github/OpenHands
1
0
Fork 0
mirror of https://github.com/OpenHands/OpenHands.git synced 2026-03-22 13:47:19 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
b98bae8b5ff8740b99f0be76b249562a0130cb0e
OpenHands/enterprise/server/email_validation.py
Hiep Le 030ff59c40 feat(backend): develop post /api/organizations api (org project) (#12263) 
Co-authored-by: rohitvinodmalhotra@gmail.com <rohitvinodmalhotra@gmail.com>
Co-authored-by: openhands <openhands@all-hands.dev>
Co-authored-by: Chuck Butkus <chuck@all-hands.dev>
2026-01-21 15:14:27 +07:00

69 lines
2.1 KiB
Python
Raw Blame History

"""
Email domain validation utilities for enterprise endpoints.
"""
from fastapi import Depends, HTTPException, Request, status
from openhands.core.logger import openhands_logger as logger
from openhands.server.user_auth import get_user_auth, get_user_id
async def get_admin_user_id(
request: Request, user_id: str | None = Depends(get_user_id)
) -> str:
"""
Dependency that validates user has @openhands.dev email domain.
This dependency can be used in place of get_user_id for endpoints that
should only be accessible to admin users. Currently, this is implemented
by checking for @openhands.dev email domain.
TODO: In the future, this should be replaced with an explicit is_admin flag
in user/org settings instead of relying on email domain validation.
Args:
request: FastAPI request object
user_id: User ID from get_user_id dependency
Returns:
str: User ID if email domain is valid
Raises:
HTTPException: 403 if email domain is not @openhands.dev
HTTPException: 401 if user is not authenticated
Example:
@router.post('/endpoint')
async def create_resource(
user_id: str = Depends(get_admin_user_id),
):
# Only admin users can access this endpoint
pass
"""
if not user_id:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail='User not authenticated',
)
user_auth = await get_user_auth(request)
user_email = await user_auth.get_user_email()
if not user_email:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail='User email not available',
)
if not user_email.endswith('@openhands.dev'):
logger.warning(
'Access denied - invalid email domain',
extra={'user_id': user_id, 'email_domain': user_email.split('@')[-1]},
)
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail='Access restricted to @openhands.dev users',
)
return user_id
Reference in New Issue View Git Blame Copy Permalink