Skip to main content

systemprompt_cli/commands/admin/session/
login.rs

1use std::path::Path;
2use std::sync::Arc;
3
4use anyhow::{Context, Result};
5use chrono::Duration as ChronoDuration;
6use clap::Args;
7use serde::{Deserialize, Serialize};
8
9use crate::cli_settings::CliConfig;
10use crate::paths::ResolvedPaths;
11use crate::shared::CommandOutput;
12use systemprompt_agent::repository::context::ContextRepository;
13use systemprompt_cloud::SessionKey;
14use systemprompt_config::{ProfileBootstrap, SecretsBootstrap};
15use systemprompt_database::{Database, DbPool};
16use systemprompt_identifiers::{ContextId, SessionId, SessionToken, UserId};
17use systemprompt_logging::CliService;
18use systemprompt_models::auth::{Permission, RateLimitTier, UserType};
19use systemprompt_models::{Profile, Secrets};
20use systemprompt_security::{SessionGenerator, SessionParams};
21use systemprompt_users::{User, UserRole};
22
23use super::login_helpers::{
24    SessionStoreParams, fetch_admin_user, save_session_to_store, try_use_existing_session,
25};
26use crate::session::api::create_local_session_row;
27
28#[derive(Debug, Args)]
29pub struct LoginArgs {
30    #[arg(
31        long,
32        env = "SYSTEMPROMPT_ADMIN_EMAIL",
33        hide = true,
34        help = "Override email from credentials"
35    )]
36    pub email: Option<String>,
37
38    #[arg(long, default_value = "24", help = "Session duration in hours")]
39    pub duration_hours: i64,
40
41    #[arg(long, help = "Only output the token (for scripting)")]
42    pub token_only: bool,
43
44    #[arg(
45        long,
46        help = "Force creation of a new session even if a valid one exists"
47    )]
48    pub force_new: bool,
49}
50
51#[derive(Debug, Clone, Serialize, Deserialize)]
52pub struct LoginOutput {
53    pub status: String,
54    pub user_id: UserId,
55    pub email: String,
56    pub session_id: SessionId,
57    pub expires_in_hours: i64,
58}
59
60pub async fn execute(args: LoginArgs, _config: &CliConfig) -> Result<CommandOutput> {
61    let profile = ProfileBootstrap::get().context("No profile loaded")?;
62    let profile_path = ProfileBootstrap::get_path().context("Profile path not set")?;
63    let secrets = SecretsBootstrap::get().context("Secrets not initialized")?;
64
65    login_for_profile(profile, profile_path, secrets, &args).await
66}
67
68pub async fn login_for_profile(
69    profile: &Profile,
70    profile_path: &str,
71    secrets: &Secrets,
72    args: &LoginArgs,
73) -> Result<CommandOutput> {
74    let sessions_dir = ResolvedPaths::discover().sessions_dir();
75    let session_key = session_key_for_profile(profile);
76
77    let database_url = secrets.effective_database_url(profile.database.external_db_access);
78
79    let db = Database::new_postgres(database_url)
80        .await
81        .context("Failed to connect to database")?;
82    let db_pool = DbPool::from(Arc::new(db));
83
84    if !args.force_new
85        && let Some(output) =
86            try_use_existing_session(&sessions_dir, &session_key, args, &db_pool).await?
87    {
88        return Ok(output);
89    }
90
91    let admin_name = &profile.system_admin.username;
92    progress(args, &format!("Fetching admin user: {admin_name}"));
93    let admin_user = fetch_admin_user(
94        &db_pool,
95        admin_name,
96        profile.target.is_cloud(),
97        args.email.as_deref(),
98    )
99    .await?;
100
101    progress(args, "Creating session...");
102    let session_id = create_local_session_row(&db_pool, &admin_user.id).await?;
103
104    progress(args, "Creating context...");
105    let context_id =
106        create_cli_context(&db_pool, &admin_user.id, &session_id, profile_path).await?;
107
108    progress(args, "Generating token...");
109    let session_token = generate_session_token(profile, args, &admin_user, &session_id)?;
110
111    save_session_to_store(SessionStoreParams {
112        sessions_dir: &sessions_dir,
113        session_key: &session_key,
114        profile_path,
115        session_token: session_token.clone(),
116        session_id: session_id.clone(),
117        context_id,
118        user_id: admin_user.id.clone(),
119        user_email: &admin_user.email,
120        user_type: UserType::Admin,
121    })?;
122
123    let output = LoginOutput {
124        status: "created".to_owned(),
125        user_id: admin_user.id.clone(),
126        email: admin_user.email.clone(),
127        session_id,
128        expires_in_hours: args.duration_hours,
129    };
130
131    if args.token_only {
132        CliService::output(session_token.as_str());
133        return Ok(CommandOutput::card_value("Admin Session", &output).with_skip_render());
134    }
135
136    CliService::success(&format!(
137        "Session saved to {}/index.json",
138        sessions_dir.display()
139    ));
140    Ok(CommandOutput::card_value("Admin Session", &output))
141}
142
143fn progress(args: &LoginArgs, message: &str) {
144    if !args.token_only {
145        CliService::info(message);
146    }
147}
148
149async fn create_cli_context(
150    db_pool: &DbPool,
151    user_id: &UserId,
152    session_id: &SessionId,
153    profile_path: &str,
154) -> Result<ContextId> {
155    let profile_name = Path::new(profile_path)
156        .parent()
157        .and_then(|d| d.file_name())
158        .and_then(|n| n.to_str())
159        .unwrap_or("unknown");
160
161    let context_repo = ContextRepository::new(db_pool)?;
162    context_repo
163        .create_context(
164            user_id,
165            Some(session_id),
166            &format!("CLI Session - {}", profile_name),
167        )
168        .await
169        .context("Failed to create CLI context")
170}
171
172fn generate_session_token(
173    profile: &Profile,
174    args: &LoginArgs,
175    admin_user: &User,
176    session_id: &SessionId,
177) -> Result<SessionToken> {
178    let session_generator = SessionGenerator::new(&profile.security.issuer);
179    session_generator
180        .generate(&SessionParams {
181            user_id: &admin_user.id,
182            session_id,
183            email: &admin_user.email,
184            duration: ChronoDuration::hours(args.duration_hours),
185            user_type: UserType::Admin,
186            permissions: vec![Permission::Admin],
187            roles: vec![UserRole::Admin.as_str().to_owned()],
188            attributes: std::collections::BTreeMap::new(),
189            rate_limit_tier: RateLimitTier::Admin,
190        })
191        .context("Failed to generate session token")
192}
193
194fn session_key_for_profile(profile: &Profile) -> SessionKey {
195    if profile.target.is_local() {
196        SessionKey::Local
197    } else {
198        let tenant_id = profile.cloud.as_ref().and_then(|c| c.tenant_id.as_ref());
199        SessionKey::from_tenant_id(tenant_id)
200    }
201}