Add API tokens and OAuth2 client support for external integrations

- Personal API tokens (model, user-settings UI, admin, management command,
  DRF auth class) for non-interactive API access from automations like n8n.
  Raw token shown once; only a SHA-256 hash is stored; last_used_at writes
  are throttled.
- OAuth2 authorization server via django-oauth-toolkit with authorization
  server metadata and optional, off-by-default Dynamic Client Registration
  (RFC 7591), so remote OAuth/MCP clients can authenticate and self-register.
- Tests for token auth, DCR gating and the management commands, plus
  .env.example and README documentation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
obervinov
2026-06-24 19:15:31 +04:00
parent 9641e169f2
commit 4273c541c5
23 changed files with 1505 additions and 6 deletions
+18
@@ -38,3 +38,21 @@ TASK_WORKERS=1 # This only work if you're using the single container option. Inc
#OIDC_CLIENT_SECRET=""
#OIDC_SERVER_URL=""
#OIDC_ALLOW_SIGNUP=true
# Personal access tokens. How often (seconds) a token's last_used_at is rewritten.
#API_TOKEN_LAST_USED_UPDATE_INTERVAL=600
# MCP OAuth Application. Uncomment to auto-create/update the OAuth client
# used by remote MCP integrations after migrations complete.
#MCP_OAUTH_CLIENT_NAME="WYGIWYH MCP"
#MCP_OAUTH_CLIENT_ID="mcp-wygiwyh"
#MCP_OAUTH_CLIENT_SECRET="<INSERT A SAFE SECRET HERE>"
#MCP_OAUTH_REDIRECT_URIS="http://127.0.0.1:8765/callback"
#MCP_OAUTH_SKIP_AUTHORIZATION=false
# Dynamic Client Registration (RFC 7591). Disabled by default because an open
# registration endpoint lets anyone create OAuth applications. Enable only if
# remote MCP clients must self-register, and optionally require an initial
# access token (sent as "Authorization: Bearer <token>" on /oauth/register/).
#OAUTH2_DCR_ENABLED=false
#OAUTH2_DCR_INITIAL_ACCESS_TOKEN=""
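
Review bot: On the last two lines, the comment calls the initial access token optional, so setting OAUTH2_DCR_ENABLED=true while leaving OAUTH2_DCR_INITIAL_ACCESS_TOKEN="" reads as a supported configuration that leaves /oauth/register/ open to anyone, which is exactly the risk the comment warns about. Consider stating explicitly in the comment that an empty value means unauthenticated registration, or requiring a non-empty token whenever DCR is enabled. Separately, MCP_OAUTH_CLIENT_SECRET="<INSERT A SAFE SECRET HERE>" becomes a live, publicly known secret if the line is uncommented unchanged; a note on how to generate a value, or a check that rejects the placeholder, would help. It would also be worth documenting next to MCP_OAUTH_SKIP_AUTHORIZATION that setting it to true removes the user consent screen for that client.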