OpenSource
/
dify
Watch 4
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 152 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6446 Commits
4 Branches
Tree: ef51678c73
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ef51678c73'
${ noResults }
dify/api/extensions/ext_login.py

ext_login.py 4.6KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117 
  1. import json

  2. 

  3. import flask_login  # type: ignore

  4. from flask import Response, request

  5. from flask_login import user_loaded_from_request, user_logged_in

  6. from werkzeug.exceptions import NotFound, Unauthorized

  7. 

  8. from configs import dify_config

  9. from dify_app import DifyApp

  10. from extensions.ext_database import db

  11. from libs.passport import PassportService

  12. from models.account import Account, Tenant, TenantAccountJoin

  13. from models.model import AppMCPServer, EndUser

  14. from services.account_service import AccountService

  15. 

  16. login_manager = flask_login.LoginManager()

  17. 

  18. 

  19. # Flask-Login configuration

  20. @login_manager.request_loader

  21. def load_user_from_request(request_from_flask_login):

  22.     """Load user based on the request."""

  23.     auth_header = request.headers.get("Authorization", "")

  24.     auth_token: str | None = None

  25.     if auth_header:

  26.         if " " not in auth_header:

  27.             raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")

  28.         auth_scheme, auth_token = auth_header.split(maxsplit=1)

  29.         auth_scheme = auth_scheme.lower()

  30.         if auth_scheme != "bearer":

  31.             raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")

  32.     else:

  33.         auth_token = request.args.get("_token")

  34. 

  35.     # Check for admin API key authentication first

  36.     if dify_config.ADMIN_API_KEY_ENABLE and auth_header:

  37.         admin_api_key = dify_config.ADMIN_API_KEY

  38.         if admin_api_key and admin_api_key == auth_token:

  39.             workspace_id = request.headers.get("X-WORKSPACE-ID")

  40.             if workspace_id:

  41.                 tenant_account_join = (

  42.                     db.session.query(Tenant, TenantAccountJoin)

  43.                     .where(Tenant.id == workspace_id)

  44.                     .where(TenantAccountJoin.tenant_id == Tenant.id)

  45.                     .where(TenantAccountJoin.role == "owner")

  46.                     .one_or_none()

  47.                 )

  48.                 if tenant_account_join:

  49.                     tenant, ta = tenant_account_join

  50.                     account = db.session.query(Account).filter_by(id=ta.account_id).first()

  51.                     if account:

  52.                         account.current_tenant = tenant

  53.                         return account

  54. 

  55.     if request.blueprint in {"console", "inner_api"}:

  56.         if not auth_token:

  57.             raise Unauthorized("Invalid Authorization token.")

  58.         decoded = PassportService().verify(auth_token)

  59.         user_id = decoded.get("user_id")

  60.         source = decoded.get("token_source")

  61.         if source:

  62.             raise Unauthorized("Invalid Authorization token.")

  63.         if not user_id:

  64.             raise Unauthorized("Invalid Authorization token.")

  65. 

  66.         logged_in_account = AccountService.load_logged_in_account(account_id=user_id)

  67.         return logged_in_account

  68.     elif request.blueprint == "web":

  69.         decoded = PassportService().verify(auth_token)

  70.         end_user_id = decoded.get("end_user_id")

  71.         if not end_user_id:

  72.             raise Unauthorized("Invalid Authorization token.")

  73.         end_user = db.session.query(EndUser).where(EndUser.id == decoded["end_user_id"]).first()

  74.         if not end_user:

  75.             raise NotFound("End user not found.")

  76.         return end_user

  77.     elif request.blueprint == "mcp":

  78.         server_code = request.view_args.get("server_code") if request.view_args else None

  79.         if not server_code:

  80.             raise Unauthorized("Invalid Authorization token.")

  81.         app_mcp_server = db.session.query(AppMCPServer).where(AppMCPServer.server_code == server_code).first()

  82.         if not app_mcp_server:

  83.             raise NotFound("App MCP server not found.")

  84.         end_user = (

  85.             db.session.query(EndUser)

  86.             .where(EndUser.external_user_id == app_mcp_server.id, EndUser.type == "mcp")

  87.             .first()

  88.         )

  89.         if not end_user:

  90.             raise NotFound("End user not found.")

  91.         return end_user

  92. 

  93. 

  94. @user_logged_in.connect

  95. @user_loaded_from_request.connect

  96. def on_user_logged_in(_sender, user):

  97.     """Called when a user logged in.

  98. 

  99.     Note: AccountService.load_logged_in_account will populate user.current_tenant_id

  100.     through the load_user method, which calls account.set_tenant_id().

  101.     """

  102.     # tenant_id context variable removed - using current_user.current_tenant_id directly

  103.     pass

  104. 

  105. 

  106. @login_manager.unauthorized_handler

  107. def unauthorized_handler():

  108.     """Handle unauthorized requests."""

  109.     return Response(

  110.         json.dumps({"code": "unauthorized", "message": "Unauthorized."}),

  111.         status=401,

  112.         content_type="application/json",

  113.     )

  114. 

  115. 

  116. def init_app(app: DifyApp):

  117.     login_manager.init_app(app)