systemprompt_cli/commands/admin/session/
login.rs1use std::path::Path;
2use std::sync::Arc;
3
4use anyhow::{Context, Result};
5use chrono::Duration as ChronoDuration;
6use clap::Args;
7use serde::{Deserialize, Serialize};
8
9use crate::cli_settings::CliConfig;
10use crate::paths::ResolvedPaths;
11use crate::shared::CommandOutput;
12use systemprompt_agent::repository::context::ContextRepository;
13use systemprompt_cloud::SessionKey;
14use systemprompt_config::{ProfileBootstrap, SecretsBootstrap};
15use systemprompt_database::{Database, DbPool};
16use systemprompt_identifiers::{ContextId, SessionId, SessionToken, UserId};
17use systemprompt_logging::CliService;
18use systemprompt_models::auth::{Permission, RateLimitTier, UserType};
19use systemprompt_models::{Profile, Secrets};
20use systemprompt_security::{SessionGenerator, SessionParams};
21use systemprompt_users::{User, UserRole};
22
23use super::login_helpers::{
24 SessionStoreParams, fetch_admin_user, save_session_to_store, try_use_existing_session,
25};
26use crate::session::api::create_local_session_row;
27
28#[derive(Debug, Args)]
29pub struct LoginArgs {
30 #[arg(
31 long,
32 env = "SYSTEMPROMPT_ADMIN_EMAIL",
33 hide = true,
34 help = "Override email from credentials"
35 )]
36 pub email: Option<String>,
37
38 #[arg(long, default_value = "24", help = "Session duration in hours")]
39 pub duration_hours: i64,
40
41 #[arg(long, help = "Only output the token (for scripting)")]
42 pub token_only: bool,
43
44 #[arg(
45 long,
46 help = "Force creation of a new session even if a valid one exists"
47 )]
48 pub force_new: bool,
49}
50
51#[derive(Debug, Clone, Serialize, Deserialize)]
52pub struct LoginOutput {
53 pub status: String,
54 pub user_id: UserId,
55 pub email: String,
56 pub session_id: SessionId,
57 pub expires_in_hours: i64,
58}
59
60pub async fn execute(args: LoginArgs, _config: &CliConfig) -> Result<CommandOutput> {
61 let profile = ProfileBootstrap::get().context("No profile loaded")?;
62 let profile_path = ProfileBootstrap::get_path().context("Profile path not set")?;
63 let secrets = SecretsBootstrap::get().context("Secrets not initialized")?;
64
65 login_for_profile(profile, profile_path, secrets, &args).await
66}
67
68pub async fn login_for_profile(
69 profile: &Profile,
70 profile_path: &str,
71 secrets: &Secrets,
72 args: &LoginArgs,
73) -> Result<CommandOutput> {
74 let sessions_dir = ResolvedPaths::discover().sessions_dir();
75 let session_key = session_key_for_profile(profile);
76
77 let database_url = secrets.effective_database_url(profile.database.external_db_access);
78
79 let db = Database::new_postgres(database_url)
80 .await
81 .context("Failed to connect to database")?;
82 let db_pool = DbPool::from(Arc::new(db));
83
84 if !args.force_new
85 && let Some(output) =
86 try_use_existing_session(&sessions_dir, &session_key, args, &db_pool).await?
87 {
88 return Ok(output);
89 }
90
91 let admin_name = &profile.system_admin.username;
92 progress(args, &format!("Fetching admin user: {admin_name}"));
93 let admin_user = fetch_admin_user(
94 &db_pool,
95 admin_name,
96 profile.target.is_cloud(),
97 args.email.as_deref(),
98 )
99 .await?;
100
101 progress(args, "Creating session...");
102 let session_id = create_local_session_row(&db_pool, &admin_user.id).await?;
103
104 progress(args, "Creating context...");
105 let context_id =
106 create_cli_context(&db_pool, &admin_user.id, &session_id, profile_path).await?;
107
108 progress(args, "Generating token...");
109 let session_token = generate_session_token(profile, args, &admin_user, &session_id)?;
110
111 save_session_to_store(SessionStoreParams {
112 sessions_dir: &sessions_dir,
113 session_key: &session_key,
114 profile_path,
115 session_token: session_token.clone(),
116 session_id: session_id.clone(),
117 context_id,
118 user_id: admin_user.id.clone(),
119 user_email: &admin_user.email,
120 user_type: UserType::Admin,
121 })?;
122
123 let output = LoginOutput {
124 status: "created".to_owned(),
125 user_id: admin_user.id.clone(),
126 email: admin_user.email.clone(),
127 session_id,
128 expires_in_hours: args.duration_hours,
129 };
130
131 if args.token_only {
132 CliService::output(session_token.as_str());
133 return Ok(CommandOutput::card_value("Admin Session", &output).with_skip_render());
134 }
135
136 CliService::success(&format!(
137 "Session saved to {}/index.json",
138 sessions_dir.display()
139 ));
140 Ok(CommandOutput::card_value("Admin Session", &output))
141}
142
143fn progress(args: &LoginArgs, message: &str) {
144 if !args.token_only {
145 CliService::info(message);
146 }
147}
148
149async fn create_cli_context(
150 db_pool: &DbPool,
151 user_id: &UserId,
152 session_id: &SessionId,
153 profile_path: &str,
154) -> Result<ContextId> {
155 let profile_name = Path::new(profile_path)
156 .parent()
157 .and_then(|d| d.file_name())
158 .and_then(|n| n.to_str())
159 .unwrap_or("unknown");
160
161 let context_repo = ContextRepository::new(db_pool)?;
162 context_repo
163 .create_context(
164 user_id,
165 Some(session_id),
166 &format!("CLI Session - {}", profile_name),
167 )
168 .await
169 .context("Failed to create CLI context")
170}
171
172fn generate_session_token(
173 profile: &Profile,
174 args: &LoginArgs,
175 admin_user: &User,
176 session_id: &SessionId,
177) -> Result<SessionToken> {
178 let session_generator = SessionGenerator::new(&profile.security.issuer);
179 session_generator
180 .generate(&SessionParams {
181 user_id: &admin_user.id,
182 session_id,
183 email: &admin_user.email,
184 duration: ChronoDuration::hours(args.duration_hours),
185 user_type: UserType::Admin,
186 permissions: vec![Permission::Admin],
187 roles: vec![UserRole::Admin.as_str().to_owned()],
188 attributes: std::collections::BTreeMap::new(),
189 rate_limit_tier: RateLimitTier::Admin,
190 })
191 .context("Failed to generate session token")
192}
193
194fn session_key_for_profile(profile: &Profile) -> SessionKey {
195 if profile.target.is_local() {
196 SessionKey::Local
197 } else {
198 let tenant_id = profile.cloud.as_ref().and_then(|c| c.tenant_id.as_ref());
199 SessionKey::from_tenant_id(tenant_id)
200 }
201}