OpenSource
/
dify
關註 4
收藏 0
複製 0
程式碼 問題管理 0 合併請求 0 版本發佈 152 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6023 Commit
4 分支
目錄樹: 61526c027d
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from '61526c027d'
${ noResults }
dify/api/controllers/web/forgot_password.py

forgot_password.py 5.5KB
原始文件 Normal View 文件歷史

Feat/webapp verified sso main (#20494)
4 月之前
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147 
  1. import base64

  2. import secrets

  3. 

  4. from flask import request

  5. from flask_restful import Resource, reqparse

  6. from sqlalchemy import select

  7. from sqlalchemy.orm import Session

  8. 

  9. from controllers.console.auth.error import (

  10.     EmailCodeError,

  11.     EmailPasswordResetLimitError,

  12.     InvalidEmailError,

  13.     InvalidTokenError,

  14.     PasswordMismatchError,

  15. )

  16. from controllers.console.error import AccountNotFound, EmailSendIpLimitError

  17. from controllers.console.wraps import email_password_login_enabled, only_edition_enterprise, setup_required

  18. from controllers.web import api

  19. from extensions.ext_database import db

  20. from libs.helper import email, extract_remote_ip

  21. from libs.password import hash_password, valid_password

  22. from models.account import Account

  23. from services.account_service import AccountService

  24. 

  25. 

  26. class ForgotPasswordSendEmailApi(Resource):

  27.     @only_edition_enterprise

  28.     @setup_required

  29.     @email_password_login_enabled

  30.     def post(self):

  31.         parser = reqparse.RequestParser()

  32.         parser.add_argument("email", type=email, required=True, location="json")

  33.         parser.add_argument("language", type=str, required=False, location="json")

  34.         args = parser.parse_args()

  35. 

  36.         ip_address = extract_remote_ip(request)

  37.         if AccountService.is_email_send_ip_limit(ip_address):

  38.             raise EmailSendIpLimitError()

  39. 

  40.         if args["language"] is not None and args["language"] == "zh-Hans":

  41.             language = "zh-Hans"

  42.         else:

  43.             language = "en-US"

  44. 

  45.         with Session(db.engine) as session:

  46.             account = session.execute(select(Account).filter_by(email=args["email"])).scalar_one_or_none()

  47.         token = None

  48.         if account is None:

  49.             raise AccountNotFound()

  50.         else:

  51.             token = AccountService.send_reset_password_email(account=account, email=args["email"], language=language)

  52. 

  53.         return {"result": "success", "data": token}

  54. 

  55. 

  56. class ForgotPasswordCheckApi(Resource):

  57.     @only_edition_enterprise

  58.     @setup_required

  59.     @email_password_login_enabled

  60.     def post(self):

  61.         parser = reqparse.RequestParser()

  62.         parser.add_argument("email", type=str, required=True, location="json")

  63.         parser.add_argument("code", type=str, required=True, location="json")

  64.         parser.add_argument("token", type=str, required=True, nullable=False, location="json")

  65.         args = parser.parse_args()

  66. 

  67.         user_email = args["email"]

  68. 

  69.         is_forgot_password_error_rate_limit = AccountService.is_forgot_password_error_rate_limit(args["email"])

  70.         if is_forgot_password_error_rate_limit:

  71.             raise EmailPasswordResetLimitError()

  72. 

  73.         token_data = AccountService.get_reset_password_data(args["token"])

  74.         if token_data is None:

  75.             raise InvalidTokenError()

  76. 

  77.         if user_email != token_data.get("email"):

  78.             raise InvalidEmailError()

  79. 

  80.         if args["code"] != token_data.get("code"):

  81.             AccountService.add_forgot_password_error_rate_limit(args["email"])

  82.             raise EmailCodeError()

  83. 

  84.         # Verified, revoke the first token

  85.         AccountService.revoke_reset_password_token(args["token"])

  86. 

  87.         # Refresh token data by generating a new token

  88.         _, new_token = AccountService.generate_reset_password_token(

  89.             user_email, code=args["code"], additional_data={"phase": "reset"}

  90.         )

  91. 

  92.         AccountService.reset_forgot_password_error_rate_limit(args["email"])

  93.         return {"is_valid": True, "email": token_data.get("email"), "token": new_token}

  94. 

  95. 

  96. class ForgotPasswordResetApi(Resource):

  97.     @only_edition_enterprise

  98.     @setup_required

  99.     @email_password_login_enabled

  100.     def post(self):

  101.         parser = reqparse.RequestParser()

  102.         parser.add_argument("token", type=str, required=True, nullable=False, location="json")

  103.         parser.add_argument("new_password", type=valid_password, required=True, nullable=False, location="json")

  104.         parser.add_argument("password_confirm", type=valid_password, required=True, nullable=False, location="json")

  105.         args = parser.parse_args()

  106. 

  107.         # Validate passwords match

  108.         if args["new_password"] != args["password_confirm"]:

  109.             raise PasswordMismatchError()

  110. 

  111.         # Validate token and get reset data

  112.         reset_data = AccountService.get_reset_password_data(args["token"])

  113.         if not reset_data:

  114.             raise InvalidTokenError()

  115.         # Must use token in reset phase

  116.         if reset_data.get("phase", "") != "reset":

  117.             raise InvalidTokenError()

  118. 

  119.         # Revoke token to prevent reuse

  120.         AccountService.revoke_reset_password_token(args["token"])

  121. 

  122.         # Generate secure salt and hash password

  123.         salt = secrets.token_bytes(16)

  124.         password_hashed = hash_password(args["new_password"], salt)

  125. 

  126.         email = reset_data.get("email", "")

  127. 

  128.         with Session(db.engine) as session:

  129.             account = session.execute(select(Account).filter_by(email=email)).scalar_one_or_none()

  130. 

  131.             if account:

  132.                 self._update_existing_account(account, password_hashed, salt, session)

  133.             else:

  134.                 raise AccountNotFound()

  135. 

  136.         return {"result": "success"}

  137. 

  138.     def _update_existing_account(self, account, password_hashed, salt, session):

  139.         # Update existing account credentials

  140.         account.password = base64.b64encode(password_hashed).decode()

  141.         account.password_salt = base64.b64encode(salt).decode()

  142.         session.commit()

  143. 

  144. 

  145. api.add_resource(ForgotPasswordSendEmailApi, "/forgot-password")

  146. api.add_resource(ForgotPasswordCheckApi, "/forgot-password/validity")

  147. api.add_resource(ForgotPasswordResetApi, "/forgot-password/resets")