feat(CLI-63): auth middleware for token validation and namespace isolation

backend/api/server_fastapi_router.py

@@ -5,10 +5,19 @@
 
 import modal
 from fastapi import APIRouter, File, Form, HTTPException, UploadFile
+from pydantic import BaseModel
 
 logger = logging.getLogger(__name__)
 
 
+class AuthorizeDeviceRequest(BaseModel):
+    """Request body for device code authorization."""
+    user_code: str
+    user_id: str
+    id_token: str
+    refresh_token: str
+
+
 class ServerFastAPIRouter:
     """
     FastAPI router for the Server service.
@@ -93,6 +102,7 @@ def _register_routes(self):
         self.router.add_api_route("/cache/clear", self.clear_cache, methods=["POST"])
         self.router.add_api_route("/auth/device/code", self.request_device_code, methods=["POST"])
         self.router.add_api_route("/auth/device/poll", self.poll_device_code, methods=["POST"])
+        self.router.add_api_route("/auth/device/authorize", self.authorize_device_code, methods=["POST"])
 
     async def health(self):
         """
@@ -355,3 +365,38 @@ async def poll_device_code(self, device_code: str):
         except Exception as e:
             logger.error(f"[Device Poll] Error polling device code: {e}")
             raise HTTPException(status_code=500, detail=str(e))
+
+    async def authorize_device_code(self, request: AuthorizeDeviceRequest):
+        try:
+            # Look up device_code by user_code
+            device_code = self.server_instance.auth_connector.get_device_code_by_user_code(request.user_code)
+
+            if device_code is None:
+                raise HTTPException(
+                    status_code=404,
+                    detail="User code not found or expired"
+                )
+
+            # Mark device code as authorized with user tokens
+            success = self.server_instance.auth_connector.set_device_code_authorized(
+                device_code=device_code,
+                user_id=request.user_id,
+                id_token=request.id_token,
+                refresh_token=request.refresh_token
+            )
+
+            if not success:
+                raise HTTPException(
+                    status_code=500,
+                    detail="Failed to authorize device code"
+                )
+
+            logger.info(f"[Device Authorize] User code {request.user_code} authorized for user {request.user_id}")
+
+            return {"status": "success"}
+
+        except HTTPException:
+            raise
+        except Exception as e:
+            logger.error(f"[Device Authorize] Error authorizing device code: {e}")
+            raise HTTPException(status_code=500, detail=str(e))

backend/services/http_server.py

@@ -73,8 +73,19 @@ def create_fastapi_app(self, processing_service_cls=None):
         """
         from api import ServerFastAPIRouter
         from fastapi import FastAPI
+        from fastapi.middleware.cors import CORSMiddleware
 
         self.fastapi_app = FastAPI(title="Clipabit Server")
+
+        # Add CORS middleware for testing
+        self.fastapi_app.add_middleware(
+            CORSMiddleware,
+            allow_origins=["*"],
+            allow_credentials=True,
+            allow_methods=["*"],
+            allow_headers=["*"],
+        )
+
         api_router = ServerFastAPIRouter(
             server_instance=self,
             is_file_change_enabled=self.is_file_change_enabled,