Add owhisper-providers and share it in client adapters and proxy server

Cargo.toml

@@ -89,6 +89,7 @@ owhisper-client = { path = "owhisper/owhisper-client", package = "owhisper-clien
 owhisper-config = { path = "owhisper/owhisper-config", package = "owhisper-config" }
 owhisper-interface = { path = "owhisper/owhisper-interface", package = "owhisper-interface" }
 owhisper-model = { path = "owhisper/owhisper-model", package = "owhisper-model" }
+owhisper-providers = { path = "owhisper/owhisper-providers", package = "owhisper-providers" }
 
 tauri = "2.9"
 tauri-build = "2.5"
@@ -165,7 +166,7 @@ clap = "4"
 codes-iso-639 = "0.1.5"
 derive_more = "2"
 dirs = "6.0.0"
-dotenv = "0.15.0"
+dotenvy = "0.15.7"
 include_url_macro = "0.1.0"
 indoc = "2"
 itertools = "0.14.0"
@@ -205,6 +206,7 @@ async-openai = { git = "https://github.com/fastrepl/async-openai", rev = "6404d3
 async-stripe = { version = "0.39.1", default-features = false }
 gbnf-validator = { git = "https://github.com/fastrepl/gbnf-validator", rev = "3dec055" }
 
+jsonwebtoken = { version = "10", features = ["rust_crypto"] }
 sentry = "0.42"
 vergen-gix = "1"
 

apps/stt/Cargo.toml

@@ -9,11 +9,19 @@ path = "src/main.rs"
 
 [dependencies]
 hypr-transcribe-proxy = { workspace = true }
+owhisper-providers = { workspace = true }
 
 axum = { workspace = true, features = ["ws"] }
 tokio = { workspace = true, features = ["rt-multi-thread", "macros", "signal"] }
 tower-http = { workspace = true, features = ["trace"] }
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true, features = ["env-filter"] }
 
+reqwest = { workspace = true, features = ["json"] }
+serde = { workspace = true, features = ["derive"] }
+serde_json = { workspace = true }
+url = { workspace = true }
+
+dotenvy = { workspace = true }
+jsonwebtoken = { workspace = true }
 sentry = { workspace = true }

apps/stt/src/auth.rs

@@ -0,0 +1,136 @@
+use std::sync::Arc;
+use std::time::{Duration, Instant};
+
+use axum::{
+    extract::FromRequestParts,
+    http::{StatusCode, request::Parts},
+};
+use jsonwebtoken::{DecodingKey, Validation, decode, decode_header, jwk::JwkSet};
+use serde::Deserialize;
+use tokio::sync::RwLock;
+
+use crate::env::env;
+
+const ENTITLEMENT_PRO: &str = "hyprnote_pro";
+const JWKS_CACHE_TTL: Duration = Duration::from_secs(5 * 60);
+
+#[derive(Debug, Clone)]
+pub struct AuthUser {
+    pub user_id: String,
+    pub entitlements: Vec<String>,
+}
+
+impl AuthUser {
+    pub fn is_pro(&self) -> bool {
+        self.entitlements.iter().any(|e| e == ENTITLEMENT_PRO)
+    }
+}
+
+#[derive(Debug, Deserialize)]
+struct Claims {
+    sub: String,
+    #[serde(default)]
+    entitlements: Vec<String>,
+}
+
+struct CachedJwks {
+    jwks: JwkSet,
+    fetched_at: Instant,
+}
+
+static JWKS_CACHE: std::sync::OnceLock<Arc<RwLock<Option<CachedJwks>>>> =
+    std::sync::OnceLock::new();
+
+fn jwks_cache() -> &'static Arc<RwLock<Option<CachedJwks>>> {
+    JWKS_CACHE.get_or_init(|| Arc::new(RwLock::new(None)))
+}
+
+async fn get_jwks() -> Result<JwkSet, &'static str> {
+    let cache = jwks_cache();
+
+    {
+        let guard = cache.read().await;
+        if let Some(cached) = guard.as_ref() {
+            if cached.fetched_at.elapsed() < JWKS_CACHE_TTL {
+                return Ok(cached.jwks.clone());
+            }
+        }
+    }
+
+    let env = env();
+    let jwks_url = format!("{}/auth/v1/.well-known/jwks.json", env.supabase_url);
+
+    let jwks: JwkSet = reqwest::get(&jwks_url)
+        .await
+        .map_err(|_| "failed to fetch jwks")?
+        .json()
+        .await
+        .map_err(|_| "failed to parse jwks")?;
+
+    {
+        let mut guard = cache.write().await;
+        *guard = Some(CachedJwks {
+            jwks: jwks.clone(),
+            fetched_at: Instant::now(),
+        });
+    }
+
+    Ok(jwks)
+}
+
+impl<S> FromRequestParts<S> for AuthUser
+where
+    S: Send + Sync,
+{
+    type Rejection = (StatusCode, &'static str);
+
+    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+        let auth_header = parts
+            .headers
+            .get("authorization")
+            .and_then(|v| v.to_str().ok())
+            .ok_or((StatusCode::UNAUTHORIZED, "missing authorization header"))?;
+
+        let token = auth_header
+            .strip_prefix("Bearer ")
+            .or_else(|| auth_header.strip_prefix("bearer "))
+            .ok_or((StatusCode::UNAUTHORIZED, "invalid authorization header"))?;
+
+        let header =
+            decode_header(token).map_err(|_| (StatusCode::UNAUTHORIZED, "invalid token header"))?;
+
+        let kid = header
+            .kid
+            .as_ref()
+            .ok_or((StatusCode::UNAUTHORIZED, "missing kid in token"))?;
+
+        let jwks = get_jwks()
+            .await
+            .map_err(|e| (StatusCode::INTERNAL_SERVER_ERROR, e))?;
+
+        let jwk = jwks
+            .find(kid)
+            .ok_or((StatusCode::UNAUTHORIZED, "unknown signing key"))?;
+
+        let key = DecodingKey::from_jwk(jwk)
+            .map_err(|_| (StatusCode::UNAUTHORIZED, "invalid signing key"))?;
+
+        let alg = jwk
+            .common
+            .key_algorithm
+            .and_then(|a| a.to_string().parse().ok())
+            .ok_or((StatusCode::UNAUTHORIZED, "unsupported algorithm"))?;
+
+        let mut validation = Validation::new(alg);
+        validation.set_audience(&["authenticated"]);
+        validation.validate_exp = true;
+
+        let token_data = decode::<Claims>(token, &key, &validation)
+            .map_err(|_| (StatusCode::UNAUTHORIZED, "invalid token"))?;
+
+        Ok(AuthUser {
+            user_id: token_data.claims.sub,
+            entitlements: token_data.claims.entitlements,
+        })
+    }
+}

apps/stt/src/env.rs

@@ -0,0 +1,66 @@
+use std::collections::HashMap;
+use std::sync::OnceLock;
+
+use owhisper_providers::Provider;
+
+pub struct Env {
+    pub port: u16,
+    pub sentry_dsn: Option<String>,
+    pub supabase_url: String,
+    api_keys: HashMap<Provider, String>,
+}
+
+static ENV: OnceLock<Env> = OnceLock::new();
+
+pub fn env() -> &'static Env {
+    ENV.get_or_init(|| {
+        let _ = dotenvy::dotenv();
+        Env::from_env()
+    })
+}
+
+impl Env {
+    fn from_env() -> Self {
+        let providers = [
+            Provider::Deepgram,
+            Provider::AssemblyAI,
+            Provider::Soniox,
+            Provider::Fireworks,
+            Provider::OpenAI,
+            Provider::Gladia,
+        ];
+        let api_keys = providers
+            .into_iter()
+            .map(|p| (p, required(p.env_key_name())))
+            .collect();
+
+        Self {
+            port: parse_or("PORT", 3000),
+            sentry_dsn: optional("SENTRY_DSN"),
+            supabase_url: required("SUPABASE_URL"),
+            api_keys,
+        }
+    }
+
+    pub fn api_key_for(&self, provider: Provider) -> String {
+        self.api_keys
+            .get(&provider)
+            .cloned()
+            .unwrap_or_else(|| panic!("{} is not configured", provider.env_key_name()))
+    }
+}
+
+fn required(key: &str) -> String {
+    std::env::var(key).unwrap_or_else(|_| panic!("{key} is required"))
+}
+
+fn optional(key: &str) -> Option<String> {
+    std::env::var(key).ok().filter(|s| !s.is_empty())
+}
+
+fn parse_or<T: std::str::FromStr>(key: &str, default: T) -> T {
+    std::env::var(key)
+        .ok()
+        .and_then(|v| v.parse().ok())
+        .unwrap_or(default)
+}