OpenSource
/
dify
Следить 4
В избранное 0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 152 Вики Активность
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
6118 коммитов
4 Ветки
Дерево: 164e5481c5
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из '164e5481c5'
${ noResults }
dify/api/services/plugin/oauth_service.py

oauth_service.py 2.2KB
Исходник Blame История

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061 
  1. import json

  2. import uuid

  3. 

  4. from core.plugin.impl.base import BasePluginClient

  5. from extensions.ext_redis import redis_client

  6. 

  7. 

  8. class OAuthProxyService(BasePluginClient):

  9.     # Default max age for proxy context parameter in seconds

  10.     __MAX_AGE__ = 5 * 60  # 5 minutes

  11. 

  12.     @staticmethod

  13.     def create_proxy_context(user_id, tenant_id, plugin_id, provider):

  14.         """

  15.         Create a proxy context for an OAuth 2.0 authorization request.

  16. 

  17.         This parameter is a crucial security measure to prevent Cross-Site Request

  18.         Forgery (CSRF) attacks. It works by generating a unique nonce and storing it

  19.         in a distributed cache (Redis) along with the user's session context.

  20. 

  21.         The returned nonce should be included as the 'proxy_context' parameter in the

  22.         authorization URL. Upon callback, the `use_proxy_context` method

  23.         is used to verify the state, ensuring the request's integrity and authenticity,

  24.         and mitigating replay attacks.

  25.         """

  26.         seconds, _ = redis_client.time()

  27.         context_id = str(uuid.uuid4())

  28.         data = {

  29.             "user_id": user_id,

  30.             "plugin_id": plugin_id,

  31.             "tenant_id": tenant_id,

  32.             "provider": provider,

  33.             # encode redis time to avoid distribution time skew

  34.             "timestamp": seconds,

  35.         }

  36.         # ignore nonce collision

  37.         redis_client.setex(

  38.             f"oauth_proxy_context:{context_id}",

  39.             OAuthProxyService.__MAX_AGE__,

  40.             json.dumps(data),

  41.         )

  42.         return context_id

  43. 

  44.     @staticmethod

  45.     def use_proxy_context(context_id, max_age=__MAX_AGE__):

  46.         """

  47.         Validate the proxy context parameter.

  48.         This checks if the context_id is valid and not expired.

  49.         """

  50.         if not context_id:

  51.             raise ValueError("context_id is required")

  52.         # get data from redis

  53.         data = redis_client.getdel(f"oauth_proxy_context:{context_id}")

  54.         if not data:

  55.             raise ValueError("context_id is invalid")

  56.         # check if data is expired

  57.         seconds, _ = redis_client.time()

  58.         state = json.loads(data)

  59.         if state.get("timestamp") < seconds - max_age:

  60.             raise ValueError("context_id is expired")

  61.         return state