OpenSource
/
dify
關註 4
收藏 0
複製 0
程式碼 問題管理 0 合併請求 0 版本發佈 152 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7078 Commit
4 分支
目錄樹: a9c7669c16
分支列表 標籤列表
${ item.name }
Create branch ${ searchTerm }
from 'a9c7669c16'
${ noResults }
dify/api/controllers/console/auth/oauth_server.py

oauth_server.py 7.5KB
原始文件 Blame 文件歷史

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202 
  1. from functools import wraps

  2. from typing import cast

  3. 

  4. import flask_login

  5. from flask import jsonify, request

  6. from flask_restx import Resource, reqparse

  7. from werkzeug.exceptions import BadRequest, NotFound

  8. 

  9. from controllers.console.wraps import account_initialization_required, setup_required

  10. from core.model_runtime.utils.encoders import jsonable_encoder

  11. from libs.login import login_required

  12. from models.account import Account

  13. from models.model import OAuthProviderApp

  14. from services.oauth_server import OAUTH_ACCESS_TOKEN_EXPIRES_IN, OAuthGrantType, OAuthServerService

  15. 

  16. from .. import api

  17. 

  18. 

  19. def oauth_server_client_id_required(view):

  20.     @wraps(view)

  21.     def decorated(*args, **kwargs):

  22.         parser = reqparse.RequestParser()

  23.         parser.add_argument("client_id", type=str, required=True, location="json")

  24.         parsed_args = parser.parse_args()

  25.         client_id = parsed_args.get("client_id")

  26.         if not client_id:

  27.             raise BadRequest("client_id is required")

  28. 

  29.         oauth_provider_app = OAuthServerService.get_oauth_provider_app(client_id)

  30.         if not oauth_provider_app:

  31.             raise NotFound("client_id is invalid")

  32. 

  33.         kwargs["oauth_provider_app"] = oauth_provider_app

  34. 

  35.         return view(*args, **kwargs)

  36. 

  37.     return decorated

  38. 

  39. 

  40. def oauth_server_access_token_required(view):

  41.     @wraps(view)

  42.     def decorated(*args, **kwargs):

  43.         oauth_provider_app = kwargs.get("oauth_provider_app")

  44.         if not oauth_provider_app or not isinstance(oauth_provider_app, OAuthProviderApp):

  45.             raise BadRequest("Invalid oauth_provider_app")

  46. 

  47.         authorization_header = request.headers.get("Authorization")

  48.         if not authorization_header:

  49.             response = jsonify({"error": "Authorization header is required"})

  50.             response.status_code = 401

  51.             response.headers["WWW-Authenticate"] = "Bearer"

  52.             return response

  53. 

  54.         parts = authorization_header.strip().split(None, 1)

  55.         if len(parts) != 2:

  56.             response = jsonify({"error": "Invalid Authorization header format"})

  57.             response.status_code = 401

  58.             response.headers["WWW-Authenticate"] = "Bearer"

  59.             return response

  60. 

  61.         token_type = parts[0].strip()

  62.         if token_type.lower() != "bearer":

  63.             response = jsonify({"error": "token_type is invalid"})

  64.             response.status_code = 401

  65.             response.headers["WWW-Authenticate"] = "Bearer"

  66.             return response

  67. 

  68.         access_token = parts[1].strip()

  69.         if not access_token:

  70.             response = jsonify({"error": "access_token is required"})

  71.             response.status_code = 401

  72.             response.headers["WWW-Authenticate"] = "Bearer"

  73.             return response

  74. 

  75.         account = OAuthServerService.validate_oauth_access_token(oauth_provider_app.client_id, access_token)

  76.         if not account:

  77.             response = jsonify({"error": "access_token or client_id is invalid"})

  78.             response.status_code = 401

  79.             response.headers["WWW-Authenticate"] = "Bearer"

  80.             return response

  81. 

  82.         kwargs["account"] = account

  83. 

  84.         return view(*args, **kwargs)

  85. 

  86.     return decorated

  87. 

  88. 

  89. class OAuthServerAppApi(Resource):

  90.     @setup_required

  91.     @oauth_server_client_id_required

  92.     def post(self, oauth_provider_app: OAuthProviderApp):

  93.         parser = reqparse.RequestParser()

  94.         parser.add_argument("redirect_uri", type=str, required=True, location="json")

  95.         parsed_args = parser.parse_args()

  96.         redirect_uri = parsed_args.get("redirect_uri")

  97. 

  98.         # check if redirect_uri is valid

  99.         if redirect_uri not in oauth_provider_app.redirect_uris:

  100.             raise BadRequest("redirect_uri is invalid")

  101. 

  102.         return jsonable_encoder(

  103.             {

  104.                 "app_icon": oauth_provider_app.app_icon,

  105.                 "app_label": oauth_provider_app.app_label,

  106.                 "scope": oauth_provider_app.scope,

  107.             }

  108.         )

  109. 

  110. 

  111. class OAuthServerUserAuthorizeApi(Resource):

  112.     @setup_required

  113.     @login_required

  114.     @account_initialization_required

  115.     @oauth_server_client_id_required

  116.     def post(self, oauth_provider_app: OAuthProviderApp):

  117.         account = cast(Account, flask_login.current_user)

  118.         user_account_id = account.id

  119. 

  120.         code = OAuthServerService.sign_oauth_authorization_code(oauth_provider_app.client_id, user_account_id)

  121.         return jsonable_encoder(

  122.             {

  123.                 "code": code,

  124.             }

  125.         )

  126. 

  127. 

  128. class OAuthServerUserTokenApi(Resource):

  129.     @setup_required

  130.     @oauth_server_client_id_required

  131.     def post(self, oauth_provider_app: OAuthProviderApp):

  132.         parser = reqparse.RequestParser()

  133.         parser.add_argument("grant_type", type=str, required=True, location="json")

  134.         parser.add_argument("code", type=str, required=False, location="json")

  135.         parser.add_argument("client_secret", type=str, required=False, location="json")

  136.         parser.add_argument("redirect_uri", type=str, required=False, location="json")

  137.         parser.add_argument("refresh_token", type=str, required=False, location="json")

  138.         parsed_args = parser.parse_args()

  139. 

  140.         try:

  141.             grant_type = OAuthGrantType(parsed_args["grant_type"])

  142.         except ValueError:

  143.             raise BadRequest("invalid grant_type")

  144. 

  145.         if grant_type == OAuthGrantType.AUTHORIZATION_CODE:

  146.             if not parsed_args["code"]:

  147.                 raise BadRequest("code is required")

  148. 

  149.             if parsed_args["client_secret"] != oauth_provider_app.client_secret:

  150.                 raise BadRequest("client_secret is invalid")

  151. 

  152.             if parsed_args["redirect_uri"] not in oauth_provider_app.redirect_uris:

  153.                 raise BadRequest("redirect_uri is invalid")

  154. 

  155.             access_token, refresh_token = OAuthServerService.sign_oauth_access_token(

  156.                 grant_type, code=parsed_args["code"], client_id=oauth_provider_app.client_id

  157.             )

  158.             return jsonable_encoder(

  159.                 {

  160.                     "access_token": access_token,

  161.                     "token_type": "Bearer",

  162.                     "expires_in": OAUTH_ACCESS_TOKEN_EXPIRES_IN,

  163.                     "refresh_token": refresh_token,

  164.                 }

  165.             )

  166.         elif grant_type == OAuthGrantType.REFRESH_TOKEN:

  167.             if not parsed_args["refresh_token"]:

  168.                 raise BadRequest("refresh_token is required")

  169. 

  170.             access_token, refresh_token = OAuthServerService.sign_oauth_access_token(

  171.                 grant_type, refresh_token=parsed_args["refresh_token"], client_id=oauth_provider_app.client_id

  172.             )

  173.             return jsonable_encoder(

  174.                 {

  175.                     "access_token": access_token,

  176.                     "token_type": "Bearer",

  177.                     "expires_in": OAUTH_ACCESS_TOKEN_EXPIRES_IN,

  178.                     "refresh_token": refresh_token,

  179.                 }

  180.             )

  181. 

  182. 

  183. class OAuthServerUserAccountApi(Resource):

  184.     @setup_required

  185.     @oauth_server_client_id_required

  186.     @oauth_server_access_token_required

  187.     def post(self, oauth_provider_app: OAuthProviderApp, account: Account):

  188.         return jsonable_encoder(

  189.             {

  190.                 "name": account.name,

  191.                 "email": account.email,

  192.                 "avatar": account.avatar,

  193.                 "interface_language": account.interface_language,

  194.                 "timezone": account.timezone,

  195.             }

  196.         )

  197. 

  198. 

  199. api.add_resource(OAuthServerAppApi, "/oauth/provider")

  200. api.add_resource(OAuthServerUserAuthorizeApi, "/oauth/provider/authorize")

  201. api.add_resource(OAuthServerUserTokenApi, "/oauth/provider/token")

  202. api.add_resource(OAuthServerUserAccountApi, "/oauth/provider/account")