From 401bea892704de599657d67d5509a6f05e3ceb91 Mon Sep 17 00:00:00 2001 From: dario Date: Mon, 18 May 2026 20:32:12 +0200 Subject: [PATCH 01/25] app: add cat language --- app/src/i18n/ui.ts | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/app/src/i18n/ui.ts b/app/src/i18n/ui.ts index 3398564..9947211 100644 --- a/app/src/i18n/ui.ts +++ b/app/src/i18n/ui.ts @@ -96,4 +96,31 @@ export const ui = { "chat.dooris": "dOwOris", "chat.user": "my fren :3", }, -} as const \ No newline at end of file + meow: { + "dooris": "meoowris 🐈️ (DOORIS)", + "unauthorized.title": "rawwwwr" πŸ˜Ύβ›”οΈ", + "unauthorized.description": `meow mreoow: 🌐 meow`, + "unauthenticated.title": "meow? 🫴🐈️", + "unauthenticated.description": `meow mreoow: 🌐 meow`, + "state.unlocked": "mrrp πŸ±πŸ”“οΈ", + "state.locked": "mreoww πŸ±πŸ”’οΈ", + "state.unknown": "meoooow????? πŸ™€", + "state.unlocking": "meeeow πŸ˜ΊπŸ”πŸ”“οΈ", + "state.locking": "mreowww πŸ˜ΏπŸ”πŸ”’οΈ", + "lock.batteryLow": "mrrrrrp flop πŸͺ«", + "lock.unreachable": "meooww?? πŸ™€πŸš«β“οΈπŸšͺ", + "lock.jammed": "mew πŸšͺπŸ”πŸš«", + "button.open": "🐈️ πŸ‘‰πŸ‘ˆπŸ”“οΈ", + "button.close": "🐈️ πŸ”’οΈ", + "login": "meow? 🫴🐈️", + "loggedOut.title": "mew mew 😿", + "loggedOut.description": `meow πŸ±βŒ›οΈ`, + "serverError.title": "πŸ–₯️⛓️‍πŸ’₯", + "serverError.description": `mew mew ⌚️`, + "networkError.title": "meww πŸ›œπŸš«", + "networkError.description": `πŸ›œπŸ˜Ί`, + "loadingDoors": 'πŸ”', + "chat.dooris": "meoowris", + "chat.user": "😻", + }, +} as const From d46d8667059d05e2dacdc0e55cc93553747fba5c Mon Sep 17 00:00:00 2001 From: dario Date: Mon, 18 May 2026 20:38:37 +0200 Subject: [PATCH 02/25] app: fix syntax error in cat language --- app/src/i18n/ui.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/src/i18n/ui.ts b/app/src/i18n/ui.ts index 9947211..fc03078 100644 --- a/app/src/i18n/ui.ts +++ b/app/src/i18n/ui.ts @@ -98,7 +98,7 @@ export const ui = { }, meow: { "dooris": "meoowris 🐈️ (DOORIS)", - "unauthorized.title": "rawwwwr" πŸ˜Ύβ›”οΈ", + "unauthorized.title": "rawwwwr πŸ˜Ύβ›”οΈ", "unauthorized.description": `meow mreoow: 🌐 meow`, "unauthenticated.title": "meow? 🫴🐈️", "unauthenticated.description": `meow mreoow: 🌐 meow`, From 1a50d67df68e62b3b018aeddd4980a4dc839137b Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 09:34:51 +0200 Subject: [PATCH 03/25] api: implement abstraction for connecting to CCUJACK MQTT broker --- api/pyproject.toml | 1 + api/src/dooris_api/mqtt_client.py | 92 +++++++++++++++++++++++++++++++ api/uv.lock | 11 ++++ 3 files changed, 104 insertions(+) create mode 100644 api/src/dooris_api/mqtt_client.py diff --git a/api/pyproject.toml b/api/pyproject.toml index 1b0cc5f..4e42dd1 100644 --- a/api/pyproject.toml +++ b/api/pyproject.toml @@ -6,6 +6,7 @@ requires-python = ">=3.12" dependencies = [ "aiohttp>=3.13.5", "fastapi>=0.136.1", + "paho-mqtt>=2.1.0", "simple-openid-connect>=2.4.0", "uvicorn>=0.46.0", ] diff --git a/api/src/dooris_api/mqtt_client.py b/api/src/dooris_api/mqtt_client.py new file mode 100644 index 0000000..f7cb22b --- /dev/null +++ b/api/src/dooris_api/mqtt_client.py @@ -0,0 +1,92 @@ +# +# This whole implementation is adapted from the upstream GitHub example +# https://github.com/eclipse-paho/paho.mqtt.python/blob/master/examples/loop_asyncio.py +# + +from typing import Any +import logging +import asyncio +import socket + +import paho.mqtt.client as mqtt + + +logger = logging.getLogger(__name__) + + +class AsyncLooper: + """ + Helper class to implement loopgin with asyncio for the underlying mqtt IO + """ + + def __init__(self, loop: asyncio.AbstractEventLoop, client: mqtt.Client): + self.loop = loop + + self.client = client + self.client.on_socket_open = self.on_socket_open + self.client.on_socket_close = self.on_socket_close + self.client.on_socket_register_write = self.on_socket_register_write + self.client.on_socket_unregister_write = self.on_socket_unregister_write + + def on_socket_open(self, client, userdata, sock): + def cb(): + client.loop_read() + + self.loop.add_reader(sock, cb) + self.task_misc = self.loop.create_task(self.misc_loop()) + + def on_socket_close(self, client, userdata, sock): + self.loop.remove_reader(sock) + self.task_misc.cancel() + + def on_socket_register_write(self, client, userdata, sock): + def cb(): + client.loop_write() + + self.loop.add_writer(sock, cb) + + def on_socket_unregister_write(self, client, userdata, sock): + self.loop.remove_writer(sock) + + async def misc_loop(self): + while self.client.loop_misc() == mqtt.MQTT_ERR_SUCCESS: + try: + await asyncio.sleep(1) + except asyncio.CancelledError: + break + + +class AsyncMqttClient: + loop: asyncio.AbstractEventLoop + + def __init__(self, connection_string: str, username: str, password: str): + self.connection_string = connection_string + self.client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2, client_id="dooris") + self.client.username = username + self.client.password = password + self.client.on_connect = self.on_connect + self.client.on_message = self.on_message + self.client.on_disconnect = self.on_disconnect + + def on_connect(self, client: mqtt.Client, userdata: Any, flags: mqtt.ConnectFlags, reason_code, properties: mqtt.Properties): + logger.debug(f"mqtt client connected with message '{reason_code}'") + + def on_disconnect(self, client: mqtt.Client, userdata: Any, flags: mqtt.DisconnectFlags, reason_code, properties: mqtt.Properties): + logger.debug("mqtt client disconnected") + print("flags", type(flags), flags) + print("reason_code", type(reason_code), reason_code) + print("properties", type(properties), properties) + + def on_message(self, client: mqtt.Client, userdata: Any, msg): + logger.debug("mqtt client got message") + print("msg", type(msg), msg) + + async def connect(self): + server_host, server_port = self.connection_string.rsplit(":", maxsplit=1) + + looper = AsyncLooper(asyncio.get_running_loop(), self.client) + + logger.info("Connecting to mqtt server at %s:%s", server_host, server_port) + self.client.connect(server_host, int(server_port)) + self.client.socket().setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 2048) + diff --git a/api/uv.lock b/api/uv.lock index 9e7f71a..6b6a649 100644 --- a/api/uv.lock +++ b/api/uv.lock @@ -400,6 +400,7 @@ source = { editable = "." } dependencies = [ { name = "aiohttp" }, { name = "fastapi" }, + { name = "paho-mqtt" }, { name = "simple-openid-connect" }, { name = "uvicorn" }, ] @@ -413,6 +414,7 @@ dev = [ requires-dist = [ { name = "aiohttp", specifier = ">=3.13.5" }, { name = "fastapi", specifier = ">=0.136.1" }, + { name = "paho-mqtt", specifier = ">=2.1.0" }, { name = "simple-openid-connect", specifier = ">=2.4.0" }, { name = "uvicorn", specifier = ">=0.46.0" }, ] @@ -734,6 +736,15 @@ wheels = [ { url = "https://files.pythonhosted.org/packages/b2/6c/d8a02ffb24876b5f51fbd781f479fc6525a518553a4196bd0433dae9ff8e/orderedmultidict-1.0.2-py2.py3-none-any.whl", hash = "sha256:ab5044c1dca4226ae4c28524cfc5cc4c939f0b49e978efa46a6ad6468049f79b", size = 11897, upload-time = "2025-11-18T08:00:41.44Z" }, ] +[[package]] +name = "paho-mqtt" +version = "2.1.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/39/15/0a6214e76d4d32e7f663b109cf71fb22561c2be0f701d67f93950cd40542/paho_mqtt-2.1.0.tar.gz", hash = "sha256:12d6e7511d4137555a3f6ea167ae846af2c7357b10bc6fa4f7c3968fc1723834", size = 148848, upload-time = "2024-04-29T19:52:55.591Z" } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c4/cb/00451c3cf31790287768bb12c6bec834f5d292eaf3022afc88e14b8afc94/paho_mqtt-2.1.0-py3-none-any.whl", hash = "sha256:6db9ba9b34ed5bc6b6e3812718c7e06e2fd7444540df2455d2c51bd58808feee", size = 67219, upload-time = "2024-04-29T19:52:48.345Z" }, +] + [[package]] name = "parso" version = "0.8.7" From 0331dd6406f9e6f06d1fcb741e89fdc2862a3f70 Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 09:34:51 +0200 Subject: [PATCH 04/25] api: connect to CCUJACK MQTT broker on startup --- api/src/dooris_api/__init__.py | 6 ++++++ api/src/dooris_api/app.py | 5 ++++- api/src/dooris_api/ccujack.py | 8 +++++++- 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/api/src/dooris_api/__init__.py b/api/src/dooris_api/__init__.py index cd488a6..8ee8809 100644 --- a/api/src/dooris_api/__init__.py +++ b/api/src/dooris_api/__init__.py @@ -52,6 +52,12 @@ def main(): default=os.environ.get("DOORIS_CCUJACK_URL", "https://hmdooris-ccu.ccchh.net:2122"), help="The URL under which a CCUJACK instance is hosted that actually operates the locks", ) + argp.add_argument( + "--ccujack-mqtt", + required=False, + default=os.environ.get("DOORIS_CCUJACK_MQTT", "hmdooris-ccu.ccchh.net:1883"), + help="The $HOSTNAME:$PORT of the CCUJack embedded MQTT server", + ) argp.add_argument( "--ccujack-user", required="DOORIS_CCUJACK_USER" not in os.environ, diff --git a/api/src/dooris_api/app.py b/api/src/dooris_api/app.py index 3bcd848..3b53d35 100644 --- a/api/src/dooris_api/app.py +++ b/api/src/dooris_api/app.py @@ -36,11 +36,14 @@ async def lifespan(app: FastAPI): scope=app_cfg.openid_scope, ) + # TODO: regularly re-query CCUJACK to discover new locks app.extra["ccujack"] = CCUJackClient( base_uri=app_cfg.ccujack_url, - auth=BasicAuth(app_cfg.ccujack_user, app_cfg.ccujack_password) + auth=BasicAuth(app_cfg.ccujack_user, app_cfg.ccujack_password), + mqtt_conn=app_cfg.ccujack_mqtt, ) await app.extra["ccujack"].find_locks() + await app.extra["ccujack"].connect_mqtt() yield diff --git a/api/src/dooris_api/ccujack.py b/api/src/dooris_api/ccujack.py index 5d5eca0..78c9e00 100644 --- a/api/src/dooris_api/ccujack.py +++ b/api/src/dooris_api/ccujack.py @@ -4,6 +4,8 @@ import logging import asyncio from pydantic import BaseModel, Field +from dooris_api.mqtt_client import AsyncMqttClient + logger = logging.getLogger(__name__) @@ -69,7 +71,7 @@ class CCUJackClient: base_uri: str locks: LockData - def __init__(self, base_uri: str, auth: BasicAuth): + def __init__(self, base_uri: str, auth: BasicAuth, mqtt_conn: str): self.http = ClientSession( base_url=base_uri, auth=auth, @@ -77,6 +79,10 @@ class CCUJackClient: connector=TCPConnector(ssl=False), ) self.locks = None + self.mqtt = AsyncMqttClient(mqtt_conn, auth.login, auth.password) + + async def connect_mqtt(self): + await self.mqtt.connect() async def find_locks(self): logger.debug("Inspecting lock devices present in CCUJack") From 44d484cfc196058bca136efbd38d874fba094327 Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 13:09:00 +0200 Subject: [PATCH 05/25] api: use proper connection shutdown for downstream services --- api/src/dooris_api/app.py | 13 ++--- api/src/dooris_api/ccujack.py | 16 ++++++ api/src/dooris_api/mqtt_client.py | 83 +++++++++++++++++++++++++------ 3 files changed, 92 insertions(+), 20 deletions(-) diff --git a/api/src/dooris_api/app.py b/api/src/dooris_api/app.py index 3b53d35..32d626d 100644 --- a/api/src/dooris_api/app.py +++ b/api/src/dooris_api/app.py @@ -2,7 +2,6 @@ from typing import Optional, List import logging import secrets import sys -import os from datetime import datetime, UTC from fastapi import FastAPI, Request, Response, status from fastapi.responses import RedirectResponse @@ -42,11 +41,13 @@ async def lifespan(app: FastAPI): auth=BasicAuth(app_cfg.ccujack_user, app_cfg.ccujack_password), mqtt_conn=app_cfg.ccujack_mqtt, ) - await app.extra["ccujack"].find_locks() await app.extra["ccujack"].connect_mqtt() + await app.extra["ccujack"].find_locks() yield + await app.extra["ccujack"].close_connections() + app = FastAPI( title="Dooris", @@ -71,9 +72,7 @@ async def get_user_info( ) -> models.UserStatus: return models.UserStatus( is_authorized=current_user.may_operate_locks, - guaranteed_session_until=datetime.fromtimestamp( - current_user.id_token.exp, UTC - ), + guaranteed_session_until=datetime.fromtimestamp(current_user.id_token.exp, UTC), username=current_user.id_token.preferred_username, ccchh_roles=current_user.ccchh_roles, ) @@ -122,7 +121,9 @@ async def login_init( response_class=RedirectResponse, status_code=302, ) -async def login_callback(req: Request, resp: Response, oidc_client: deps.OpenidClient) -> str: +async def login_callback( + req: Request, resp: Response, oidc_client: deps.OpenidClient +) -> str: # check that the user is currently in an authenticating state # these cookies are set by the login_init() view if ( diff --git a/api/src/dooris_api/ccujack.py b/api/src/dooris_api/ccujack.py index 78c9e00..ed1e038 100644 --- a/api/src/dooris_api/ccujack.py +++ b/api/src/dooris_api/ccujack.py @@ -84,8 +84,16 @@ class CCUJackClient: async def connect_mqtt(self): await self.mqtt.connect() + async def close_connections(self): + await asyncio.gather( + self.mqtt.disconnect(), + self.http.close() + ) + async def find_locks(self): logger.debug("Inspecting lock devices present in CCUJack") + + # iterate through the CCUJACK API to find all devices async with self.http.get("/device") as resp: devices = CCUDeviceList.model_validate(await resp.json()) @@ -99,6 +107,14 @@ class CCUJackClient: self.locks = [i for i in device_infos if i[0].type == DEVICE_TYPE_LOCK] + # update active mqtt subscriptions + mqtt_topics = set() + for i_lock, lock_channels in self.locks: + for i_channel, channel_params in lock_channels: + for i_param in channel_params: + mqtt_topics.add(f"device/status/{i_lock.address}/{i_channel.index}/{i_param.id}") + # await self.mqtt.update_subscriptions(mqtt_topics) + async def query_param_value(self, address: str): logger.debug("Querying parameter value from '%s'", address) async with self.http.get(f"/device/{address}/~pv") as resp: diff --git a/api/src/dooris_api/mqtt_client.py b/api/src/dooris_api/mqtt_client.py index f7cb22b..3f6de6f 100644 --- a/api/src/dooris_api/mqtt_client.py +++ b/api/src/dooris_api/mqtt_client.py @@ -1,9 +1,9 @@ # # This whole implementation is adapted from the upstream GitHub example # https://github.com/eclipse-paho/paho.mqtt.python/blob/master/examples/loop_asyncio.py -# +# -from typing import Any +from typing import Any, List, Set, Iterable import logging import asyncio import socket @@ -16,7 +16,7 @@ logger = logging.getLogger(__name__) class AsyncLooper: """ - Helper class to implement loopgin with asyncio for the underlying mqtt IO + Helper class to implement loopgin with asyncio for the underlying mqtt IO """ def __init__(self, loop: asyncio.AbstractEventLoop, client: mqtt.Client): @@ -58,9 +58,14 @@ class AsyncLooper: class AsyncMqttClient: loop: asyncio.AbstractEventLoop - + connection_string: str + looper: AsyncLooper + client: mqtt.Client + active_subscriptions: Set[str] + def __init__(self, connection_string: str, username: str, password: str): self.connection_string = connection_string + self.active_subscriptions = set() self.client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2, client_id="dooris") self.client.username = username self.client.password = password @@ -68,25 +73,75 @@ class AsyncMqttClient: self.client.on_message = self.on_message self.client.on_disconnect = self.on_disconnect - def on_connect(self, client: mqtt.Client, userdata: Any, flags: mqtt.ConnectFlags, reason_code, properties: mqtt.Properties): + def on_connect( + self, + client: mqtt.Client, + userdata: Any, + flags: mqtt.ConnectFlags, + reason_code, + properties: mqtt.Properties, + ): logger.debug(f"mqtt client connected with message '{reason_code}'") + self.fut_connected.set_result(None) - def on_disconnect(self, client: mqtt.Client, userdata: Any, flags: mqtt.DisconnectFlags, reason_code, properties: mqtt.Properties): - logger.debug("mqtt client disconnected") - print("flags", type(flags), flags) - print("reason_code", type(reason_code), reason_code) - print("properties", type(properties), properties) + def on_disconnect( + self, + client: mqtt.Client, + userdata: Any, + flags: mqtt.DisconnectFlags, + reason_code, + properties: mqtt.Properties, + ): + logger.debug(f"mqtt client disconnected with message '{reason_code}'") + if self.fut_disconnect: + self.fut_disconnect.set_result(None) - def on_message(self, client: mqtt.Client, userdata: Any, msg): + def on_message(self, client: mqtt.Client, userdata: Any, msg: mqtt.MQTTMessage): logger.debug("mqtt client got message") print("msg", type(msg), msg) + def on_subscribe(self, client, userdata, mid, reason_code, properties): + logger.debug(f"mqtt client subscribed to topics with message '{reason_code}'") + self.fut_subscribe.set_result(None) + + def on_unsubscribe(self, client, userdata, mid, reason_code, properties): + logger.debug(f"mqtt client unsubscribed from topics with message '{reason_code}'") + self.fut_unsubscribe.set_result(None) + + async def update_subscriptions(self, topics: Iterable[str]): + """ + Update MQTT subscriptions so that the client is subscribed to exactly the given list of topics + """ + + to_add = topics.difference(self.active_subscriptions) + if to_add: + logger.info(f"mqtt client subscribing to topics {', '.join(to_add)}") + qos = 2 + self.fut_subscribe = asyncio.get_running_loop().create_future() + self.client.subscribe([(i, qos) for i in to_add]) + await self.fut_subscribe + + to_remove = self.active_subscriptions.difference(topics) + if to_remove: + logger.info(f"mqtt client unsubscribing from topics {','.join(to_remove)}") + self.fut_unsubscribe = asyncio.get_running_loop().create_future() + self.client.unsubscribe(list(to_remove)) + await self.fut_unsubscribe + async def connect(self): server_host, server_port = self.connection_string.rsplit(":", maxsplit=1) - - looper = AsyncLooper(asyncio.get_running_loop(), self.client) + + self.looper = AsyncLooper(asyncio.get_running_loop(), self.client) logger.info("Connecting to mqtt server at %s:%s", server_host, server_port) + self.fut_connected = asyncio.get_running_loop().create_future() self.client.connect(server_host, int(server_port)) - self.client.socket().setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 2048) + self.client.socket().setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 2048) + await self.fut_connected + + async def disconnect(self): + logger.info("Disconnecting mqtt client from broker") + self.fut_disconnect = asyncio.get_running_loop().create_future() + self.client.disconnect() + await self.fut_disconnect From 4103c0ca5f6c12518bbd8efb43eb975e508de837 Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 14:10:47 +0200 Subject: [PATCH 06/25] api: process mqtt messages to keep a current local lock state --- api/src/dooris_api/ccujack.py | 44 ++++++++++++++++++++++++------- api/src/dooris_api/mqtt_client.py | 24 ++++++++++++----- 2 files changed, 53 insertions(+), 15 deletions(-) diff --git a/api/src/dooris_api/ccujack.py b/api/src/dooris_api/ccujack.py index ed1e038..112fbc1 100644 --- a/api/src/dooris_api/ccujack.py +++ b/api/src/dooris_api/ccujack.py @@ -1,4 +1,4 @@ -from typing import List, Tuple, Optional, Any +from typing import List, Tuple, Optional, Any, Dict from aiohttp import ClientSession, BasicAuth, TCPConnector import logging import asyncio @@ -70,6 +70,8 @@ LockData = List[Tuple[CCUDeviceInfo, List[Tuple[CCUChannelInfo, List[CCUParamInf class CCUJackClient: base_uri: str locks: LockData + param_values: Dict[str, Any] + task_process_messages: asyncio.Task def __init__(self, base_uri: str, auth: BasicAuth, mqtt_conn: str): self.http = ClientSession( @@ -78,17 +80,21 @@ class CCUJackClient: raise_for_status=True, connector=TCPConnector(ssl=False), ) - self.locks = None self.mqtt = AsyncMqttClient(mqtt_conn, auth.login, auth.password) + self.locks = None + self.param_values = dict() + self.task_process_messages = None async def connect_mqtt(self): await self.mqtt.connect() + self.task_process_messages = asyncio.get_running_loop().create_task( + self.process_mqt_messages(), name="process-mqtt-messages" + ) async def close_connections(self): - await asyncio.gather( - self.mqtt.disconnect(), - self.http.close() - ) + await asyncio.gather(self.mqtt.disconnect(), self.http.close()) + self.task_process_messages.cancel() + self.task_process_messages = None async def find_locks(self): logger.debug("Inspecting lock devices present in CCUJack") @@ -112,10 +118,30 @@ class CCUJackClient: for i_lock, lock_channels in self.locks: for i_channel, channel_params in lock_channels: for i_param in channel_params: - mqtt_topics.add(f"device/status/{i_lock.address}/{i_channel.index}/{i_param.id}") - # await self.mqtt.update_subscriptions(mqtt_topics) + mqtt_topics.add( + f"device/status/{i_lock.address}/{i_channel.index}/{i_param.id}" + ) + await self.mqtt.update_subscriptions(mqtt_topics) + + async def process_mqt_messages(self): + while True: + try: + msg = await self.mqtt.messages.get() + + param_name = msg.topic.removeprefix("device/status/") + param_value = CCUValue.model_validate_json(msg.payload) + logger.debug( + f"Got new value from MQTT for parameter {param_name}: {param_value}" + ) + self.param_values[param_name] = param_value + + except Exception as e: + logger.exception(f"could not process incoming mqtt message: {e}") + + async def query_param_value(self, address: str) -> CCUValue: + if address in self.param_values: + return self.param_values[address] - async def query_param_value(self, address: str): logger.debug("Querying parameter value from '%s'", address) async with self.http.get(f"/device/{address}/~pv") as resp: return CCUValue.model_validate(await resp.json()) diff --git a/api/src/dooris_api/mqtt_client.py b/api/src/dooris_api/mqtt_client.py index 3f6de6f..1548e66 100644 --- a/api/src/dooris_api/mqtt_client.py +++ b/api/src/dooris_api/mqtt_client.py @@ -62,16 +62,22 @@ class AsyncMqttClient: looper: AsyncLooper client: mqtt.Client active_subscriptions: Set[str] + messages: asyncio.Queue def __init__(self, connection_string: str, username: str, password: str): self.connection_string = connection_string self.active_subscriptions = set() + self.messages = asyncio.Queue() self.client = mqtt.Client(mqtt.CallbackAPIVersion.VERSION2, client_id="dooris") self.client.username = username self.client.password = password self.client.on_connect = self.on_connect + self.client.on_connect_fail = self.on_connect_fail self.client.on_message = self.on_message self.client.on_disconnect = self.on_disconnect + self.client.on_subscribe = self.on_subscribe + self.client.on_unsubscribe = self.on_unsubscribe + self.client.on_disconnect = self.on_disconnect def on_connect( self, @@ -84,6 +90,12 @@ class AsyncMqttClient: logger.debug(f"mqtt client connected with message '{reason_code}'") self.fut_connected.set_result(None) + def on_connect_fail(self, client, userdata): + logger.error("mqtt client could not connect to broker") + self.fut_connected.set_exception( + Exception("mqtt client could not connect to broker") + ) + def on_disconnect( self, client: mqtt.Client, @@ -97,26 +109,26 @@ class AsyncMqttClient: self.fut_disconnect.set_result(None) def on_message(self, client: mqtt.Client, userdata: Any, msg: mqtt.MQTTMessage): - logger.debug("mqtt client got message") - print("msg", type(msg), msg) + self.messages.put_nowait(msg) def on_subscribe(self, client, userdata, mid, reason_code, properties): logger.debug(f"mqtt client subscribed to topics with message '{reason_code}'") self.fut_subscribe.set_result(None) def on_unsubscribe(self, client, userdata, mid, reason_code, properties): - logger.debug(f"mqtt client unsubscribed from topics with message '{reason_code}'") + logger.debug( + f"mqtt client unsubscribed from topics with message '{reason_code}'" + ) self.fut_unsubscribe.set_result(None) - async def update_subscriptions(self, topics: Iterable[str]): + async def update_subscriptions(self, topics: Iterable[str], qos: int = 1): """ - Update MQTT subscriptions so that the client is subscribed to exactly the given list of topics + Update MQTT subscriptions so that the client is subscribed to exactly the given list of topics """ to_add = topics.difference(self.active_subscriptions) if to_add: logger.info(f"mqtt client subscribing to topics {', '.join(to_add)}") - qos = 2 self.fut_subscribe = asyncio.get_running_loop().create_future() self.client.subscribe([(i, qos) for i in to_add]) await self.fut_subscribe From 7ac0a4106cdc621f7b62dab7317d7c0c6317fb9b Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 14:37:55 +0200 Subject: [PATCH 07/25] api: implement Server-Sent-Events on top of mqtt parameters --- api/src/dooris_api/app.py | 15 ++++++++++++++- api/src/dooris_api/ccujack.py | 34 ++++++++++++++++++++++------------ 2 files changed, 36 insertions(+), 13 deletions(-) diff --git a/api/src/dooris_api/app.py b/api/src/dooris_api/app.py index 32d626d..edb338f 100644 --- a/api/src/dooris_api/app.py +++ b/api/src/dooris_api/app.py @@ -1,10 +1,11 @@ -from typing import Optional, List +from typing import Optional, List, AsyncIterable import logging import secrets import sys from datetime import datetime, UTC from fastapi import FastAPI, Request, Response, status from fastapi.responses import RedirectResponse +from fastapi.sse import EventSourceResponse from contextlib import asynccontextmanager from simple_openid_connect.client import OpenidClient from simple_openid_connect.data import TokenSuccessResponse, RpInitiatedLogoutRequest @@ -241,6 +242,18 @@ async def list_locks(ccujack: deps.CCUJackClient) -> List[models.Lock]: return result +@app.get( + "/api/locks/stream", + tags=["locks"], + responses={status.HTTP_401_UNAUTHORIZED: {"model": models.HttpProblemDetail}}, + response_class=EventSourceResponse, +) +async def watch_locks(ccujack: deps.CCUJackClient) -> AsyncIterable[List[models.Lock]]: + while True: + yield await list_locks(ccujack) + await ccujack.data_updated.wait() + + @app.patch( "/api/locks/{lock_id}", tags=["locks"], diff --git a/api/src/dooris_api/ccujack.py b/api/src/dooris_api/ccujack.py index 112fbc1..1132e63 100644 --- a/api/src/dooris_api/ccujack.py +++ b/api/src/dooris_api/ccujack.py @@ -72,6 +72,7 @@ class CCUJackClient: locks: LockData param_values: Dict[str, Any] task_process_messages: asyncio.Task + data_updated: asyncio.Event def __init__(self, base_uri: str, auth: BasicAuth, mqtt_conn: str): self.http = ClientSession( @@ -84,6 +85,7 @@ class CCUJackClient: self.locks = None self.param_values = dict() self.task_process_messages = None + self.data_updated = asyncio.Event() async def connect_mqtt(self): await self.mqtt.connect() @@ -99,10 +101,10 @@ class CCUJackClient: async def find_locks(self): logger.debug("Inspecting lock devices present in CCUJack") - # iterate through the CCUJACK API to find all devices async with self.http.get("/device") as resp: devices = CCUDeviceList.model_validate(await resp.json()) + # inspect CCUJACK for locks device_infos = await asyncio.gather( *[ self._inspect_ccu_device(i) @@ -111,17 +113,22 @@ class CCUJackClient: ] ) - self.locks = [i for i in device_infos if i[0].type == DEVICE_TYPE_LOCK] - - # update active mqtt subscriptions - mqtt_topics = set() - for i_lock, lock_channels in self.locks: - for i_channel, channel_params in lock_channels: - for i_param in channel_params: - mqtt_topics.add( - f"device/status/{i_lock.address}/{i_channel.index}/{i_param.id}" - ) - await self.mqtt.update_subscriptions(mqtt_topics) + # save the result + new_locks = [i for i in device_infos if i[0].type == DEVICE_TYPE_LOCK] + if new_locks != self.locks: + self.locks = new_locks + self.data_updated.set() + self.data_updated.clear() + + # update active mqtt subscriptions based on newly discovered devices + mqtt_topics = set() + for i_lock, lock_channels in self.locks: + for i_channel, channel_params in lock_channels: + for i_param in channel_params: + mqtt_topics.add( + f"device/status/{i_lock.address}/{i_channel.index}/{i_param.id}" + ) + await self.mqtt.update_subscriptions(mqtt_topics) async def process_mqt_messages(self): while True: @@ -134,9 +141,12 @@ class CCUJackClient: f"Got new value from MQTT for parameter {param_name}: {param_value}" ) self.param_values[param_name] = param_value + self.data_updated.set() except Exception as e: logger.exception(f"could not process incoming mqtt message: {e}") + finally: + self.data_updated.clear() async def query_param_value(self, address: str) -> CCUValue: if address in self.param_values: From b1b624a7b3115e917b138785103fda84716f68ad Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 14:57:28 +0200 Subject: [PATCH 08/25] api: simplify logging setup --- api/src/dooris_api/__init__.py | 7 +++++++ api/src/dooris_api/app.py | 6 ------ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/api/src/dooris_api/__init__.py b/api/src/dooris_api/__init__.py index 8ee8809..139ee17 100644 --- a/api/src/dooris_api/__init__.py +++ b/api/src/dooris_api/__init__.py @@ -1,4 +1,6 @@ import os +import sys +import logging from contextvars import ContextVar from argparse import ArgumentParser, Namespace @@ -72,6 +74,10 @@ def main(): ) args = argp.parse_args() + # setup logging + logging.basicConfig(level=logging.DEBUG, format="[%(levelname)s] %(filename)s: %(message)s") + + # setup app app_config.set(args) import uvicorn from dooris_api.app import app @@ -80,6 +86,7 @@ def main(): from fastapi.staticfiles import StaticFiles app.mount("/", StaticFiles(directory=args.serve_static, html=True), name="static") + # start webserver config = uvicorn.Config(app, port=8000, log_level="debug") server = uvicorn.Server(config) server.run() diff --git a/api/src/dooris_api/app.py b/api/src/dooris_api/app.py index edb338f..7e2a948 100644 --- a/api/src/dooris_api/app.py +++ b/api/src/dooris_api/app.py @@ -22,12 +22,6 @@ logger = logging.getLogger(__name__) async def lifespan(app: FastAPI): app_cfg = app_config.get() - root_logger = logging.getLogger("") - root_logger.setLevel(logging.INFO) - root_logger.addHandler(logging.StreamHandler(sys.stderr)) - app_logger = logging.getLogger("dooris_api") - app_logger.setLevel(logging.DEBUG) - app.extra["oidc_client"] = OpenidClient.from_issuer_url( url=app_cfg.openid_issuer, authentication_redirect_uri=f"{app_cfg.base_url}/auth/login-callback", From 2349e58924b010b01f6e33160053bd34027beab8 Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 15:03:26 +0200 Subject: [PATCH 09/25] api: automatically rediscover locks from CCUJack closes CCCHH/dooris#5 --- api/src/dooris_api/app.py | 4 +--- api/src/dooris_api/ccujack.py | 21 ++++++++++++++++++++- api/src/dooris_api/mqtt_client.py | 4 +++- 3 files changed, 24 insertions(+), 5 deletions(-) diff --git a/api/src/dooris_api/app.py b/api/src/dooris_api/app.py index 7e2a948..54f97f1 100644 --- a/api/src/dooris_api/app.py +++ b/api/src/dooris_api/app.py @@ -1,7 +1,6 @@ from typing import Optional, List, AsyncIterable import logging import secrets -import sys from datetime import datetime, UTC from fastapi import FastAPI, Request, Response, status from fastapi.responses import RedirectResponse @@ -36,8 +35,7 @@ async def lifespan(app: FastAPI): auth=BasicAuth(app_cfg.ccujack_user, app_cfg.ccujack_password), mqtt_conn=app_cfg.ccujack_mqtt, ) - await app.extra["ccujack"].connect_mqtt() - await app.extra["ccujack"].find_locks() + await app.extra["ccujack"].start() yield diff --git a/api/src/dooris_api/ccujack.py b/api/src/dooris_api/ccujack.py index 1132e63..9edbcdb 100644 --- a/api/src/dooris_api/ccujack.py +++ b/api/src/dooris_api/ccujack.py @@ -72,6 +72,7 @@ class CCUJackClient: locks: LockData param_values: Dict[str, Any] task_process_messages: asyncio.Task + task_find_locks: asyncio.Task data_updated: asyncio.Event def __init__(self, base_uri: str, auth: BasicAuth, mqtt_conn: str): @@ -85,10 +86,16 @@ class CCUJackClient: self.locks = None self.param_values = dict() self.task_process_messages = None + self.task_find_locks = None self.data_updated = asyncio.Event() - async def connect_mqtt(self): + async def start(self): await self.mqtt.connect() + await self.find_locks() + + self.task_find_locks = asyncio.get_running_loop().create_task( + self.cron(), name="ccujack-cron" + ) self.task_process_messages = asyncio.get_running_loop().create_task( self.process_mqt_messages(), name="process-mqtt-messages" ) @@ -116,6 +123,7 @@ class CCUJackClient: # save the result new_locks = [i for i in device_infos if i[0].type == DEVICE_TYPE_LOCK] if new_locks != self.locks: + logger.info("Found new locks, updating state") self.locks = new_locks self.data_updated.set() self.data_updated.clear() @@ -148,6 +156,17 @@ class CCUJackClient: finally: self.data_updated.clear() + async def cron(self): + while True: + try: + + await asyncio.sleep(60 * 60) # 1 hour + logger.info("Running CCUJack cron") + await self.find_locks() + + except Exception as e: + logger.exception(f"Error in CCUJack cron task: {e}") + async def query_param_value(self, address: str) -> CCUValue: if address in self.param_values: return self.param_values[address] diff --git a/api/src/dooris_api/mqtt_client.py b/api/src/dooris_api/mqtt_client.py index 1548e66..03db2cc 100644 --- a/api/src/dooris_api/mqtt_client.py +++ b/api/src/dooris_api/mqtt_client.py @@ -3,7 +3,7 @@ # https://github.com/eclipse-paho/paho.mqtt.python/blob/master/examples/loop_asyncio.py # -from typing import Any, List, Set, Iterable +from typing import Any, Set, Iterable import logging import asyncio import socket @@ -132,6 +132,7 @@ class AsyncMqttClient: self.fut_subscribe = asyncio.get_running_loop().create_future() self.client.subscribe([(i, qos) for i in to_add]) await self.fut_subscribe + self.active_subscriptions.update(to_add) to_remove = self.active_subscriptions.difference(topics) if to_remove: @@ -139,6 +140,7 @@ class AsyncMqttClient: self.fut_unsubscribe = asyncio.get_running_loop().create_future() self.client.unsubscribe(list(to_remove)) await self.fut_unsubscribe + self.active_subscriptions.difference_update(to_remove) async def connect(self): server_host, server_port = self.connection_string.rsplit(":", maxsplit=1) From 41fd939d30b123060b9804258cd264ed410cd97a Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 15:17:41 +0200 Subject: [PATCH 10/25] api: fix ccujack cron task not being properly stopped --- api/src/dooris_api/app.py | 1 - api/src/dooris_api/ccujack.py | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/api/src/dooris_api/app.py b/api/src/dooris_api/app.py index 54f97f1..24cc708 100644 --- a/api/src/dooris_api/app.py +++ b/api/src/dooris_api/app.py @@ -29,7 +29,6 @@ async def lifespan(app: FastAPI): scope=app_cfg.openid_scope, ) - # TODO: regularly re-query CCUJACK to discover new locks app.extra["ccujack"] = CCUJackClient( base_uri=app_cfg.ccujack_url, auth=BasicAuth(app_cfg.ccujack_user, app_cfg.ccujack_password), diff --git a/api/src/dooris_api/ccujack.py b/api/src/dooris_api/ccujack.py index 9edbcdb..1a6120a 100644 --- a/api/src/dooris_api/ccujack.py +++ b/api/src/dooris_api/ccujack.py @@ -104,6 +104,8 @@ class CCUJackClient: await asyncio.gather(self.mqtt.disconnect(), self.http.close()) self.task_process_messages.cancel() self.task_process_messages = None + self.task.cron.cancel() + self.task.cron = None async def find_locks(self): logger.debug("Inspecting lock devices present in CCUJack") From 5bdf04cbb6f4602119a49dabdb9999b1b94ca40e Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 16:34:51 +0200 Subject: [PATCH 11/25] api: tentatively make auth_nonce optional after token refresh --- api/src/dooris_api/deps.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/api/src/dooris_api/deps.py b/api/src/dooris_api/deps.py index 949fd13..7c5e26b 100644 --- a/api/src/dooris_api/deps.py +++ b/api/src/dooris_api/deps.py @@ -4,6 +4,7 @@ from datetime import datetime, UTC, timedelta from fastapi import Request, Depends, Response from simple_openid_connect.data import TokenSuccessResponse from simple_openid_connect.client import OpenidClient +from simple_openid_connect.exceptions import ValidationError from dooris_api import models, exceptions from dooris_api.ccujack import CCUJackClient @@ -24,19 +25,19 @@ async def get_current_user( ) -> Optional[models.CurrentUser]: # easiest case: we still have an access token (which is the most fleeting component) # everything else should still be valid so we can just use it - if all(i in req.cookies for i in ("access_token", "id_token", "auth_nonce")): + if all(i in req.cookies for i in ("access_token", "id_token")): logger.debug( "user is fully authenticated, returning current user from existing id_token" ) id_token = oidc_client.decode_id_token( - req.cookies["id_token"], nonce=req.cookies["auth_nonce"] + req.cookies["id_token"], nonce=req.cookies.get("auth_nonce", None), ) return models.CurrentUser( id_token=id_token, raw_id_token=req.cookies["id_token"] ) # if we have a refresh token, try to get new tokens - elif all(i in req.cookies for i in ("refresh_token", "auth_nonce")): + elif all(i in req.cookies for i in ("refresh_token",)): logger.debug( "user has been previously authenticated, trying to recover with refresh_token" ) @@ -44,7 +45,7 @@ async def get_current_user( token_resp = oidc_client.exchange_refresh_token(req.cookies["refresh_token"]) if isinstance(token_resp, TokenSuccessResponse): logger.debug("successfully got new tokens from refresh token") - persist_auth_state(oidc_client, resp, token_resp, auth_start_time, req.cookies["auth_nonce"]) + persist_auth_state(oidc_client, resp, token_resp, auth_start_time, None) # return the newly gotten info id_token = oidc_client.decode_id_token(token_resp.id_token) From c0d6bd454890518d3769b7bb054ad3f591107ad9 Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 16:44:18 +0200 Subject: [PATCH 12/25] restructure dockerfile to not have npm dependencies in final image --- Containerfile | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/Containerfile b/Containerfile index 1a1812f..2c73422 100644 --- a/Containerfile +++ b/Containerfile @@ -1,3 +1,16 @@ +FROM docker.io/alpine:3.22 AS build-frontend +ENV PNPM_HOME=/usr/local/share/dooris/pnpm/ +WORKDIR /usr/local/src/dooris/ +RUN apk add --no-cache pnpm + +ADD --link app/package.json app/pnpm-lock.yaml app/ +RUN pnpm --dir=app/ install --frozen-lockfile --package-import-method=copy + +ADD --link . /usr/local/src/dooris/ +RUN pnpm --dir=app/ run build + + + FROM docker.io/alpine:3.22 AS base ARG APP_UID=10000 @@ -9,12 +22,11 @@ ENV UV_LINK_MODE=copy ENV UV_CACHE_DIR=/var/cache/dooris/uv/ ENV UV_NO_MANAGED_PYTHON=true ENV VIRTUAL_ENV=/usr/local/share/dooris/venv/ -ENV PNPM_HOME=/usr/local/share/dooris/pnpm/ -ENV PATH=$PNPM_HOME:$VIRTUAL_ENV/bin:$PATH +ENV PATH=$VIRTUAL_ENV/bin:$PATH ENV DOORIS_SERVE_STATIC=/var/www/dooris/static/ WORKDIR /usr/local/src/dooris/ -RUN apk add --no-cache uv python3 pnpm +RUN apk add --no-cache uv python3 RUN addgroup -g $APP_GID dooris &&\ adduser -h /usr/local/src/dooris -u $APP_UID -G dooris -D dooris &&\ mkdir -p /var/www/dooris/ /usr/local/share/dooris/ /usr/local/src/dooris/ /var/cache/dooris/ &&\ @@ -25,16 +37,14 @@ RUN addgroup -g $APP_GID dooris &&\ FROM base AS deps USER dooris ADD --link --chown=dooris:dooris api/pyproject.toml api/uv.lock api/ -ADD --link --chown=dooris:dooris app/package.json app/pnpm-lock.yaml app/ RUN uv venv $VIRTUAL_ENV &&\ uv sync --active --frozen --no-install-project --no-editable -RUN pnpm --dir=app/ install --frozen-lockfile --package-import-method=copy FROM deps AS final ADD --chown=dooris:dooris --link . /usr/local/src/dooris/ -RUN pnpm --dir=app/ run build --outDir=$DOORIS_SERVE_STATIC +COPY --chown=dooris:dooris --from=build-frontend --link /usr/local/src/dooris/app/dist/ $DOORIS_SERVE_STATIC RUN --mount=type=cache,uid=$APP_UID,gid=$APP_GID,target=$UV_CACHE_DIR \ uv sync --active --frozen From 8bc4e7f28edc21bcc9dae43d2f6fd654fbb1467d Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 17:02:59 +0200 Subject: [PATCH 13/25] api: debounce multiple mqtt parameter updates for frontend --- api/src/dooris_api/app.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/api/src/dooris_api/app.py b/api/src/dooris_api/app.py index 24cc708..f862d61 100644 --- a/api/src/dooris_api/app.py +++ b/api/src/dooris_api/app.py @@ -1,6 +1,7 @@ from typing import Optional, List, AsyncIterable import logging import secrets +import asyncio from datetime import datetime, UTC from fastapi import FastAPI, Request, Response, status from fastapi.responses import RedirectResponse @@ -243,6 +244,7 @@ async def watch_locks(ccujack: deps.CCUJackClient) -> AsyncIterable[List[models. while True: yield await list_locks(ccujack) await ccujack.data_updated.wait() + await asyncio.sleep(0.1) # debounce multiple mqtt parameter updates @app.patch( From 82818482152f6f801dfa4e5d150b3da849dad3f2 Mon Sep 17 00:00:00 2001 From: kritzl Date: Tue, 19 May 2026 17:09:02 +0200 Subject: [PATCH 14/25] use server sent events instead of polling --- app/src/api/schema.ts | 70 ++++++++++++++++++++++++++++++++++++++---- app/src/assets/main.ts | 66 ++++++++++++++++----------------------- 2 files changed, 90 insertions(+), 46 deletions(-) diff --git a/app/src/api/schema.ts b/app/src/api/schema.ts index c9b7069..4f4b938 100644 --- a/app/src/api/schema.ts +++ b/app/src/api/schema.ts @@ -89,6 +89,23 @@ export interface paths { patch?: never; trace?: never; }; + "/api/locks/stream": { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + /** Watch Locks */ + get: operations["watch_locks_api_locks_stream_get"]; + put?: never; + post?: never; + delete?: never; + options?: never; + head?: never; + patch?: never; + trace?: never; + }; "/api/locks/{lock_id}": { parameters: { query?: never; @@ -135,7 +152,7 @@ export interface components { * @description Statically known HTTP problem types using the [type URI scheme](https://datatracker.ietf.org/doc/rfc4151/) * @enum {string} */ - HttpProblemType: "type:noc@hamburg.ccc.de,2026:UNAUTHORIZED" | "type:noc@hamburg.ccc.de,2026:LOCK_NOT_FOUND"; + HttpProblemType: "type:noc@hamburg.ccc.de,2026:UNAUTHORIZED" | "type:noc@hamburg.ccc.de,2026,FORBIDDEN_TO_OPERATE" | "type:noc@hamburg.ccc.de,2026:LOCK_NOT_FOUND"; /** Lock */ Lock: { /** Name */ @@ -178,14 +195,17 @@ export interface components { }; /** UserStatus */ UserStatus: { - /** Is Logged In */ - is_logged_in: boolean; /** Is Authorized */ is_authorized: boolean; - /** Guaranteed Session Until */ - guaranteed_session_until: string | null; + /** + * Guaranteed Session Until + * Format: date-time + */ + guaranteed_session_until: string; /** Username */ - username: string | null; + username: string; + /** Ccchh Roles */ + ccchh_roles: string[]; }; /** ValidationError */ ValidationError: { @@ -332,6 +352,35 @@ export interface operations { }; }; }; + watch_locks_api_locks_stream_get: { + parameters: { + query?: never; + header?: never; + path?: never; + cookie?: never; + }; + requestBody?: never; + responses: { + /** @description Successful Response */ + 200: { + headers: { + [name: string]: unknown; + }; + content: { + "text/event-stream": unknown; + }; + }; + /** @description Unauthorized */ + 401: { + headers: { + [name: string]: unknown; + }; + content: { + "text/event-stream": components["schemas"]["HttpProblemDetail"]; + }; + }; + }; + }; operate_lock_api_locks__lock_id__patch: { parameters: { query?: never; @@ -365,6 +414,15 @@ export interface operations { "application/json": components["schemas"]["HttpProblemDetail"]; }; }; + /** @description Forbidden */ + 403: { + headers: { + [name: string]: unknown; + }; + content: { + "application/json": components["schemas"]["HttpProblemDetail"]; + }; + }; /** @description Not Found */ 404: { headers: { diff --git a/app/src/assets/main.ts b/app/src/assets/main.ts index 4f61428..205f64f 100644 --- a/app/src/assets/main.ts +++ b/app/src/assets/main.ts @@ -1,5 +1,5 @@ import {Fetcher} from "openapi-typescript-fetch" -import type {paths} from "../api/schema" +import type {components, paths} from "../api/schema" import type {ui} from "../i18n/ui.ts" const fetcher = Fetcher.for() @@ -29,7 +29,7 @@ declare global { lang: keyof typeof ui; doors: Array; auth: AuthType; - doorAction: (action: 'unlock' | 'lock', doorId: string) => void; + doorAction: (action: "unlock" | "lock", doorId: string) => void; } } @@ -105,18 +105,18 @@ async function checkUser() { if (e instanceof getUserInfo.Error) { const error = e.getActualType() - if (error.status === 401) { - if (!auth.recentLogout) - auth.recentLogout = auth.authenticated // set recentLogout true, if user was logged in before - auth.authenticated = false - auth.authorized = false - auth.until = null - auth.username = "" - } else if (error.status >= 500 && error.status < 600) { + + if (error.status >= 500 && error.status < 600) { apiError.current = "serverError" - } else { - console.error("unknown error:", error) } + + if (!auth.recentLogout) + auth.recentLogout = auth.authenticated // set recentLogout true, if user was logged in before + auth.authenticated = false + auth.authorized = false + auth.until = null + auth.username = "" + } } finally { localStorage.setItem("auth", JSON.stringify(auth)) @@ -125,15 +125,24 @@ async function checkUser() { } } -async function fetchDoors() { +async function subscribeDoorEvents() { if (doors.length === 0) { loading.doors = true } refresh() - const getDoors = fetcher.path("/api/locks/").method("get").create() - try { - const {data: doorInfo} = await getDoors({}) + const evtSource = new EventSource("/api/locks/stream") + + evtSource.onerror = () => { + if (!window.navigator.onLine) { + apiError.current = "networkError" + } else { + apiError.current = "serverError" + } + } + + evtSource.onmessage = (event) => { + const doorInfo: Array = JSON.parse(event.data) apiError.current = null while (doors.length) { @@ -164,29 +173,6 @@ async function fetchDoors() { loading.doors = false refresh() - } catch (e) { - // check which operation threw the exception - if (e instanceof getDoors.Error) { - const error = e.getActualType() - - if (error.status === 401) { - console.log("unauthorized") - loading.doors = false - refresh() - } else if (error.status >= 500 && error.status < 600) { - apiError.current = "serverError" - clearInterval(doorsInterval) - } else { - console.error("unknown error:", error) - } - } - - if (e instanceof Error) { - switch (e.name) { - case "TypeError": - apiError.current = "networkError" - } - } } } @@ -295,7 +281,7 @@ function refresh() { loadAuthFromLocalStorage() -const doorsInterval = setInterval(fetchDoors, 250) // TODO: replace with SSE +subscribeDoorEvents() checkUser() document.addEventListener("loadeddata", () => { From 319670b6aea3fcf0945fa03e2f29b1ccc47d7f8e Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 17:12:59 +0200 Subject: [PATCH 15/25] api: fix variable misnomer failing at program shutdown --- api/src/dooris_api/ccujack.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api/src/dooris_api/ccujack.py b/api/src/dooris_api/ccujack.py index 1a6120a..8add7ef 100644 --- a/api/src/dooris_api/ccujack.py +++ b/api/src/dooris_api/ccujack.py @@ -93,7 +93,7 @@ class CCUJackClient: await self.mqtt.connect() await self.find_locks() - self.task_find_locks = asyncio.get_running_loop().create_task( + self.task_cron= asyncio.get_running_loop().create_task( self.cron(), name="ccujack-cron" ) self.task_process_messages = asyncio.get_running_loop().create_task( @@ -104,8 +104,8 @@ class CCUJackClient: await asyncio.gather(self.mqtt.disconnect(), self.http.close()) self.task_process_messages.cancel() self.task_process_messages = None - self.task.cron.cancel() - self.task.cron = None + self.task_cron.cancel() + self.task_cron = None async def find_locks(self): logger.debug("Inspecting lock devices present in CCUJack") From 6bbfc5dc689624f91d11e9d25be2acc63189ecf0 Mon Sep 17 00:00:00 2001 From: lilly Date: Thu, 28 May 2026 16:23:03 +0200 Subject: [PATCH 16/25] api: implement automatic mqtt reconnect in ccujack cron --- api/src/dooris_api/ccujack.py | 5 ++++- api/src/dooris_api/mqtt_client.py | 8 ++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/api/src/dooris_api/ccujack.py b/api/src/dooris_api/ccujack.py index 8add7ef..03d0480 100644 --- a/api/src/dooris_api/ccujack.py +++ b/api/src/dooris_api/ccujack.py @@ -162,9 +162,12 @@ class CCUJackClient: while True: try: - await asyncio.sleep(60 * 60) # 1 hour + await asyncio.sleep(15 * 60) # 15 minutes logger.info("Running CCUJack cron") await self.find_locks() + if not self.mqtt.is_connected(): + logger.warning("MQTT client was discovered to be disconnected; reconnecting now") + await self.mqtt.connect() except Exception as e: logger.exception(f"Error in CCUJack cron task: {e}") diff --git a/api/src/dooris_api/mqtt_client.py b/api/src/dooris_api/mqtt_client.py index 03db2cc..2660951 100644 --- a/api/src/dooris_api/mqtt_client.py +++ b/api/src/dooris_api/mqtt_client.py @@ -154,8 +154,16 @@ class AsyncMqttClient: await self.fut_connected + # re-establish all supposed mqtt subscriptions + if len(self.active_subscriptions > 0): + qos = 1 + await self.client.subscribe((i, qos) for i in self.active_subscriptions) + async def disconnect(self): logger.info("Disconnecting mqtt client from broker") self.fut_disconnect = asyncio.get_running_loop().create_future() self.client.disconnect() await self.fut_disconnect + + def is_connected(self) -> bool: + return self.client.is_connected() From e5b880d038ce7e3055538d1f12c18a2153e38212 Mon Sep 17 00:00:00 2001 From: lilly Date: Thu, 28 May 2026 16:27:20 +0200 Subject: [PATCH 17/25] api: fix syntax error in mqtt connector --- api/src/dooris_api/mqtt_client.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/src/dooris_api/mqtt_client.py b/api/src/dooris_api/mqtt_client.py index 2660951..3df1f19 100644 --- a/api/src/dooris_api/mqtt_client.py +++ b/api/src/dooris_api/mqtt_client.py @@ -155,7 +155,7 @@ class AsyncMqttClient: await self.fut_connected # re-establish all supposed mqtt subscriptions - if len(self.active_subscriptions > 0): + if len(self.active_subscriptions) > 0: qos = 1 await self.client.subscribe((i, qos) for i in self.active_subscriptions) From 63a9485209ec291402337ea0aa7d089960ffc78f Mon Sep 17 00:00:00 2001 From: lilly Date: Tue, 19 May 2026 19:28:12 +0200 Subject: [PATCH 18/25] api: restructure user authentication modelling to support other user backends --- api/src/dooris_api/__init__.py | 25 ++++++++++--- api/src/dooris_api/app.py | 22 ++++------- api/src/dooris_api/deps.py | 67 +++++++++++++++++++++++++--------- api/src/dooris_api/models.py | 43 ++++++++++++---------- 4 files changed, 99 insertions(+), 58 deletions(-) diff --git a/api/src/dooris_api/__init__.py b/api/src/dooris_api/__init__.py index 139ee17..618ce97 100644 --- a/api/src/dooris_api/__init__.py +++ b/api/src/dooris_api/__init__.py @@ -1,5 +1,4 @@ import os -import sys import logging from contextvars import ContextVar from argparse import ArgumentParser, Namespace @@ -51,7 +50,9 @@ def main(): argp.add_argument( "--ccujack-url", required=False, - default=os.environ.get("DOORIS_CCUJACK_URL", "https://hmdooris-ccu.ccchh.net:2122"), + default=os.environ.get( + "DOORIS_CCUJACK_URL", "https://hmdooris-ccu.ccchh.net:2122" + ), help="The URL under which a CCUJACK instance is hosted that actually operates the locks", ) argp.add_argument( @@ -70,12 +71,21 @@ def main(): "--ccujack-password", required="DOORIS_CCUJACK_PASSWORD" not in os.environ, default=os.environ.get("DOORIS_CCUJACK_PASSWORD", None), - help="The password used to authenticate against the CCUJACK" + help="The password used to authenticate against the CCUJACK", + ) + argp.add_argument( + "--static-api-tokens", + required=False, + nargs=1, + action="append", + default=[], ) args = argp.parse_args() # setup logging - logging.basicConfig(level=logging.DEBUG, format="[%(levelname)s] %(filename)s: %(message)s") + logging.basicConfig( + level=logging.DEBUG, format="[%(levelname)s] %(filename)s: %(message)s" + ) # setup app app_config.set(args) @@ -84,8 +94,11 @@ def main(): if args.serve_static: from fastapi.staticfiles import StaticFiles - app.mount("/", StaticFiles(directory=args.serve_static, html=True), name="static") - + + app.mount( + "/", StaticFiles(directory=args.serve_static, html=True), name="static" + ) + # start webserver config = uvicorn.Config(app, port=8000, log_level="debug") server = uvicorn.Server(config) diff --git a/api/src/dooris_api/app.py b/api/src/dooris_api/app.py index f862d61..0a33704 100644 --- a/api/src/dooris_api/app.py +++ b/api/src/dooris_api/app.py @@ -58,17 +58,9 @@ app.add_exception_handler( "/api/user-info/", name="get-user-info", tags=["auth"], - responses={status.HTTP_401_UNAUTHORIZED: {"model": models.HttpProblemDetail}}, ) -async def get_user_info( - req: Request, current_user: deps.CurrentUser -) -> models.UserStatus: - return models.UserStatus( - is_authorized=current_user.may_operate_locks, - guaranteed_session_until=datetime.fromtimestamp(current_user.id_token.exp, UTC), - username=current_user.id_token.preferred_username, - ccchh_roles=current_user.ccchh_roles, - ) +async def get_user_info(req: Request, current_user: deps.ApiUser) -> models.ApiUser: + return current_user @app.get("/auth/login", tags=["auth"], response_class=RedirectResponse, status_code=302) @@ -143,7 +135,7 @@ async def login_callback( auth_start_time = datetime.fromtimestamp( float(req.cookies["auth_start_time"]), UTC ) - deps.persist_auth_state( + deps.persist_oidc_auth_state( oidc_client, resp, auth_result, auth_start_time, req.cookies["auth_nonce"] ) logger.debug("successfully authenticated user") @@ -165,9 +157,9 @@ async def login_callback( "/auth/logout", tags=["auth"], response_class=RedirectResponse, status_code=302 ) async def logout( - resp: Response, oidc_client: deps.OpenidClient, current_user: deps.CurrentUser + resp: Response, oidc_client: deps.OpenidClient, current_user: deps.AuthenticatedUser ) -> str: - deps.clear_auth_state(resp) + deps.clear_oidc_auth_state(resp) return oidc_client.initiate_logout( RpInitiatedLogoutRequest( id_token_hint=current_user.raw_id_token, @@ -244,7 +236,7 @@ async def watch_locks(ccujack: deps.CCUJackClient) -> AsyncIterable[List[models. while True: yield await list_locks(ccujack) await ccujack.data_updated.wait() - await asyncio.sleep(0.1) # debounce multiple mqtt parameter updates + await asyncio.sleep(0.1) # debounce multiple mqtt parameter updates @app.patch( @@ -261,7 +253,7 @@ async def operate_lock( lock_id: str, requested_op: models.LockOperation, ccujack: deps.CCUJackClient, - current_user: deps.CurrentUser, + current_user: deps.AuthenticatedUser, ) -> None: if not current_user.may_operate_locks: raise exceptions.HttpProblemException.forbidden_to_operate(req.url) diff --git a/api/src/dooris_api/deps.py b/api/src/dooris_api/deps.py index 7c5e26b..c611b5d 100644 --- a/api/src/dooris_api/deps.py +++ b/api/src/dooris_api/deps.py @@ -1,4 +1,4 @@ -from typing import Annotated, Optional +from typing import Annotated, Optional, Tuple import logging from datetime import datetime, UTC, timedelta from fastapi import Request, Depends, Response @@ -20,9 +20,9 @@ async def get_oidc_client(req: Request) -> OpenidClient: OpenidClient = Annotated[OpenidClient, Depends(get_oidc_client)] -async def get_current_user( +async def get_logged_in_oidc_user( req: Request, resp: Response, oidc_client: OpenidClient -) -> Optional[models.CurrentUser]: +) -> Optional[models.ApiUser]: # easiest case: we still have an access token (which is the most fleeting component) # everything else should still be valid so we can just use it if all(i in req.cookies for i in ("access_token", "id_token")): @@ -30,11 +30,10 @@ async def get_current_user( "user is fully authenticated, returning current user from existing id_token" ) id_token = oidc_client.decode_id_token( - req.cookies["id_token"], nonce=req.cookies.get("auth_nonce", None), - ) - return models.CurrentUser( - id_token=id_token, raw_id_token=req.cookies["id_token"] + req.cookies["id_token"], + nonce=req.cookies.get("auth_nonce", None), ) + return models.ApiUser.from_id_token(id_token, req.cookies["id_token"]) # if we have a refresh token, try to get new tokens elif all(i in req.cookies for i in ("refresh_token",)): @@ -45,24 +44,26 @@ async def get_current_user( token_resp = oidc_client.exchange_refresh_token(req.cookies["refresh_token"]) if isinstance(token_resp, TokenSuccessResponse): logger.debug("successfully got new tokens from refresh token") - persist_auth_state(oidc_client, resp, token_resp, auth_start_time, None) + persist_oidc_auth_state( + oidc_client, resp, token_resp, auth_start_time, None + ) # return the newly gotten info id_token = oidc_client.decode_id_token(token_resp.id_token) - return models.CurrentUser( - id_token=id_token, raw_id_token=token_resp.id_token - ) + return models.ApiUser.from_id_token(id_token, token_resp.id_token) else: - logger.debug("failed to exchange refresh token for new access token: %s", token_resp) + logger.debug( + "failed to exchange refresh token for new access token: %s", token_resp + ) # otherwise we can't meaningfully recover any user information or the user is simply not authenticated else: - logger.debug("no currently authenticated user") + logger.debug("no currently authenticated oidc user") - raise exceptions.HttpProblemException.unauthorized(req.url) + return None -def persist_auth_state( +def persist_oidc_auth_state( oidc_client: OpenidClient, resp: Response, tokens: TokenSuccessResponse, @@ -118,7 +119,7 @@ def persist_auth_state( ) -def clear_auth_state(resp: Response): +def clear_oidc_auth_state(resp: Response): resp.set_cookie("access_token", "", max_age=0) resp.set_cookie("refresh_token", "", max_age=0) resp.set_cookie("id_token", "", max_age=0) @@ -128,7 +129,39 @@ def clear_auth_state(resp: Response): resp.set_cookie("auth_start_time", "", max_age=0) -CurrentUser = Annotated[Optional[models.CurrentUser], Depends(get_current_user)] +async def get_api_user( + req: Request, resp: Response, oidc_client: OpenidClient +) -> models.ApiUser: + oidc_user = await get_logged_in_oidc_user(req, resp, oidc_client) + # TODO: Implement API user based on static tokens + if oidc_user is not None: + return oidc_user + else: + return models.ApiUser( + is_anonymous=True, + is_ccchh_user=False, + is_token_user=False, + may_operate_locks=False, + username="anonymous", + guaranteed_session_until=None, + raw_id_token=None, + ) + + +ApiUser = Annotated[models.ApiUser, Depends(get_api_user)] + + +async def get_authenticated_user( + req: Request, resp: Response, oidc_client: OpenidClient +) -> models.ApiUser: + user = await get_api_user(req, resp, oidc_client) + if user.is_anonymous: + raise exceptions.HttpProblemException.unauthorized(req.url) + else: + return user + + +AuthenticatedUser = Annotated[models.ApiUser, Depends(get_authenticated_user)] def get_ccujack(req: Request) -> CCUJackClient: diff --git a/api/src/dooris_api/models.py b/api/src/dooris_api/models.py index d1574c4..bfb741c 100644 --- a/api/src/dooris_api/models.py +++ b/api/src/dooris_api/models.py @@ -1,6 +1,6 @@ -from typing import Optional, Literal, List -from datetime import datetime -from pydantic import BaseModel, HttpUrl +from typing import Optional, Literal, Self +from datetime import datetime, UTC +from pydantic import BaseModel, HttpUrl, Field from enum import Enum from simple_openid_connect.data import IdToken @@ -27,24 +27,27 @@ class HttpProblemDetail(BaseModel): instance: Optional[HttpUrl] -class CurrentUser(BaseModel): - id_token: IdToken - raw_id_token: str - - @property - def ccchh_roles(self) -> List[str]: - return getattr(self.id_token, "ccchh-roles", []) - - @property - def may_operate_locks(self) -> bool: - return "intern@" in self.ccchh_roles - - -class UserStatus(BaseModel): - is_authorized: bool - guaranteed_session_until: datetime +class ApiUser(BaseModel): + is_anonymous: bool + is_ccchh_user: bool + is_token_user: bool + may_operate_locks: bool username: str - ccchh_roles: List[str] + guaranteed_session_until: Optional[datetime] + + raw_id_token: Optional[str] = Field(exclude=True) + + @classmethod + def from_id_token(cls, id_token: IdToken, raw_id_token: str) -> Self: + return cls( + is_anonymous=False, + is_ccchh_user=True, + is_token_user=False, + may_operate_locks="intern@" in getattr(id_token, "ccchh-roles", []), + username=id_token.preferred_username, + guaranteed_session_until=datetime.fromtimestamp(id_token.exp, UTC), + raw_id_token=raw_id_token, + ) class LockStatus(BaseModel): From 186ab662fb0913a3bf1be33b953da3954431896a Mon Sep 17 00:00:00 2001 From: lilly Date: Thu, 28 May 2026 17:31:06 +0200 Subject: [PATCH 19/25] api: implement static dooris tokens --- api/src/dooris_api/__init__.py | 3 ++- api/src/dooris_api/deps.py | 40 +++++++++++++++++++++++++++++----- 2 files changed, 37 insertions(+), 6 deletions(-) diff --git a/api/src/dooris_api/__init__.py b/api/src/dooris_api/__init__.py index 618ce97..cdf4d67 100644 --- a/api/src/dooris_api/__init__.py +++ b/api/src/dooris_api/__init__.py @@ -78,9 +78,10 @@ def main(): required=False, nargs=1, action="append", - default=[], + default=[i for i in os.environ.get("DOORIS_STATIC_API_TOKENS", "").split(",") if bool(i)], ) args = argp.parse_args() + print(args.static_api_tokens) # setup logging logging.basicConfig( diff --git a/api/src/dooris_api/deps.py b/api/src/dooris_api/deps.py index c611b5d..b82ae05 100644 --- a/api/src/dooris_api/deps.py +++ b/api/src/dooris_api/deps.py @@ -1,11 +1,12 @@ -from typing import Annotated, Optional, Tuple +from typing import Annotated, Optional import logging from datetime import datetime, UTC, timedelta -from fastapi import Request, Depends, Response +from fastapi import Request, Depends, Response, Header +from fastapi.security import APIKeyHeader from simple_openid_connect.data import TokenSuccessResponse from simple_openid_connect.client import OpenidClient -from simple_openid_connect.exceptions import ValidationError +from dooris_api import app_config from dooris_api import models, exceptions from dooris_api.ccujack import CCUJackClient @@ -13,6 +14,9 @@ from dooris_api.ccujack import CCUJackClient logger = logging.getLogger(__name__) +api_key_security_scheme = APIKeyHeader(name="Authorization", scheme_name="Static-Token", auto_error=False) + + async def get_oidc_client(req: Request) -> OpenidClient: return req.app.extra["oidc_client"] @@ -129,13 +133,39 @@ def clear_oidc_auth_state(resp: Response): resp.set_cookie("auth_start_time", "", max_age=0) +def get_logged_in_token_user(req: Request, token: Optional[str]): + if not token or not token.startswith("Static-Token "): + logger.debug("No valid API-Token was provided") + return None + + token = token.removeprefix("Static-Token ") + valid_tokens = app_config.get().static_api_tokens + + if any((i == token for i in valid_tokens)): + logger.debug("Successfully authenticated a static API-Token") + return models.ApiUser( + is_anonymous=False, + is_ccchh_user=False, + is_token_user=True, + may_operate_locks=True, + username="static-token", + guaranteed_session_until=None, + raw_id_token=None, + ) + + return None + + async def get_api_user( - req: Request, resp: Response, oidc_client: OpenidClient + req: Request, resp: Response, oidc_client: OpenidClient, token: Annotated[Optional[str], Depends(api_key_security_scheme)] = None ) -> models.ApiUser: oidc_user = await get_logged_in_oidc_user(req, resp, oidc_client) - # TODO: Implement API user based on static tokens + token_user = get_logged_in_token_user(req, token) + if oidc_user is not None: return oidc_user + elif token_user is not None: + return token_user else: return models.ApiUser( is_anonymous=True, From 99668e2a33f9188dd2284424ad1c8ee7b261e98f Mon Sep 17 00:00:00 2001 From: lilly Date: Thu, 28 May 2026 17:53:15 +0200 Subject: [PATCH 20/25] document current api parameters in README --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index f83e55d..7cf569f 100644 --- a/README.md +++ b/README.md @@ -26,8 +26,10 @@ THe following table lists all available configuration parameters: | `--base-url` | `DOORIS_BASE_URL` | Yes | *None* | | `--serve-static` | `DOORIS_SERVE_STATIC` | No | *None* | | `--ccujack-url` | `DOORIS_CCUJACK_URL` | No | `https://hmdooris-ccu.ccchh.net:2122` | +| `--ccujack-mqtt` | `DOORIS_CCUJACK_MQTT` | No | `hmdooris-ccu.ccchh.net:1883` | | `--ccujack-user` | `DOORIS_CCUJACK_USER` | Yes | *None* | | `--ccujack-password` | `DOORIS_CCUJACK_PASSWORD` | Yes | *None* | +| `--static-api-tokens` | `DOORIS_STATIC_API_TOKENS` | No | *None* | ## API Development From 2e1742279d919400bfbd976ce04f3642db7ab9aa Mon Sep 17 00:00:00 2001 From: kritzl Date: Fri, 29 May 2026 09:57:04 +0200 Subject: [PATCH 21/25] update frontend to match new user-info endpoint --- app/src/api/README.md | 2 +- app/src/api/schema.ts | 40 ++++++++++++++++------------------------ app/src/assets/main.ts | 8 +++++--- 3 files changed, 22 insertions(+), 28 deletions(-) diff --git a/app/src/api/README.md b/app/src/api/README.md index 256986b..6dc22f0 100644 --- a/app/src/api/README.md +++ b/app/src/api/README.md @@ -1,3 +1,3 @@ # Update schema -`pnpm dlx openapi-typescript http://localhost:8000/openapi.json -o ./schema.ts` +`pnpm dlx openapi-typescript http://localhost:8000/api/openapi.json -o ./schema.ts` diff --git a/app/src/api/schema.ts b/app/src/api/schema.ts index 4f4b938..50495c9 100644 --- a/app/src/api/schema.ts +++ b/app/src/api/schema.ts @@ -127,6 +127,21 @@ export interface paths { export type webhooks = Record; export interface components { schemas: { + /** ApiUser */ + ApiUser: { + /** Is Anonymous */ + is_anonymous: boolean; + /** Is Ccchh User */ + is_ccchh_user: boolean; + /** Is Token User */ + is_token_user: boolean; + /** May Operate Locks */ + may_operate_locks: boolean; + /** Username */ + username: string; + /** Guaranteed Session Until */ + guaranteed_session_until: string | null; + }; /** HTTPValidationError */ HTTPValidationError: { /** Detail */ @@ -193,20 +208,6 @@ export interface components { */ activity_state: "unknown" | "locking" | "unlocking" | "stable"; }; - /** UserStatus */ - UserStatus: { - /** Is Authorized */ - is_authorized: boolean; - /** - * Guaranteed Session Until - * Format: date-time - */ - guaranteed_session_until: string; - /** Username */ - username: string; - /** Ccchh Roles */ - ccchh_roles: string[]; - }; /** ValidationError */ ValidationError: { /** Location */ @@ -244,16 +245,7 @@ export interface operations { [name: string]: unknown; }; content: { - "application/json": components["schemas"]["UserStatus"]; - }; - }; - /** @description Unauthorized */ - 401: { - headers: { - [name: string]: unknown; - }; - content: { - "application/json": components["schemas"]["HttpProblemDetail"]; + "application/json": components["schemas"]["ApiUser"]; }; }; }; diff --git a/app/src/assets/main.ts b/app/src/assets/main.ts index 205f64f..82594c6 100644 --- a/app/src/assets/main.ts +++ b/app/src/assets/main.ts @@ -93,13 +93,15 @@ async function checkUser() { const {data: userInfo} = await getUserInfo({}) apiError.current = null - auth.authenticated = true - auth.authorized = userInfo.is_authorized + auth.authenticated = !userInfo.is_anonymous + auth.authorized = userInfo.may_operate_locks auth.until = userInfo.guaranteed_session_until ? new Date(userInfo.guaranteed_session_until) : null auth.username = userInfo.username ?? "" auth.recentLogout = false - triggerAuthTimeout() + if (auth.authenticated) { + triggerAuthTimeout() + } } catch (e) { // check which operation threw the exception if (e instanceof getUserInfo.Error) { From b75288881283c679ab593f9d3c7f6001e41dae95 Mon Sep 17 00:00:00 2001 From: lilly Date: Sun, 31 May 2026 20:53:14 +0200 Subject: [PATCH 22/25] api: fix mqtt reconnect logic errors --- api/src/dooris_api/ccujack.py | 9 ++++++--- api/src/dooris_api/mqtt_client.py | 26 +++++++++++++++++--------- 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/api/src/dooris_api/ccujack.py b/api/src/dooris_api/ccujack.py index 03d0480..a6b0640 100644 --- a/api/src/dooris_api/ccujack.py +++ b/api/src/dooris_api/ccujack.py @@ -162,15 +162,18 @@ class CCUJackClient: while True: try: - await asyncio.sleep(15 * 60) # 15 minutes logger.info("Running CCUJack cron") - await self.find_locks() - if not self.mqtt.is_connected(): + if not self.mqtt.is_connected: logger.warning("MQTT client was discovered to be disconnected; reconnecting now") await self.mqtt.connect() + await self.find_locks() + except Exception as e: logger.exception(f"Error in CCUJack cron task: {e}") + finally: + await asyncio.sleep(15 * 60) # 15 minutes + async def query_param_value(self, address: str) -> CCUValue: if address in self.param_values: diff --git a/api/src/dooris_api/mqtt_client.py b/api/src/dooris_api/mqtt_client.py index 3df1f19..a090c5f 100644 --- a/api/src/dooris_api/mqtt_client.py +++ b/api/src/dooris_api/mqtt_client.py @@ -128,19 +128,21 @@ class AsyncMqttClient: to_add = topics.difference(self.active_subscriptions) if to_add: - logger.info(f"mqtt client subscribing to topics {', '.join(to_add)}") - self.fut_subscribe = asyncio.get_running_loop().create_future() - self.client.subscribe([(i, qos) for i in to_add]) - await self.fut_subscribe self.active_subscriptions.update(to_add) + if self.is_connected: + logger.info(f"mqtt client subscribing to topics {', '.join(to_add)}") + self.fut_subscribe = asyncio.get_running_loop().create_future() + self.client.subscribe([(i, qos) for i in to_add]) + await self.fut_subscribe to_remove = self.active_subscriptions.difference(topics) if to_remove: - logger.info(f"mqtt client unsubscribing from topics {','.join(to_remove)}") - self.fut_unsubscribe = asyncio.get_running_loop().create_future() - self.client.unsubscribe(list(to_remove)) - await self.fut_unsubscribe self.active_subscriptions.difference_update(to_remove) + if self.is_connected: + logger.info(f"mqtt client unsubscribing from topics {','.join(to_remove)}") + self.fut_unsubscribe = asyncio.get_running_loop().create_future() + self.client.unsubscribe(list(to_remove)) + await self.fut_unsubscribe async def connect(self): server_host, server_port = self.connection_string.rsplit(":", maxsplit=1) @@ -157,13 +159,19 @@ class AsyncMqttClient: # re-establish all supposed mqtt subscriptions if len(self.active_subscriptions) > 0: qos = 1 - await self.client.subscribe((i, qos) for i in self.active_subscriptions) + self.fut_subscribe = asyncio.get_running_loop().create_future() + self.client.subscribe([(i, qos) for i in self.active_subscriptions]) + await self.fut_subscribe async def disconnect(self): + if not self.is_connected: + return + logger.info("Disconnecting mqtt client from broker") self.fut_disconnect = asyncio.get_running_loop().create_future() self.client.disconnect() await self.fut_disconnect + @property def is_connected(self) -> bool: return self.client.is_connected() From 64ab73e9c30fce5c82c8599c407605fdad223ade Mon Sep 17 00:00:00 2001 From: lilly Date: Sun, 31 May 2026 20:53:14 +0200 Subject: [PATCH 23/25] api: initialize ccujack asynchonously via immedietaly running cron --- api/src/dooris_api/ccujack.py | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/api/src/dooris_api/ccujack.py b/api/src/dooris_api/ccujack.py index a6b0640..de08bbf 100644 --- a/api/src/dooris_api/ccujack.py +++ b/api/src/dooris_api/ccujack.py @@ -90,15 +90,12 @@ class CCUJackClient: self.data_updated = asyncio.Event() async def start(self): - await self.mqtt.connect() - await self.find_locks() - - self.task_cron= asyncio.get_running_loop().create_task( - self.cron(), name="ccujack-cron" - ) self.task_process_messages = asyncio.get_running_loop().create_task( self.process_mqt_messages(), name="process-mqtt-messages" ) + self.task_cron= asyncio.get_running_loop().create_task( + self.cron(), name="ccujack-cron" + ) async def close_connections(self): await asyncio.gather(self.mqtt.disconnect(), self.http.close()) From 279a45a9e8259b28c3fe6dff546ee613771426dc Mon Sep 17 00:00:00 2001 From: lilly Date: Sun, 31 May 2026 20:53:14 +0200 Subject: [PATCH 24/25] api: don't print static tokens on startup (was only for debugging) --- api/src/dooris_api/__init__.py | 1 - 1 file changed, 1 deletion(-) diff --git a/api/src/dooris_api/__init__.py b/api/src/dooris_api/__init__.py index cdf4d67..203d379 100644 --- a/api/src/dooris_api/__init__.py +++ b/api/src/dooris_api/__init__.py @@ -81,7 +81,6 @@ def main(): default=[i for i in os.environ.get("DOORIS_STATIC_API_TOKENS", "").split(",") if bool(i)], ) args = argp.parse_args() - print(args.static_api_tokens) # setup logging logging.basicConfig( From 914a4497c7f48e88aaec34e1cedde61e860d1d1c Mon Sep 17 00:00:00 2001 From: lilly Date: Sun, 31 May 2026 22:02:39 +0200 Subject: [PATCH 25/25] api: implement automatic ssh key fetching from keycloak --- .dev.env | 1 + .gitignore | 1 + api/src/dooris_api/__init__.py | 13 ++++++ api/src/dooris_api/app.py | 10 ++++ api/src/dooris_api/ccujack.py | 3 ++ api/src/dooris_api/keycloak.py | 83 ++++++++++++++++++++++++++++++++++ 6 files changed, 111 insertions(+) create mode 100644 api/src/dooris_api/keycloak.py diff --git a/.dev.env b/.dev.env index eb77b35..59f4383 100644 --- a/.dev.env +++ b/.dev.env @@ -3,3 +3,4 @@ DOORIS_OPENID_CLIENT_ID=dooris DOORIS_OPENID_CLIENT_SECRET=dp9HhnvUhAtKm3pRnxfGA7q8Nwrd1td8 DOORIS_BASE_URL=http://localhost:8000 DOORIS_CCUJACK_USER=dooris +DOORIS_AUTHORIZED_KEYS_FILE=./authorized_keys diff --git a/.gitignore b/.gitignore index 4ad5c33..7b869c5 100644 --- a/.gitignore +++ b/.gitignore @@ -3,4 +3,5 @@ .env **/__pycache__ +**/authorized_keys api/dist diff --git a/api/src/dooris_api/__init__.py b/api/src/dooris_api/__init__.py index 203d379..10d1ff5 100644 --- a/api/src/dooris_api/__init__.py +++ b/api/src/dooris_api/__init__.py @@ -1,5 +1,6 @@ import os import logging +from pathlib import Path from contextvars import ContextVar from argparse import ArgumentParser, Namespace @@ -80,6 +81,18 @@ def main(): action="append", default=[i for i in os.environ.get("DOORIS_STATIC_API_TOKENS", "").split(",") if bool(i)], ) + argp.add_argument( + "--kc-ssh-attr-group", + required=False, + default=os.environ.get("DOORIS_KC_SSH_ATTR_GROUP", "dooris-ssh-keys"), + ) + argp.add_argument( + "--authorized-keys-file", + required="DOORIS_AUTHORIZED_KEYS_FILE" not in os.environ, + default=os.environ.get("DOORIS_AUTHORIZED_KEYS_FILE", None), + type=Path, + help="A file to which ssh authorized keys fetched from keycloak will be written", + ) args = argp.parse_args() # setup logging diff --git a/api/src/dooris_api/app.py b/api/src/dooris_api/app.py index 0a33704..73cab3d 100644 --- a/api/src/dooris_api/app.py +++ b/api/src/dooris_api/app.py @@ -13,6 +13,7 @@ from aiohttp import BasicAuth from dooris_api import deps, models, exceptions, app_config from dooris_api.ccujack import CCUJackClient +from dooris_api.keycloak import KeycloakClient logger = logging.getLogger(__name__) @@ -37,9 +38,18 @@ async def lifespan(app: FastAPI): ) await app.extra["ccujack"].start() + app.extra["keycloak"] = KeycloakClient( + base_uri=app_cfg.openid_issuer, + oidc_client=app.extra["oidc_client"], + keycloak_attribute_group=app_cfg.kc_ssh_attr_group, + authorized_keys_file=app_cfg.authorized_keys_file, + ) + app.extra["keycloak"].start() + yield await app.extra["ccujack"].close_connections() + await app.extra["keycloak"].stop() app = FastAPI( diff --git a/api/src/dooris_api/ccujack.py b/api/src/dooris_api/ccujack.py index de08bbf..8cf767f 100644 --- a/api/src/dooris_api/ccujack.py +++ b/api/src/dooris_api/ccujack.py @@ -166,6 +166,9 @@ class CCUJackClient: await self.find_locks() + except asyncio.CancelledError: + logger.info("CCUJack task cron stopped") + raise except Exception as e: logger.exception(f"Error in CCUJack cron task: {e}") finally: diff --git a/api/src/dooris_api/keycloak.py b/api/src/dooris_api/keycloak.py new file mode 100644 index 0000000..ea614d1 --- /dev/null +++ b/api/src/dooris_api/keycloak.py @@ -0,0 +1,83 @@ +from typing import List +from aiohttp import ClientSession, ClientRequest, ClientHandlerType, ClientResponse +import asyncio +import logging +from pathlib import Path +from simple_openid_connect.client import OpenidClient +from simple_openid_connect.data import TokenErrorResponse + + +logger = logging.getLogger(__name__) + + +class ClientCredentialsAuth: + def __init__(self, oidc_client: OpenidClient): + self.oidc_client = oidc_client + + async def __call__(self, req: ClientRequest, handler: ClientHandlerType) -> ClientResponse: + resp = self.oidc_client.client_credentials_grant.authenticate() + if isinstance(resp, TokenErrorResponse): + raise Exception(f"Could not authenticate against keycloak with client-credentials-grant: {resp.error} ({resp.error_description})") + + req.headers["Authorization"] = f"Bearer {resp.access_token}" + return await handler(req) + + +class KeycloakClient: + keycloak_attribute_group: str + authorized_keys_file: Path + ssh_keys: List[str] + data_updated: asyncio.Event + task_cron = asyncio.Task + + def __init__(self, base_uri: str, oidc_client: OpenidClient, keycloak_attribute_group: str, authorized_keys_file: Path): + self.base_uri: str + self.keycloak_attribute_group = keycloak_attribute_group + self.ssh_keys = [] + self.data_updated = asyncio.Event() + self.authorized_keys_file = authorized_keys_file + self.http = ClientSession( + base_url=base_uri, + middlewares=[ClientCredentialsAuth(oidc_client)], + raise_for_status=True, + ) + + def start(self): + self.task_cron = asyncio.get_running_loop().create_task(self.cron(), name="keycloak-cron") + + async def stop(self): + await self.http.close() + self.task_cron.cancel() + self.task_cron = None + + async def cron(self): + while True: + try: + + logger.info("Running keycloak cron") + await self.fetch_ssh_keys() + await self.write_authorized_keys() + + except asyncio.CancelledError: + logger.info("keycloak cron stopped") + raise + except Exception as e: + logger.exception(f"Error in Keycloak cron task: {e}") + finally: + await asyncio.sleep(15 * 60) # 15 minutes + + async def fetch_ssh_keys(self): + logger.info("Fetching ssh keys from keycloak") + async with self.http.get(f"./attribute-endpoints-provider/export/{self.keycloak_attribute_group}") as resp: + keys = await resp.json() + assert isinstance(keys, list) + self.ssh_keys = keys + self.data_updated.set() + self.data_updated.clear() + + async def write_authorized_keys(self): + logger.info(f"Writing authorized keys to {self.authorized_keys_file.absolute()}") + with self.authorized_keys_file.open(mode="wt", encoding="UTF-8") as f: + f.writelines(self.ssh_keys) + +