7a17e3babd
Subsonic auth (t=md5(password+salt), legacy p=) needs a recoverable secret, but login passwords are stored as a one-way argon2 hash. Add a separate, per-user app-password: high-entropy, random, and encrypted at rest with a Fernet key derived from SUBSONIC_SECRET_KEY (never stored in the DB). - SubsonicPasswordCipher + generate_subsonic_password in core.security - users.subsonic_password_enc column (+ Alembic migration), repo + port methods - SubsonicAuthService: verify (t+s / p / p=enc:) and rotate/reveal lifecycle - self-service GET/POST /users/me/subsonic-password + admin rotate endpoint - domain SubsonicCredentials + SubsonicCipher port; deps wiring Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
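[project]
name = "mcma-backend"
version = "0.1.0"
description = "Self-hosted, offline-first music service — backend (hexagonal architecture)"
requires-python = ">=3.14"
# Runtime requirements. Every entry declares a lower bound only, so the versions
# that actually get installed are decided when the environment is resolved.
# NOTE(review): reproducible, auditable installs therefore depend on a committed
# lockfile (the project is configured for uv under [tool.uv]); confirm one is
# checked in and used for deployments.
dependencies = [
    # web
    "fastapi>=0.115",
    "uvicorn[standard]>=0.32",
    "python-multipart>=0.0.12",
    # data
    "sqlalchemy[asyncio]>=2.0.36",
    "asyncpg>=0.30",
    "alembic>=1.14",
    # config / validation
    "pydantic>=2.10",
    "pydantic-settings>=2.6",
    # cache / queue
    "redis>=5.2",
    "arq>=0.26",
    # auth: JWT handling (pyjwt) and Argon2 password hashing (pwdlib)
    "pyjwt>=2.10",
    "pwdlib[argon2]>=0.2.1",
    # symmetric encryption for the recoverable Subsonic app-password (Fernet)
    # Fernet is authenticated encryption (AES-128-CBC + HMAC-SHA256). The stored
    # app-password is only as safe as the key it is encrypted under, so that key
    # belongs in deployment secrets, never in the repository or the database.
    "cryptography>=44.0",
    # outbound http (ML client, MusicBrainz, AcoustID)
    "httpx>=0.28",
    # S3-compatible object storage
    "aioboto3>=13.0",
    # logging
    "structlog>=24.4",
]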
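[project.scripts]
# Installs an `mcma` console command that calls `main` in the `app.cli` module.
mcma = "app.cli:main"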
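[dependency-groups]
# Development-only tooling (test runner, linter, type checker). Dependency
# groups are not part of the built package's runtime requirements.
dev = [
    "pytest>=8.3",
    "pytest-asyncio>=0.24",
    "ruff>=0.8",
    "mypy>=1.13",
    "asgi-lifespan>=2.1",
]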
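[tool.uv]
# Have uv treat the project as an installable package (built and installed into
# the environment) instead of a bare collection of dependencies.
package = true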
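[build-system]
# NOTE(review): the build backend is requested without any version constraint,
# so each build resolves whatever hatchling release is current. A lower bound
# or a pinned build environment would make builds reproducible.
requires = ["hatchling"]
build-backend = "hatchling.build"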
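[tool.hatch.build.targets.wheel]
# Only the `app` package directory is shipped in the wheel.
packages = ["app"]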
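# ---------------------------------------------------------------------------
# Tooling
# ---------------------------------------------------------------------------
[tool.ruff]
# Lint and upgrade suggestions assume the same interpreter floor as
# requires-python under [project].
target-version = "py314"
line-length = 100
# Source roots ruff uses when classifying imports as first-party.
src = ["app", "tests"]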
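[tool.ruff.lint]
# NOTE(review): the flake8-bandit security rules (`S`) are not selected. For a
# service that handles credentials and encryption keys they are worth
# considering; enabling them may need per-file ignores for tests.
select = [
    "E", "F", "W",  # pycodestyle / pyflakes
    "I",            # isort
    "N",            # pep8-naming
    "UP",           # pyupgrade
    "B",            # bugbear
    "ASYNC",        # async pitfalls
    "RUF",          # ruff-specific rules
]
ignore = ["B008"]  # FastAPI Depends() in defaults is idiomatic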
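[tool.ruff.lint.per-file-ignores]
# Subsonic query params are camelCase by spec (artistCount, songId, …); the
# handler arg names must match the wire names exactly.
# N803 is the "argument name should be lowercase" check; it is silenced only
# for the REST handlers, so the naming rule still applies everywhere else.
"app/api/rest/*" = ["N803"]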
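[tool.mypy]
python_version = "3.14"
strict = true
plugins = ["pydantic.mypy"]
# The two flags below are already implied by strict = true; they are kept
# explicit so they survive if strict mode is ever relaxed.
warn_unused_ignores = true
disallow_untyped_defs = true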
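# With ignore_missing_imports, mypy treats the listed modules as `Any` when it
# cannot find type information for them, so calls into the job queue (arq) and
# the S3 client stack are not type-checked even under strict mode.
# NOTE(review): presumably these packages ship no usable stubs; re-check when
# upgrading, and validate data crossing these boundaries explicitly.
[[tool.mypy.overrides]]
module = ["arq.*"]
ignore_missing_imports = true

[[tool.mypy.overrides]]
module = ["aioboto3.*", "aiobotocore.*", "botocore.*"]
ignore_missing_imports = true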
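[tool.pytest.ini_options]
# pytest-asyncio "auto" mode: async test functions run as asyncio tests
# without an explicit marker on each one.
asyncio_mode = "auto"
testpaths = ["tests"]
# -ra prints a short summary line for every test outcome except passes.
addopts = "-ra"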