Harden web control auth and upload inputs #24

Open
ceej640 wants to merge 4 commits into gently-project:development from ceej640:ceej/fix-web-auth-hardening

ceej640 commented May 31, 2026

Collaborator

Summary

  • gate HTTP image and 3D volume upload routes with the existing control-role dependency
  • validate uploaded array shape, dtype, byte count, and base64 before reshaping
  • make /ws and /ws/agent use the same account/token role resolver as REST control routes
  • let read-only launcher commands such as --sessions run without ANTHROPIC_API_KEY and avoid creating a hidden first-run admin password
  • add focused tests for legacy token, account roles, route auth, and upload validation

Stacking

This branch is stacked on #23 so the full suite can collect. Once #23 merges into 0.22-dev, this PR should reduce to the auth/upload hardening commit.

Verification

  • uv run pytest tests/test_web_auth_hardening.py tests/test_data_catalog.py -q
  • uv run pytest -q
    • 561 passed, 4 skipped
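
The upload check named in the summary above (shape, dtype, byte count and base64 validated before any reshape), sketched as an added example that is not code from this PR or the gently project. The function name, the dtype allowlist, the size limits and the `ndim` parameter (2 for an image, 3 for a volume) are assumptions made for illustration.

```python
import base64
import binascii
import math

# Assumed policy values for illustration; the PR's actual limits are not shown on this page.
ALLOWED_DTYPES = {"uint8": 1, "uint16": 2, "float32": 4}  # dtype name -> bytes per element
MAX_DIM = 4096
MAX_BYTES = 256 * 1024 * 1024


class UploadError(ValueError):
    """Raised when an upload fails validation; a route would map this to HTTP 400/413."""


def validate_array_upload(shape, dtype, data_b64, ndim):
    """Return the decoded buffer only if it exactly matches the declared layout."""
    if dtype not in ALLOWED_DTYPES:  # allowlist: never pass a client string to a dtype constructor
        raise UploadError("unsupported dtype")
    if not isinstance(shape, (list, tuple)) or len(shape) != ndim:
        raise UploadError("wrong number of dimensions")
    for dim in shape:
        # bool is a subclass of int, so reject it explicitly
        if isinstance(dim, bool) or not isinstance(dim, int) or not 1 <= dim <= MAX_DIM:
            raise UploadError("bad dimension")
    expected = math.prod(shape) * ALLOWED_DTYPES[dtype]
    if expected > MAX_BYTES:
        raise UploadError("declared array too large")
    # Bound the encoded length before decoding so an oversized body is never expanded.
    if not isinstance(data_b64, str) or len(data_b64) > 4 * ((expected + 2) // 3):
        raise UploadError("payload length does not match declared shape")
    try:
        raw = base64.b64decode(data_b64, validate=True)  # strict: rejects non-alphabet characters
    except (binascii.Error, ValueError) as exc:
        raise UploadError("invalid base64") from exc
    if len(raw) != expected:
        raise UploadError("byte count does not match shape and dtype")
    return raw  # only now hand to e.g. numpy.frombuffer(raw, dtype).reshape(shape)
```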

pskeshu commented Jun 1, 2026 via email

Collaborator

ceej640 commented Jun 1, 2026

Collaborator Author

Yes, I agree. This PR hardens the existing auth/upload surfaces, but it does not solve day-to-day account administration on the DiSPIM Gently server.

I would keep this PR scoped as the lower-level enforcement/auth correctness layer, then add user management as a separate operator/admin PR. The useful shape is probably:

  • admin-only CLI commands for users list/add/disable/reset-password/set-role/rotate-token
  • a small authenticated admin page for the same operations when someone is at the microscope server
  • explicit roles such as admin, operator, and viewer
  • no implicit first-run hidden credentials
  • audit log entries for account changes
  • a documented recovery path for a locked-out local server

That would make the server easier to operate without weakening the security hardening in this patch.

ceej640 commented Jun 1, 2026

Collaborator Author

Follow-up implemented from this thread in commit a81d15f.

What changed:

  • Added account-store methods for role changes, password resets, and deletion, with last-admin protection.
  • Added admin-only API routes to list, update, and delete web UI users.
  • Added launcher CLI account management commands: --users, --add-user, --set-role, --reset-password, and --delete-user.
  • Made the launcher import the agent lazily so account-management commands can run even when runtime dependencies like gently_perception are not installed.

Verification:

  • python launch_gently.py --help
  • pytest tests/test_web_auth_hardening.py -q -p no:cacheprovider

ceej640 commented Jun 1, 2026

Collaborator Author

Follow-up implemented from the user-management thread in commit 19577ab.

What changed:

  • Added an admin-only /admin/users page for listing users, creating users, changing roles, resetting passwords, and deleting users.
  • Added a header users link that appears only for signed-in admins.
  • Kept the page backed by the existing admin-only account API from this PR.
  • Prevented duplicate usernames from silently replacing an existing account.
  • Updated the auth template route calls to the current Starlette request-first TemplateResponse form; the admin page test exposed that issue.

Verification:

  • pytest tests/test_web_auth_hardening.py -q -p no:cacheprovider
  • non-writing compile check for accounts.py and auth_routes.py
  • git diff --check

Note: Node is not installed in this environment, so I could not run a separate JS syntax check. The admin route/template access path is covered by FastAPI TestClient.

2 participants