OpenSource
/
dify
Volgen 4
Ster 0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 152 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6441 Commits
4 Branches
Branch: Hacked_1.7.0
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'Hacked_1.7.0'
${ noResults }
dify/api/controllers/web/wraps.py

wraps.py 6.0KB
Ruw Permalink Blame Geschiedenis

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146 
  1. from datetime import UTC, datetime

  2. from functools import wraps

  3. 

  4. from flask import request

  5. from flask_restful import Resource

  6. from werkzeug.exceptions import BadRequest, NotFound, Unauthorized

  7. 

  8. from controllers.web.error import WebAppAuthAccessDeniedError, WebAppAuthRequiredError

  9. from extensions.ext_database import db

  10. from libs.passport import PassportService

  11. from models.model import App, EndUser, Site

  12. from services.enterprise.enterprise_service import EnterpriseService, WebAppSettings

  13. from services.feature_service import FeatureService

  14. from services.webapp_auth_service import WebAppAuthService

  15. 

  16. 

  17. def validate_jwt_token(view=None):

  18.     def decorator(view):

  19.         @wraps(view)

  20.         def decorated(*args, **kwargs):

  21.             app_model, end_user = decode_jwt_token()

  22. 

  23.             return view(app_model, end_user, *args, **kwargs)

  24. 

  25.         return decorated

  26. 

  27.     if view:

  28.         return decorator(view)

  29.     return decorator

  30. 

  31. 

  32. def decode_jwt_token():

  33.     system_features = FeatureService.get_system_features()

  34.     app_code = str(request.headers.get("X-App-Code"))

  35.     try:

  36.         auth_header = request.headers.get("Authorization")

  37.         if auth_header is None:

  38.             raise Unauthorized("Authorization header is missing.")

  39. 

  40.         if " " not in auth_header:

  41.             raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")

  42. 

  43.         auth_scheme, tk = auth_header.split(None, 1)

  44.         auth_scheme = auth_scheme.lower()

  45. 

  46.         if auth_scheme != "bearer":

  47.             raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")

  48.         decoded = PassportService().verify(tk)

  49.         app_code = decoded.get("app_code")

  50.         app_id = decoded.get("app_id")

  51.         app_model = db.session.query(App).filter(App.id == app_id).first()

  52.         site = db.session.query(Site).filter(Site.code == app_code).first()

  53.         if not app_model:

  54.             raise NotFound()

  55.         if not app_code or not site:

  56.             raise BadRequest("Site URL is no longer valid.")

  57.         if app_model.enable_site is False:

  58.             raise BadRequest("Site is disabled.")

  59.         end_user_id = decoded.get("end_user_id")

  60.         end_user = db.session.query(EndUser).filter(EndUser.id == end_user_id).first()

  61.         if not end_user:

  62.             raise NotFound()

  63. 

  64.         # for enterprise webapp auth

  65.         app_web_auth_enabled = False

  66.         webapp_settings = None

  67.         if system_features.webapp_auth.enabled:

  68.             webapp_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code)

  69.             if not webapp_settings:

  70.                 raise NotFound("Web app settings not found.")

  71.             app_web_auth_enabled = webapp_settings.access_mode != "public"

  72. 

  73.         _validate_webapp_token(decoded, app_web_auth_enabled, system_features.webapp_auth.enabled)

  74.         _validate_user_accessibility(

  75.             decoded, app_code, app_web_auth_enabled, system_features.webapp_auth.enabled, webapp_settings

  76.         )

  77. 

  78.         return app_model, end_user

  79.     except Unauthorized as e:

  80.         if system_features.webapp_auth.enabled:

  81.             if not app_code:

  82.                 raise Unauthorized("Please re-login to access the web app.")

  83.             app_web_auth_enabled = (

  84.                 EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=str(app_code)).access_mode != "public"

  85.             )

  86.             if app_web_auth_enabled:

  87.                 raise WebAppAuthRequiredError()

  88. 

  89.         raise Unauthorized(e.description)

  90. 

  91. 

  92. def _validate_webapp_token(decoded, app_web_auth_enabled: bool, system_webapp_auth_enabled: bool):

  93.     # Check if authentication is enforced for web app, and if the token source is not webapp,

  94.     # raise an error and redirect to login

  95.     if system_webapp_auth_enabled and app_web_auth_enabled:

  96.         source = decoded.get("token_source")

  97.         if not source or source != "webapp":

  98.             raise WebAppAuthRequiredError()

  99. 

  100.     # Check if authentication is not enforced for web, and if the token source is webapp,

  101.     # raise an error and redirect to normal passport login

  102.     if not system_webapp_auth_enabled or not app_web_auth_enabled:

  103.         source = decoded.get("token_source")

  104.         if source and source == "webapp":

  105.             raise Unauthorized("webapp token expired.")

  106. 

  107. 

  108. def _validate_user_accessibility(

  109.     decoded,

  110.     app_code,

  111.     app_web_auth_enabled: bool,

  112.     system_webapp_auth_enabled: bool,

  113.     webapp_settings: WebAppSettings | None,

  114. ):

  115.     if system_webapp_auth_enabled and app_web_auth_enabled:

  116.         # Check if the user is allowed to access the web app

  117.         user_id = decoded.get("user_id")

  118.         if not user_id:

  119.             raise WebAppAuthRequiredError()

  120. 

  121.         if not webapp_settings:

  122.             raise WebAppAuthRequiredError("Web app settings not found.")

  123. 

  124.         if WebAppAuthService.is_app_require_permission_check(access_mode=webapp_settings.access_mode):

  125.             if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id, app_code=app_code):

  126.                 raise WebAppAuthAccessDeniedError()

  127. 

  128.         auth_type = decoded.get("auth_type")

  129.         granted_at = decoded.get("granted_at")

  130.         if not auth_type:

  131.             raise WebAppAuthAccessDeniedError("Missing auth_type in the token.")

  132.         if not granted_at:

  133.             raise WebAppAuthAccessDeniedError("Missing granted_at in the token.")

  134.         # check if sso has been updated

  135.         if auth_type == "external":

  136.             last_update_time = EnterpriseService.get_app_sso_settings_last_update_time()

  137.             if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:

  138.                 raise WebAppAuthAccessDeniedError("SSO settings have been updated. Please re-login.")

  139.         elif auth_type == "internal":

  140.             last_update_time = EnterpriseService.get_workspace_sso_settings_last_update_time()

  141.             if granted_at and datetime.fromtimestamp(granted_at, tz=UTC) < last_update_time:

  142.                 raise WebAppAuthAccessDeniedError("SSO settings have been updated. Please re-login.")

  143. 

  144. 

  145. class WebApiResource(Resource):

  146.     method_decorators = [validate_jwt_token]