replace duckdb-ui with ttyd shell: add /query HTTP endpoint, fix utf-8/locale, region config

- swap DuckDB UI for ttyd web terminal (--writable, -readonly db) - add POST /query endpoint with X-Password auth for curl-based SQL execution - fix UTF-8 rendering: set LANG/LC_ALL=C.UTF-8 in container - pass BUCKET_REGION env var for correct S3 signing region - simplify start.sh: drop Xvfb, views.duckdb generation, blocking duckdb -ui - add less, ncurses-bin to Dockerfile for proper pager/terminal support - update Caddyfile: single route to ttyd with flush_interval -1 for websocket - update README to reflect current architecture and document /query usage - remove duckdb-ui.service, schemas.json, file_tree.md (generated artifacts)
2026-03-26 11:54:46 +01:00
parent cd94603fac
commit 41e7f7a972
12 changed files with 251 additions and 148583 deletions
--- a/auth.py
+++ b/auth.py
@@ -0,0 +1,96 @@
+#!/usr/bin/env python3
+"""Minimal cookie-session auth gate for DuckDB shell."""
+import hmac, hashlib, os, secrets, subprocess, time
+from http.server import HTTPServer, BaseHTTPRequestHandler
+from urllib.parse import parse_qs
+
+PASSWORD = os.environ.get('BASIC_AUTH_PASSWORD', '').encode()
+_SECRET  = secrets.token_bytes(32)
+
+def _make_token():
+    day = str(int(time.time()) // 86400)
+    return hmac.new(_SECRET, day.encode(), hashlib.sha256).hexdigest()
+
+def _valid(token):
+    if not token:
+        return False
+    for delta in (0, 1):
+        day = str(int(time.time()) // 86400 - delta)
+        expected = hmac.new(_SECRET, day.encode(), hashlib.sha256).hexdigest()
+        if hmac.compare_digest(token, expected):
+            return True
+    return False
+
+LOGIN_HTML = """<!DOCTYPE html>
+<html><head><title>DB Shell</title><style>
+body{display:flex;justify-content:center;align-items:center;min-height:100vh;margin:0;background:#0f1117;font-family:sans-serif}
+form{background:#1a1d27;padding:2rem;border-radius:8px;display:flex;flex-direction:column;gap:1rem;min-width:280px}
+h2{color:#fff;margin:0}
+input{padding:.6rem;border-radius:4px;border:1px solid #333;background:#0f1117;color:#fff;font-size:1rem}
+button{padding:.6rem;border-radius:4px;border:none;background:#f4c543;color:#000;font-size:1rem;cursor:pointer;font-weight:600}
+</style></head>
+<body><form method="POST" action="/login">
+  <h2>DB Shell</h2>
+  <input type="password" name="password" placeholder="Password" autofocus>
+  <button type="submit">Enter</button>
+</form></body></html>""".encode()
+
+class H(BaseHTTPRequestHandler):
+    def _cookie(self):
+        for part in self.headers.get('Cookie', '').split(';'):
+            part = part.strip()
+            if part.startswith('ddb_auth='):
+                return part[9:]
+        return ''
+
+    def do_GET(self):
+        if self.path == '/auth':
+            if _valid(self._cookie()):
+                self._resp(200)
+            else:
+                self.send_response(302)
+                self.send_header('Location', '/login')
+                self.end_headers()
+        else:
+            self._resp(200, LOGIN_HTML, 'text/html; charset=utf-8')
+
+    def do_POST(self):
+        if self.path == '/query':
+            pwd = self.headers.get('X-Password', '').encode()
+            if not hmac.compare_digest(pwd, PASSWORD):
+                self._resp(401, b'Unauthorized\n')
+                return
+            sql = self.rfile.read(int(self.headers.get('Content-Length', 0))).decode(errors='replace')
+            try:
+                r = subprocess.run(
+                    ['duckdb', '-readonly', '--init', '/app/ssh_init.sql', '/app/basedosdados.duckdb'],
+                    input=sql, capture_output=True, text=True, timeout=120
+                )
+                out = (r.stdout + r.stderr).encode()
+            except subprocess.TimeoutExpired:
+                out = b'timeout\n'
+            self._resp(200, out, 'text/plain; charset=utf-8')
+            return
+        body = self.rfile.read(int(self.headers.get('Content-Length', 0))).decode(errors='replace')
+        pwd  = parse_qs(body).get('password', [''])[0].encode()
+        if hmac.compare_digest(pwd, PASSWORD):
+            self.send_response(302)
+            self.send_header('Set-Cookie', f'ddb_auth={_make_token()}; Path=/; HttpOnly; SameSite=Strict')
+            self.send_header('Location', '/')
+            self.end_headers()
+        else:
+            self._resp(200, LOGIN_HTML, 'text/html; charset=utf-8')
+
+    def _resp(self, code, body=b'', ct='text/plain'):
+        self.send_response(code)
+        if body:
+            self.send_header('Content-Type', ct)
+            self.send_header('Content-Length', str(len(body)))
+        self.end_headers()
+        if body:
+            self.wfile.write(body)
+
+    def log_message(self, *_):
+        pass
+
+HTTPServer(('127.0.0.1', 8081), H).serve_forever()