More samples repo into app (#163)

Author: mariusandra

backend/app/api/frames.py

@@ -1,7 +1,7 @@
 from __future__ import annotations
 
 # stdlib ---------------------------------------------------------------------
-from datetime import datetime, timedelta
+from datetime import datetime
 from http import HTTPStatus
 import aiofiles
 import asyncssh
@@ -19,7 +19,6 @@
 
 # third-party ---------------------------------------------------------------
 import httpx
-from jose import JWTError, jwt
 from fastapi import Depends, File, Form, Request, HTTPException, UploadFile, Header
 from fastapi.responses import Response, StreamingResponse
 from sqlalchemy.orm import Session
@@ -48,7 +47,7 @@
     FrameCreateRequest,
     FrameUpdateRequest,
 )
-from app.api.auth import ALGORITHM, SECRET_KEY, get_current_user
+from app.api.auth import get_current_user
 from app.config import config
 from app.utils.network import is_safe_host
 from app.utils.remote_exec import (
@@ -73,6 +72,7 @@
 from app.models.assets import copy_custom_fonts_to_local_source_folder
 from app.models.settings import get_settings_dict
 from app.utils.local_exec import exec_local_command
+from app.utils.jwt_tokens import create_scoped_token_response, validate_scoped_token
 from . import api_with_auth, api_no_auth
 
 
@@ -538,12 +538,7 @@ async def api_frame_get_asset(
             except HTTPException:
                 raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED, detail="Unauthorized")
         elif token:
-            try:
-                payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
-                if payload.get("sub") != f"frame={id}":
-                    raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED, detail="Unauthorized")
-            except JWTError:
-                raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED, detail="Unauthorized")
+            validate_scoped_token(token, expected_subject=f"frame={id}")
         else:
             raise HTTPException(status_code=HTTPStatus.UNAUTHORIZED, detail="Unauthorized")
 
@@ -674,12 +669,7 @@ async def api_frame_get_logs(id: int, db: Session = Depends(get_db)):
     "/frames/{id:int}/image_token", response_model=FrameImageLinkResponse
 )
 async def get_image_token(id: int):
-    expire_minutes = 5
-    now = datetime.utcnow()
-    expire = now + timedelta(minutes=expire_minutes)
-    to_encode = {"sub": f"frame={id}", "exp": expire}
-    token = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
-    return {"token": token, "expires_in": int((expire - now).total_seconds())}
+    return create_scoped_token_response(f"frame={id}")
 
 
 @api_no_auth.get("/frames/{id:int}/image")
@@ -691,12 +681,7 @@ async def api_frame_get_image(
     redis: Redis = Depends(get_redis),
 ):
     if config.HASSIO_RUN_MODE != "ingress":
-        try:
-            payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
-            if payload.get("sub") != f"frame={id}":
-                raise HTTPException(status_code=401, detail="Unauthorized")
-        except JWTError:
-            raise HTTPException(status_code=401, detail="Unauthorized")
+        validate_scoped_token(token, expected_subject=f"frame={id}")
 
     frame = db.get(Frame, id)
     if frame is None:

backend/app/api/repositories.py

@@ -1,8 +1,11 @@
 import logging
 import asyncio
+import json
 from datetime import datetime, timedelta
 from http import HTTPStatus
+from pathlib import Path
 from fastapi import Depends, HTTPException
+from fastapi.responses import FileResponse
 from sqlalchemy.exc import SQLAlchemyError
 from sqlalchemy.orm import Session
 from urllib.parse import urlparse
@@ -15,13 +18,85 @@
     RepositoryCreateRequest,
     RepositoryUpdateRequest,
     RepositoryResponse,
-    RepositoriesListResponse
+    RepositoriesListResponse,
+    RepositoryImageTokenResponse,
 )
-from . import api_with_auth
+from app.config import config
+from app.utils.jwt_tokens import create_scoped_token_response, validate_scoped_token
+from . import api_with_auth, api_no_auth
 
 FRAMEOS_SAMPLES_URL = "https://repo.frameos.net/samples/repository.json"
 FRAMEOS_GALLERY_URL = "https://repo.frameos.net/gallery/repository.json"
 
+SYSTEM_REPOSITORIES_PATH = Path(__file__).resolve().parents[3] / "repo" / "scenes"
+
+
+def _system_template_subject(repository_slug: str, template_slug: str) -> str:
+    return f"system-template={repository_slug}/{template_slug}"
+
+
+def _load_template_definition(repository_slug: str, template_dir: Path):
+    template_path = template_dir / "template.json"
+    if not template_path.is_file():
+        return None
+
+    with template_path.open("r", encoding="utf-8") as template_file:
+        template_data = json.load(template_file)
+
+    image_path = template_data.get("image")
+    if image_path:
+        template_data["image"] = f"/api/repositories/system/{repository_slug}/templates/{template_dir.name}/image"
+
+    scenes_reference = template_data.get("scenes")
+    if isinstance(scenes_reference, str):
+        scenes_path = _resolve_template_resource(template_dir, scenes_reference)
+        if scenes_path and scenes_path.is_file():
+            with scenes_path.open("r", encoding="utf-8") as scenes_file:
+                template_data["scenes"] = json.load(scenes_file)
+        else:
+            template_data["scenes"] = []
+
+    return template_data
+
+
+def _resolve_template_resource(base_dir: Path, resource_path: str) -> Path | None:
+    if not resource_path:
+        return None
+
+    relative_path = resource_path[2:] if resource_path.startswith("./") else resource_path
+    candidate_path = (base_dir / relative_path).resolve()
+
+    try:
+        candidate_path.relative_to(base_dir.resolve())
+    except ValueError:
+        return None
+
+    return candidate_path
+
+
+def _load_system_repository(repository_dir: Path):
+    repository_slug = repository_dir.name
+    repository_metadata_path = repository_dir / "repository.json"
+    metadata: dict[str, str | None] = {}
+    if repository_metadata_path.is_file():
+        with repository_metadata_path.open("r", encoding="utf-8") as repository_file:
+            metadata = json.load(repository_file)
+
+    templates = []
+    for template_dir in sorted(path for path in repository_dir.iterdir() if path.is_dir()):
+        template_definition = _load_template_definition(repository_slug, template_dir)
+        if template_definition:
+            templates.append(template_definition)
+
+    return {
+        "id": f"system-{repository_slug}",
+        "name": metadata.get("name") or repository_slug.title(),
+        "description": metadata.get("description"),
+        "url": f"/api/repositories/system/{repository_slug}/repository.json",
+        "last_updated_at": None,
+        "templates": templates,
+    }
+
 
 @api_with_auth.post("/repositories", response_model=RepositoryResponse, status_code=201)
 async def create_repository(data: RepositoryCreateRequest, db: Session = Depends(get_db)):
@@ -44,32 +119,102 @@ async def create_repository(data: RepositoryCreateRequest, db: Session = Depends
         logging.error(f'Database error: {e}')
         raise HTTPException(status_code=500, detail="Database error")
 
+@api_with_auth.get("/repositories/system", response_model=RepositoriesListResponse)
+async def get_system_repositories(db: Session = Depends(get_db)):
+    if not SYSTEM_REPOSITORIES_PATH.exists():
+        return []
+
+    repositories = []
+    paths = [path for path in SYSTEM_REPOSITORIES_PATH.iterdir() if path.is_dir()]
+    for repository_dir in paths:
+        repositories.append(_load_system_repository(repository_dir))
+
+    # Sort order: samples first, then gallery, then everything else alphabetically
+    def sort_key(repo):
+        if repo.get('id') == "system-samples":
+            return (0, "")
+        elif repo.get('id') == "system-gallery":
+            return (1, "")
+        return (2, repo.get('id') or "")
+
+    repositories.sort(key=sort_key)
+
+    return repositories
+
+
+@api_with_auth.get(
+    "/repositories/system/{repository_slug}/templates/{template_slug}/image_token",
+    response_model=RepositoryImageTokenResponse,
+)
+async def get_system_repository_image_token(repository_slug: str, template_slug: str):
+    return create_scoped_token_response(
+        _system_template_subject(repository_slug, template_slug)
+    )
+
+
+@api_no_auth.get("/repositories/system/{repository_slug}/templates/{template_slug}/image")
+async def get_system_repository_image(repository_slug: str, template_slug: str, token: str):
+    if config.HASSIO_RUN_MODE != 'ingress':
+        validate_scoped_token(
+            token,
+            expected_subject=_system_template_subject(repository_slug, template_slug),
+        )
+
+    repository_path = SYSTEM_REPOSITORIES_PATH / repository_slug
+    if not repository_path.is_dir():
+        raise HTTPException(status_code=404, detail="Repository not found")
+
+    template_path = repository_path / template_slug
+    if not template_path.is_dir():
+        raise HTTPException(status_code=404, detail="Template not found")
+
+    template_definition_path = template_path / "template.json"
+    if not template_definition_path.is_file():
+        raise HTTPException(status_code=404, detail="Template not found")
+
+    with template_definition_path.open("r", encoding="utf-8") as template_file:
+        template_data = json.load(template_file)
+
+    image_reference = template_data.get("image")
+    if not isinstance(image_reference, str) or not image_reference:
+        raise HTTPException(status_code=404, detail="Template image not found")
+
+    image_path = _resolve_template_resource(template_path, image_reference)
+    if not image_path or not image_path.is_file():
+        raise HTTPException(status_code=404, detail="Template image not found")
+
+    return FileResponse(image_path)
+
 @api_with_auth.get("/repositories", response_model=RepositoriesListResponse)
 async def get_repositories(db: Session = Depends(get_db)):
     try:
-        # Remove old repo if it exists
-        if db.query(Settings).filter_by(key="@system/repository_init_done").first():
-            old_url = "https://repo.frameos.net/versions/0/templates.json"
-            repository = db.query(Repository).filter_by(url=old_url).first()
-            if repository:
-                db.delete(repository)
-            db.delete(db.query(Settings).filter_by(key="@system/repository_init_done").first())
-            db.commit()
+        if db.query(Settings).filter_by(key="@system/repository_global_cleanup").first():
+            # We're good here. No need to do all the checks
+            pass
+        else:
+            # Remove old repo if it exists
+            if db.query(Settings).filter_by(key="@system/repository_init_done").first():
+                old_url = "https://repo.frameos.net/versions/0/templates.json"
+                repository = db.query(Repository).filter_by(url=old_url).first()
+                if repository:
+                    db.delete(repository)
+                db.delete(db.query(Settings).filter_by(key="@system/repository_init_done").first())
+                db.commit()
 
-        # Create samples repo if not done
-        if not db.query(Settings).filter_by(key="@system/repository_samples_done").first():
-            repository = Repository(name="", url=FRAMEOS_SAMPLES_URL)
-            await repository.update_templates()
-            db.add(repository)
-            db.add(Settings(key="@system/repository_samples_done", value="true"))
-            db.commit()
+            # delete old gallery/samples repos
+            if db.query(Settings).filter_by(key="@system/repository_samples_done").first():
+                repository = db.query(Repository).filter_by(url=FRAMEOS_SAMPLES_URL).first()
+                if repository:
+                    db.delete(repository)
+                db.delete(db.query(Settings).filter_by(key="@system/repository_samples_done").first())
+
+            if db.query(Settings).filter_by(key="@system/repository_gallery_done").first():
+                repository = db.query(Repository).filter_by(url=FRAMEOS_GALLERY_URL).first()
+                if repository:
+                    db.delete(repository)
+                db.delete(db.query(Settings).filter_by(key="@system/repository_gallery_done").first())
 
-        # Create gallery repo if not done
-        if not db.query(Settings).filter_by(key="@system/repository_gallery_done").first():
-            repository = Repository(name="", url=FRAMEOS_GALLERY_URL)
-            await repository.update_templates()
-            db.add(repository)
-            db.add(Settings(key="@system/repository_gallery_done", value="true"))
+            db.add(Settings(key="@system/repository_global_cleanup", value="true"))
             db.commit()
 
         repositories = db.query(Repository).all()

backend/app/api/scene_images.py

@@ -1,17 +1,15 @@
 import io
-from jose import JWTError, jwt
 
 from fastapi import Depends, HTTPException, Request
 from fastapi.responses import StreamingResponse
 from PIL import Image, ImageDraw, ImageFont
 from sqlalchemy.orm import Session
-from app.api.auth import ALGORITHM, SECRET_KEY
-
 from app.config import config
 from app.database import get_db
 from app.models.scene_image import SceneImage            # created earlier
 from app.models.frame import Frame
 from . import api_no_auth
+from app.utils.jwt_tokens import validate_scoped_token
 
 
 def _generate_placeholder(
@@ -95,12 +93,7 @@ async def get_scene_image(
     """
 
     if config.HASSIO_RUN_MODE != 'ingress':
-        try:
-            payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
-            if payload.get("sub") != f"frame={frame_id}":
-                raise HTTPException(status_code=401, detail="Unauthorized")
-        except JWTError:
-            raise HTTPException(status_code=401, detail="Unauthorized")
+        validate_scoped_token(token, expected_subject=f"frame={frame_id}")
 
 
     img_row: SceneImage | None = (

backend/app/api/templates.py

@@ -3,13 +3,11 @@
 import zipfile
 import json
 import string
-from datetime import datetime, timedelta
 
 import httpx
 from PIL import Image
 from fastapi import Depends, HTTPException, UploadFile, File, Form, Request
 from fastapi.responses import Response, StreamingResponse, JSONResponse
-from jose import jwt, JWTError
 from sqlalchemy.orm import Session
 
 from app.database import get_db
@@ -24,9 +22,9 @@
     CreateTemplateRequest,
     UpdateTemplateRequest,
 )
-from app.api.auth import SECRET_KEY, ALGORITHM
 from app.api import api_with_auth, api_no_auth
 from app.redis import get_redis
+from app.utils.jwt_tokens import create_scoped_token_response, validate_scoped_token
 
 
 def respond_with_template(template: Template):
@@ -241,28 +239,13 @@ async def get_template(template_id: str, db: Session = Depends(get_db)):
 
 @api_with_auth.get("/templates/{template_id}/image_token", response_model=TemplateImageTokenResponse)
 async def get_image_token(template_id: str):
-    expire_minutes = 5
-    now = datetime.utcnow()
-    expire = now + timedelta(minutes=expire_minutes)
-    to_encode = {"sub": f"template={template_id}", "exp": expire}
-    token = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
-    expires_in = int((expire - now).total_seconds())
-
-    return {
-        "token": token,
-        "expires_in": expires_in
-    }
+    return create_scoped_token_response(f"template={template_id}")
 
 @api_no_auth.get("/templates/{template_id}/image")
 async def get_template_image(template_id: str, token: str, request: Request, db: Session = Depends(get_db)):
     if config.HASSIO_RUN_MODE != 'ingress':
         # All modes except ingress require a token in the url
-        try:
-            payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
-            if payload.get("sub") != f"template={template_id}":
-                raise HTTPException(status_code=401, detail="Unauthorized")
-        except JWTError:
-            raise HTTPException(status_code=401, detail="Unauthorized")
+        validate_scoped_token(token, expected_subject=f"template={template_id}")
 
     template = db.get(Template, template_id)
     if not template or not template.image:

backend/app/schemas/common.py

@@ -0,0 +1,7 @@
+from pydantic import BaseModel
+
+
+class ImageTokenResponse(BaseModel):
+    token: str
+    expires_in: int
+