,
+                        permissions=_DEFAULT_USER_PERMISSIONS)
+        # elif all((self._node_username, username == self._node_username,
+        #           password == self._node_password)):
+        #     # User matches configured node username/password
+        #     user = User(username=username, password_hash=password,
+        #                 permissions=_DEFAULT_USER_PERMISSIONS)
+        #     user.permissions.node = AccessRoles.USER
         else:
             user = self._mq_connector.get_user_profile(username, password)