OpenSource
/
dify
보기 4
좋아요 0
포크 0
코드 이슈 0 풀 리퀘스트 0 릴리즈 152 위키 Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5797 커밋
4 브랜치
트리: d186daa131
브랜치 태그
${ item.name }
Create branch ${ searchTerm }
from 'd186daa131'
${ noResults }
dify/api/controllers/web/wraps.py

wraps.py 4.3KB
Raw Blame 히스토리

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110 
  1. from functools import wraps

  2. 

  3. from flask import request

  4. from flask_restful import Resource

  5. from werkzeug.exceptions import BadRequest, NotFound, Unauthorized

  6. 

  7. from controllers.web.error import WebAppAuthAccessDeniedError, WebAppAuthRequiredError

  8. from extensions.ext_database import db

  9. from libs.passport import PassportService

  10. from models.model import App, EndUser, Site

  11. from services.enterprise.enterprise_service import EnterpriseService

  12. from services.feature_service import FeatureService

  13. 

  14. 

  15. def validate_jwt_token(view=None):

  16.     def decorator(view):

  17.         @wraps(view)

  18.         def decorated(*args, **kwargs):

  19.             app_model, end_user = decode_jwt_token()

  20. 

  21.             return view(app_model, end_user, *args, **kwargs)

  22. 

  23.         return decorated

  24. 

  25.     if view:

  26.         return decorator(view)

  27.     return decorator

  28. 

  29. 

  30. def decode_jwt_token():

  31.     system_features = FeatureService.get_system_features()

  32.     app_code = str(request.headers.get("X-App-Code"))

  33.     try:

  34.         auth_header = request.headers.get("Authorization")

  35.         if auth_header is None:

  36.             raise Unauthorized("Authorization header is missing.")

  37. 

  38.         if " " not in auth_header:

  39.             raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")

  40. 

  41.         auth_scheme, tk = auth_header.split(None, 1)

  42.         auth_scheme = auth_scheme.lower()

  43. 

  44.         if auth_scheme != "bearer":

  45.             raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")

  46.         decoded = PassportService().verify(tk)

  47.         app_code = decoded.get("app_code")

  48.         app_model = db.session.query(App).filter(App.id == decoded["app_id"]).first()

  49.         site = db.session.query(Site).filter(Site.code == app_code).first()

  50.         if not app_model:

  51.             raise NotFound()

  52.         if not app_code or not site:

  53.             raise BadRequest("Site URL is no longer valid.")

  54.         if app_model.enable_site is False:

  55.             raise BadRequest("Site is disabled.")

  56.         end_user = db.session.query(EndUser).filter(EndUser.id == decoded["end_user_id"]).first()

  57.         if not end_user:

  58.             raise NotFound()

  59. 

  60.         # for enterprise webapp auth

  61.         app_web_auth_enabled = False

  62.         if system_features.webapp_auth.enabled:

  63.             app_web_auth_enabled = (

  64.                 EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code).access_mode != "public"

  65.             )

  66. 

  67.         _validate_webapp_token(decoded, app_web_auth_enabled, system_features.webapp_auth.enabled)

  68.         _validate_user_accessibility(decoded, app_code, app_web_auth_enabled, system_features.webapp_auth.enabled)

  69. 

  70.         return app_model, end_user

  71.     except Unauthorized as e:

  72.         if system_features.webapp_auth.enabled:

  73.             app_web_auth_enabled = (

  74.                 EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=str(app_code)).access_mode != "public"

  75.             )

  76.             if app_web_auth_enabled:

  77.                 raise WebAppAuthRequiredError()

  78. 

  79.         raise Unauthorized(e.description)

  80. 

  81. 

  82. def _validate_webapp_token(decoded, app_web_auth_enabled: bool, system_webapp_auth_enabled: bool):

  83.     # Check if authentication is enforced for web app, and if the token source is not webapp,

  84.     # raise an error and redirect to login

  85.     if system_webapp_auth_enabled and app_web_auth_enabled:

  86.         source = decoded.get("token_source")

  87.         if not source or source != "webapp":

  88.             raise WebAppAuthRequiredError()

  89. 

  90.     # Check if authentication is not enforced for web, and if the token source is webapp,

  91.     # raise an error and redirect to normal passport login

  92.     if not system_webapp_auth_enabled or not app_web_auth_enabled:

  93.         source = decoded.get("token_source")

  94.         if source and source == "webapp":

  95.             raise Unauthorized("webapp token expired.")

  96. 

  97. 

  98. def _validate_user_accessibility(decoded, app_code, app_web_auth_enabled: bool, system_webapp_auth_enabled: bool):

  99.     if system_webapp_auth_enabled and app_web_auth_enabled:

  100.         # Check if the user is allowed to access the web app

  101.         user_id = decoded.get("user_id")

  102.         if not user_id:

  103.             raise WebAppAuthRequiredError()

  104. 

  105.         if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id, app_code=app_code):

  106.             raise WebAppAuthAccessDeniedError()

  107. 

  108. 

  109. class WebApiResource(Resource):

  110.     method_decorators = [validate_jwt_token]