feat: AI Gateway Phase 1 - FastAPI 코어 구현

GPU 서버 중앙 AI 라우팅 서비스 초기 구현: - OpenAI 호환 API (/v1/chat/completions, /v1/models, /v1/embeddings) - 모델 레지스트리 + 백엔드 헬스체크 (30초 루프) - Ollama SSE 프록시 (NDJSON → OpenAI SSE 변환) - JWT 인증 이중 경로 (httpOnly 쿠키 + Bearer 토큰) - owner/guest 역할 분리, 로그인 rate limiting - 백엔드별 rate limiting (NanoClaude 대비) - SQLite 스키마 사전 정의 (aiosqlite + WAL) - Docker Compose + Caddy 리버스 프록시 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 13:41:46 +09:00
commit 3794afff95
27 changed files with 1121 additions and 0 deletions
--- a/hub-api/routers/auth.py
+++ b/hub-api/routers/auth.py
@@ -0,0 +1,79 @@
+from fastapi import APIRouter, Request, Response
+from pydantic import BaseModel
+
+from config import settings
+from middleware.auth import (
+    check_login_rate_limit,
+    create_token,
+    record_login_attempt,
+)
+
+router = APIRouter(prefix="/auth", tags=["auth"])
+
+
+class LoginRequest(BaseModel):
+    password: str
+
+
+class LoginResponse(BaseModel):
+    role: str
+    token: str
+
+
+@router.post("/login")
+async def login(body: LoginRequest, request: Request, response: Response):
+    ip = request.client.host if request.client else "unknown"
+
+    if not check_login_rate_limit(ip):
+        return _error_response(429, "Too many login attempts. Try again in 1 minute.")
+
+    record_login_attempt(ip)
+
+    if body.password == settings.owner_password:
+        role = "owner"
+    elif body.password == settings.guest_password:
+        role = "guest"
+    else:
+        return _error_response(401, "Invalid password")
+
+    token = create_token(role)
+
+    # Set httpOnly cookie for web UI
+    response.set_cookie(
+        key="token",
+        value=token,
+        httponly=True,
+        samesite="lax",
+        max_age=settings.jwt_expire_hours * 3600,
+    )
+
+    return LoginResponse(role=role, token=token)
+
+
+@router.get("/me")
+async def me(request: Request):
+    role = getattr(request.state, "role", "anonymous")
+    if role == "anonymous":
+        return _error_response(401, "Not authenticated")
+    return {"role": role}
+
+
+@router.post("/logout")
+async def logout(response: Response):
+    response.delete_cookie("token")
+    return {"ok": True}
+
+
+def _error_response(status_code: int, message: str):
+    from fastapi.responses import JSONResponse
+
+    return JSONResponse(
+        status_code=status_code,
+        content={
+            "error": {
+                "message": message,
+                "type": "auth_error",
+                "code": f"auth_{status_code}",
+            }
+        },
+    )