feat: add text, dev, and web tool APIs with OAuth, email verification, and security hardening

Add new v1 API routers for text-tools (slugify, case conversion, lorem ipsum,
markdown), dev-tools (UUID, password, hash, base64, JSON, JWT), and web-tools
(metadata extraction, URL validation, URL shortener) with SSRF protection.

Introduce GitHub OAuth login flow, email verification system with SMTP support,
account email/password management endpoints, and color palette generation.
Harden security with private IP blocking on web-tools, XSS sanitization on
markdown output, and fix session expiry from 5 seconds to 30 days.

Co-Authored-By: Claude <81847+claude@users.noreply.github.com>

Author: zachlagden

requirements.txt

@@ -58,3 +58,22 @@ watchfiles==1.0.0
 websockets==14.1
 altcha==1.0.0
 sentry-sdk[fastapi]==2.19.2
+
+# SMTP
+aiosmtplib==3.0.1
+
+# Image Tools
+qrcode[pil]==7.4.2
+blurhash-python==1.2.1
+
+# Text Tools
+python-slugify==8.0.1
+mistune==3.0.2
+
+# Dev Tools
+pyjwt==2.8.0
+uuid6==2024.1.12
+
+# Web Tools
+beautifulsoup4==4.12.3
+lxml==5.1.0

src/.env.example

@@ -16,3 +16,19 @@ ALTCHA_MAX_NUMBER=100000
 SENTRY_DSN=https://your-key@your-org.ingest.sentry.io/project-id
 SENTRY_TRACES_SAMPLE_RATE=1.0
 SENTRY_PROFILE_SAMPLE_RATE=1.0
+
+# SMTP Configuration
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USERNAME=
+SMTP_PASSWORD=
+SMTP_FROM_EMAIL=noreply@lagden.dev
+SMTP_USE_TLS=true
+
+# GitHub OAuth
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_REDIRECT_URI=https://api.lagden.dev/api/auth/github/callback
+
+# URL Shortener
+SHORT_URL_BASE=https://ldev.click

src/app.py

@@ -32,16 +32,21 @@
 # Now import FastAPI and create app
 from fastapi import FastAPI
 from fastapi.staticfiles import StaticFiles
-from fastapi.responses import JSONResponse
+from fastapi.responses import JSONResponse, RedirectResponse
 
 # Import routers
 from routers import main_router
 from routers.v1 import main_router as v1_main_router
-from routers.v1 import watcher_router as v1_watcher_router
+# Temporarily disabled: from routers.v1 import watcher_router as v1_watcher_router
 from routers.v1 import image_tools_router as v1_image_tools_router
 from routers.v1 import color_tools_router as v1_color_tools_router
-from routers.api import accounts_router, me_router, altcha_router
+from routers.v1 import text_tools_router as v1_text_tools_router
+from routers.v1 import dev_tools_router as v1_dev_tools_router
+from routers.v1 import web_tools_router as v1_web_tools_router
+from routers.api import accounts_router, me_router, altcha_router, auth_router
 from helpers.altcha import setup_altcha_indexes
+from helpers.oauth import OAuthHelper
+from db import short_urls
 
 # Configure logging based on environment
 log_level = logging.DEBUG if os.getenv("ENVIRONMENT", "production").lower() == "development" else logging.INFO
@@ -58,14 +63,15 @@
 app = FastAPI(
     title="api.lagden.dev",
     description="The lagden.dev API used for our services and tools.",
-    version="2.0.0beta",
+    version="2.0.0",
 )
 
 
 @app.on_event("startup")
 async def startup_event():
     """Initialize application on startup."""
     setup_altcha_indexes()
+    OAuthHelper.setup_oauth_indexes()
     logger.info("Application started successfully")
 
 
@@ -86,14 +92,33 @@ async def health_check():
 
 # Include API routers
 app.include_router(v1_main_router.router, prefix="/v1")
-app.include_router(v1_watcher_router.router, prefix="/v1/watcher")
+# Temporarily disabled: app.include_router(v1_watcher_router.router, prefix="/v1/watcher")
 app.include_router(v1_image_tools_router.router, prefix="/v1/image-tools")
 app.include_router(v1_color_tools_router.router, prefix="/v1/color-tools")
+app.include_router(v1_text_tools_router.router, prefix="/v1/text-tools")
+app.include_router(v1_dev_tools_router.router, prefix="/v1/dev-tools")
+app.include_router(v1_web_tools_router.router, prefix="/v1/web-tools")
 
 # Include the internal API routers
 app.include_router(accounts_router.router, prefix="/api/accounts")
 app.include_router(me_router.router, prefix="/api/me")
 app.include_router(altcha_router.router, prefix="/api/altcha")
+app.include_router(auth_router.router, prefix="/api/auth")
+
+
+# Short URL redirect endpoint
+@app.get("/s/{code}", include_in_schema=False)
+async def short_url_redirect(code: str):
+    """Redirect short URL to original URL."""
+    short_url_doc = short_urls.find_one({"_id": code})
+    if not short_url_doc:
+        return JSONResponse(status_code=404, content={"error": "Short URL not found"})
+
+    # Increment click counter
+    short_urls.update_one({"_id": code}, {"$inc": {"clicks": 1}})
+
+    return RedirectResponse(url=short_url_doc["url"], status_code=301)
+
 
 # Run the application
 if __name__ == "__main__":

src/db.py

@@ -58,6 +58,9 @@ def create_mongo_client() -> Optional[MongoClient]:
     accounts = api_db["api_accounts"]
     api_logs = api_db["api_logs"]
     api_keys = api_db["api_keys"]
+    email_verifications = api_db["email_verifications"]
+    oauth_states = api_db["oauth_states"]
+    short_urls = api_db["short_urls"]
 else:
     raise RuntimeError("Failed to establish MongoDB connection")
 

src/helpers/accounts.py

@@ -7,19 +7,21 @@
 """
 
 # Python Standard Library Imports
-from datetime import datetime
-from typing import Optional, Dict, Any
+from datetime import datetime, timedelta
+from typing import Optional, Dict, Any, Tuple
 import uuid
+import secrets
 
 # Third-Party Imports
 from fastapi import Response, Request
 from fastapi.exceptions import HTTPException
+import bcrypt
 
 # Helper Imports
 from helpers.fastapi.ip import get_client_ip
 
 # Database Imports
-from db import accounts
+from db import accounts, email_verifications
 
 
 class AccountHelper:
@@ -144,7 +146,7 @@ async def create_session(account_id: str, request: Request) -> Dict[str, Any]:
             "ip": get_client_ip(request),
             "created_at": datetime.now().timestamp(),
             "last_used": datetime.now().timestamp(),
-            "expires_at": datetime.now().timestamp() + 5,  # 86400 * 30,  # 30 days
+            "expires_at": datetime.now().timestamp() + 86400 * 30,  # 30 days
         }
 
         # Create an index to delete expired sessions if it doesn't exist
@@ -177,3 +179,213 @@ async def get_public_account_data(account: Dict[Any, Any]) -> Dict[Any, Any]:
                 session["current"] = False
 
         return public_account
+
+    @staticmethod
+    async def create_verification_token(account_id: str, email: str) -> str:
+        """Create an email verification token"""
+        token = secrets.token_urlsafe(32)
+        expires_at = datetime.now().timestamp() + 86400  # 24 hours
+
+        # Remove any existing verification for this email
+        email_verifications.delete_many({"email": email})
+
+        # Create new verification
+        email_verifications.insert_one({
+            "_id": token,
+            "account_id": account_id,
+            "email": email,
+            "created_at": datetime.now().timestamp(),
+            "expires_at": expires_at,
+        })
+
+        return token
+
+    @staticmethod
+    async def verify_email_token(token: str) -> Tuple[bool, Optional[str], Optional[str]]:
+        """
+        Verify an email token and mark the email as verified.
+
+        Returns:
+            Tuple of (success, account_id, error_message)
+        """
+        verification = email_verifications.find_one({"_id": token})
+
+        if not verification:
+            return False, None, "Invalid or expired verification token"
+
+        if verification["expires_at"] < datetime.now().timestamp():
+            email_verifications.delete_one({"_id": token})
+            return False, None, "Verification token has expired"
+
+        account_id = verification["account_id"]
+        email = verification["email"]
+
+        # Mark email as verified in the account
+        result = accounts.update_one(
+            {"_id": account_id, "emails.address": email},
+            {"$set": {"emails.$.verified": True}}
+        )
+
+        if result.modified_count == 0:
+            return False, None, "Email not found in account"
+
+        # Delete the verification token
+        email_verifications.delete_one({"_id": token})
+
+        return True, account_id, None
+
+    @staticmethod
+    async def set_primary_email(account_id: str, email: str) -> Tuple[bool, Optional[str]]:
+        """
+        Set an email as the primary email for an account.
+        The email must be verified.
+
+        Returns:
+            Tuple of (success, error_message)
+        """
+        account = accounts.find_one({"_id": account_id})
+        if not account:
+            return False, "Account not found"
+
+        # Find the email and check if it's verified
+        email_found = False
+        is_verified = False
+        for e in account["emails"]:
+            if e["address"] == email:
+                email_found = True
+                is_verified = e.get("verified", False)
+                break
+
+        if not email_found:
+            return False, "Email not found in account"
+
+        if not is_verified:
+            return False, "Email must be verified before setting as primary"
+
+        # Remove primary flag from all emails
+        accounts.update_one(
+            {"_id": account_id},
+            {"$set": {"emails.$[].primary": False}}
+        )
+
+        # Set primary flag on the specified email
+        accounts.update_one(
+            {"_id": account_id, "emails.address": email},
+            {"$set": {"emails.$.primary": True}}
+        )
+
+        return True, None
+
+    @staticmethod
+    async def change_password(
+        account_id: str, current_password: str, new_password: str
+    ) -> Tuple[bool, Optional[str]]:
+        """
+        Change an account's password.
+
+        Returns:
+            Tuple of (success, error_message)
+        """
+        account = accounts.find_one({"_id": account_id})
+        if not account:
+            return False, "Account not found"
+
+        # Verify current password
+        if not bcrypt.checkpw(
+            current_password.encode("utf-8"),
+            account["password"].encode("utf-8")
+        ):
+            return False, "Current password is incorrect"
+
+        # Hash and set new password
+        hashed_password = bcrypt.hashpw(
+            new_password.encode("utf-8"),
+            bcrypt.gensalt()
+        ).decode("utf-8")
+
+        accounts.update_one(
+            {"_id": account_id},
+            {"$set": {"password": hashed_password}}
+        )
+
+        return True, None
+
+    @staticmethod
+    async def has_verified_email(account_id: str) -> bool:
+        """Check if an account has at least one verified email"""
+        account = accounts.find_one({"_id": account_id})
+        if not account:
+            return False
+
+        for email in account.get("emails", []):
+            if email.get("verified", False):
+                return True
+
+        return False
+
+    @staticmethod
+    async def find_account_by_oauth(provider: str, provider_id: str) -> Optional[Dict[Any, Any]]:
+        """Find an account by OAuth provider and ID"""
+        return accounts.find_one({f"oauth_connections.{provider}.id": provider_id})
+
+    @staticmethod
+    async def link_oauth_account(
+        account_id: str, provider: str, provider_data: Dict[str, Any]
+    ) -> None:
+        """Link an OAuth account to an existing account"""
+        accounts.update_one(
+            {"_id": account_id},
+            {"$set": {f"oauth_connections.{provider}": {
+                **provider_data,
+                "linked_at": datetime.now().timestamp()
+            }}}
+        )
+
+    @staticmethod
+    async def unlink_oauth_account(account_id: str, provider: str) -> Tuple[bool, Optional[str]]:
+        """Unlink an OAuth account from an existing account"""
+        account = accounts.find_one({"_id": account_id})
+        if not account:
+            return False, "Account not found"
+
+        # Check if account has a password (required to unlink OAuth)
+        if not account.get("password"):
+            return False, "Cannot unlink OAuth - account has no password set"
+
+        # Check if the OAuth connection exists
+        oauth_connections = account.get("oauth_connections", {})
+        if provider not in oauth_connections:
+            return False, f"No {provider} connection found"
+
+        accounts.update_one(
+            {"_id": account_id},
+            {"$unset": {f"oauth_connections.{provider}": ""}}
+        )
+
+        return True, None
+
+    @staticmethod
+    async def create_oauth_account(
+        name: str,
+        email: str,
+        provider: str,
+        provider_data: Dict[str, Any],
+        org: Optional[str] = None
+    ) -> Dict[Any, Any]:
+        """Create a new account from OAuth login"""
+        account = {
+            "_id": str(uuid.uuid4()),
+            "name": name,
+            "emails": [{"address": email, "verified": True, "primary": True}],
+            "password": None,  # OAuth accounts don't have passwords initially
+            "org": org,
+            "sessions": [],
+            "oauth_connections": {
+                provider: {
+                    **provider_data,
+                    "linked_at": datetime.now().timestamp()
+                }
+            }
+        }
+        accounts.insert_one(account)
+        return account