systemprompt_cli/commands/admin/session/
login.rs1use std::path::Path;
7use std::sync::Arc;
8
9use anyhow::{Context, Result};
10use chrono::Duration as ChronoDuration;
11use clap::Args;
12use serde::{Deserialize, Serialize};
13
14use crate::cli_settings::CliConfig;
15use crate::paths::ResolvedPaths;
16use crate::shared::CommandOutput;
17use systemprompt_agent::repository::context::ContextRepository;
18use systemprompt_cloud::SessionKey;
19use systemprompt_config::{ProfileBootstrap, SecretsBootstrap};
20use systemprompt_database::{Database, DbPool};
21use systemprompt_identifiers::{ContextId, SessionId, SessionToken, UserId};
22use systemprompt_logging::CliService;
23use systemprompt_models::auth::{Permission, RateLimitTier, UserType};
24use systemprompt_models::{Profile, Secrets};
25use systemprompt_security::{SessionGenerator, SessionParams};
26use systemprompt_users::{User, UserRole};
27
28use super::login_helpers::{
29 SessionStoreParams, fetch_admin_user, save_session_to_store, try_use_existing_session,
30};
31use crate::session::api::create_local_session_row;
32
33#[derive(Debug, Args)]
34pub struct LoginArgs {
35 #[arg(
36 long,
37 env = "SYSTEMPROMPT_ADMIN_EMAIL",
38 hide = true,
39 help = "Override email from credentials"
40 )]
41 pub email: Option<String>,
42
43 #[arg(long, default_value = "24", help = "Session duration in hours")]
44 pub duration_hours: i64,
45
46 #[arg(long, help = "Only output the token (for scripting)")]
47 pub token_only: bool,
48
49 #[arg(
50 long,
51 help = "Force creation of a new session even if a valid one exists"
52 )]
53 pub force_new: bool,
54}
55
56#[derive(Debug, Clone, Serialize, Deserialize)]
57pub struct LoginOutput {
58 pub status: String,
59 pub user_id: UserId,
60 pub email: String,
61 pub session_id: SessionId,
62 pub expires_in_hours: i64,
63}
64
65pub async fn execute(args: LoginArgs, _config: &CliConfig) -> Result<CommandOutput> {
66 let profile = ProfileBootstrap::get().context("No profile loaded")?;
67 let profile_path = ProfileBootstrap::get_path().context("Profile path not set")?;
68 let secrets = SecretsBootstrap::get().context("Secrets not initialized")?;
69
70 login_for_profile(profile, profile_path, secrets, &args).await
71}
72
73pub async fn login_for_profile(
74 profile: &Profile,
75 profile_path: &str,
76 secrets: &Secrets,
77 args: &LoginArgs,
78) -> Result<CommandOutput> {
79 let sessions_dir = ResolvedPaths::discover().sessions_dir();
80 let session_key = session_key_for_profile(profile);
81
82 let database_url = secrets.effective_database_url(profile.database.external_db_access);
83
84 let db = Database::new_postgres(database_url)
85 .await
86 .context("Failed to connect to database")?;
87 let db_pool = DbPool::from(Arc::new(db));
88
89 if !args.force_new
90 && let Some(output) =
91 try_use_existing_session(&sessions_dir, &session_key, args, &db_pool).await?
92 {
93 return Ok(output);
94 }
95
96 let admin_name = &profile.system_admin.username;
97 progress(args, &format!("Fetching admin user: {admin_name}"));
98 let admin_user = fetch_admin_user(
99 &db_pool,
100 admin_name,
101 profile.target.is_cloud(),
102 args.email.as_deref(),
103 )
104 .await?;
105
106 progress(args, "Creating session...");
107 let session_id = create_local_session_row(&db_pool, &admin_user.id).await?;
108
109 progress(args, "Creating context...");
110 let context_id =
111 create_cli_context(&db_pool, &admin_user.id, &session_id, profile_path).await?;
112
113 progress(args, "Generating token...");
114 let session_token = generate_session_token(profile, args, &admin_user, &session_id)?;
115
116 save_session_to_store(SessionStoreParams {
117 sessions_dir: &sessions_dir,
118 session_key: &session_key,
119 profile_path,
120 session_token: session_token.clone(),
121 session_id: session_id.clone(),
122 context_id,
123 user_id: admin_user.id.clone(),
124 user_email: &admin_user.email,
125 user_type: UserType::Admin,
126 })?;
127
128 let output = LoginOutput {
129 status: "created".to_owned(),
130 user_id: admin_user.id.clone(),
131 email: admin_user.email.clone(),
132 session_id,
133 expires_in_hours: args.duration_hours,
134 };
135
136 if args.token_only {
137 CliService::output(session_token.as_str());
138 return Ok(CommandOutput::card_value("Admin Session", &output).with_skip_render());
139 }
140
141 CliService::success(&format!(
142 "Session saved to {}/index.json",
143 sessions_dir.display()
144 ));
145 Ok(CommandOutput::card_value("Admin Session", &output))
146}
147
148fn progress(args: &LoginArgs, message: &str) {
149 if !args.token_only {
150 CliService::info(message);
151 }
152}
153
154async fn create_cli_context(
155 db_pool: &DbPool,
156 user_id: &UserId,
157 session_id: &SessionId,
158 profile_path: &str,
159) -> Result<ContextId> {
160 let profile_name = Path::new(profile_path)
161 .parent()
162 .and_then(|d| d.file_name())
163 .and_then(|n| n.to_str())
164 .unwrap_or("unknown");
165
166 let context_repo = ContextRepository::new(db_pool)?;
167 context_repo
168 .get_or_create_cli_context(
169 user_id,
170 session_id,
171 &format!("CLI Session - {}", profile_name),
172 )
173 .await
174 .context("Failed to create CLI context")
175}
176
177fn generate_session_token(
178 profile: &Profile,
179 args: &LoginArgs,
180 admin_user: &User,
181 session_id: &SessionId,
182) -> Result<SessionToken> {
183 let session_generator = SessionGenerator::new(&profile.security.issuer);
184 session_generator
185 .generate(&SessionParams {
186 user_id: &admin_user.id,
187 session_id,
188 email: &admin_user.email,
189 duration: ChronoDuration::hours(args.duration_hours),
190 user_type: UserType::Admin,
191 permissions: vec![Permission::Admin],
192 roles: vec![UserRole::Admin.as_str().to_owned()],
193 attributes: std::collections::BTreeMap::new(),
194 rate_limit_tier: RateLimitTier::Admin,
195 })
196 .context("Failed to generate session token")
197}
198
199fn session_key_for_profile(profile: &Profile) -> SessionKey {
200 if profile.target.is_local() {
201 SessionKey::Local
202 } else {
203 let tenant_id = profile.cloud.as_ref().and_then(|c| c.tenant_id.as_ref());
204 SessionKey::from_tenant_id(tenant_id)
205 }
206}