refactor: replace localStorage with HTTP-only cookies for auth tokens (#24365)

Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Signed-off-by: lyzno1 <yuanyouhuilyz@gmail.com> Signed-off-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Yunlu Wen <wylswz@163.com> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: GareArc <chen4851@purdue.edu> Co-authored-by: NFish <douxc512@gmail.com> Co-authored-by: Davide Delbianco <davide.delbianco@outlook.com> Co-authored-by: minglu7 <1347866672@qq.com> Co-authored-by: Ponder <ruan.lj@foxmail.com> Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: heyszt <270985384@qq.com> Co-authored-by: Asuka Minato <i@asukaminato.eu.org> Co-authored-by: Guangdong Liu <liugddx@gmail.com> Co-authored-by: Eric Guo <eric.guocz@gmail.com> Co-authored-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Co-authored-by: XlKsyt <caixuesen@outlook.com> Co-authored-by: Dhruv Gorasiya <80987415+DhruvGorasiya@users.noreply.github.com> Co-authored-by: crazywoola <427733928@qq.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: lyzno1 <92089059+lyzno1@users.noreply.github.com> Co-authored-by: hj24 <mambahj24@gmail.com> Co-authored-by: GuanMu <ballmanjq@gmail.com> Co-authored-by: 非法操作 <hjlarry@163.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Tonlo <123lzs123@gmail.com> Co-authored-by: Yusuke Yamada <yamachu.dev@gmail.com> Co-authored-by: Novice <novice12185727@gmail.com> Co-authored-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Ademílson Tonato <ademilsonft@outlook.com> Co-authored-by: znn <jubinkumarsoni@gmail.com> Co-authored-by: yangzheli <43645580+yangzheli@users.noreply.github.com>
2025-10-19 21:29:04 +08:00
parent 141ca8904a
commit 9a5f214623
60 changed files with 879 additions and 533 deletions
--- a/api/controllers/web/app.py
+++ b/api/controllers/web/app.py
@@ -4,12 +4,14 @@ from flask import request
 from flask_restx import Resource, marshal_with, reqparse
 from werkzeug.exceptions import Unauthorized

+from constants import HEADER_NAME_APP_CODE
 from controllers.common import fields
 from controllers.web import web_ns
 from controllers.web.error import AppUnavailableError
 from controllers.web.wraps import WebApiResource
 from core.app.app_config.common.parameters_mapping import get_parameters_from_feature_dict
 from libs.passport import PassportService
+from libs.token import extract_webapp_passport
 from models.model import App, AppMode
 from services.app_service import AppService
 from services.enterprise.enterprise_service import EnterpriseService
@@ -133,18 +135,19 @@ class AppWebAuthPermission(Resource):
    )
    def get(self):
        user_id = "visitor"
+        app_code = request.headers.get(HEADER_NAME_APP_CODE)
+        app_id = request.args.get("appId")
+        if not app_id or not app_code:
+            raise ValueError("appId must be provided")
+
+        require_permission_check = WebAppAuthService.is_app_require_permission_check(app_id=app_id)
+        if not require_permission_check:
+            return {"result": True}
+
        try:
-            auth_header = request.headers.get("Authorization")
-            if auth_header is None:
-                raise Unauthorized("Authorization header is missing.")
-            if " " not in auth_header:
-                raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")
-
-            auth_scheme, tk = auth_header.split(None, 1)
-            auth_scheme = auth_scheme.lower()
-            if auth_scheme != "bearer":
-                raise Unauthorized("Authorization scheme must be 'Bearer'")
-
+            tk = extract_webapp_passport(app_code, request)
+            if not tk:
+                raise Unauthorized("Access token is missing.")
            decoded = PassportService().verify(tk)
            user_id = decoded.get("user_id", "visitor")
        except Unauthorized:
@@ -157,13 +160,7 @@ class AppWebAuthPermission(Resource):
        if not features.webapp_auth.enabled:
            return {"result": True}

-        parser = reqparse.RequestParser().add_argument("appId", type=str, required=True, location="args")
-        args = parser.parse_args()
-
-        app_id = args["appId"]
-        app_code = AppService.get_app_code_by_id(app_id)
-
        res = True
        if WebAppAuthService.is_app_require_permission_check(app_id=app_id):
-            res = EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(str(user_id), app_code)
+            res = EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(str(user_id), app_id)
        return {"result": res}
--- a/api/controllers/web/login.py
+++ b/api/controllers/web/login.py
@@ -1,7 +1,9 @@
+from flask import make_response, request
 from flask_restx import Resource, reqparse
 from jwt import InvalidTokenError

 import services
+from configs import dify_config
 from controllers.console.auth.error import (
    AuthenticationFailedError,
    EmailCodeError,
@@ -10,9 +12,16 @@ from controllers.console.auth.error import (
 from controllers.console.error import AccountBannedError
 from controllers.console.wraps import only_edition_enterprise, setup_required
 from controllers.web import web_ns
+from controllers.web.wraps import decode_jwt_token
 from libs.helper import email
+from libs.passport import PassportService
 from libs.password import valid_password
+from libs.token import (
+    clear_access_token_from_cookie,
+    extract_access_token,
+)
 from services.account_service import AccountService
+from services.app_service import AppService
 from services.webapp_auth_service import WebAppAuthService


@@ -52,17 +61,75 @@ class LoginApi(Resource):
            raise AuthenticationFailedError()

        token = WebAppAuthService.login(account=account)
-        return {"result": "success", "data": {"access_token": token}}
+        response = make_response({"result": "success", "data": {"access_token": token}})
+        # set_access_token_to_cookie(request, response, token, samesite="None", httponly=False)
+        return response


-# class LogoutApi(Resource):
-#     @setup_required
-#     def get(self):
-#         account = cast(Account, flask_login.current_user)
-#         if isinstance(account, flask_login.AnonymousUserMixin):
-#             return {"result": "success"}
-#         flask_login.logout_user()
-#         return {"result": "success"}
+# this api helps frontend to check whether user is authenticated
+# TODO: remove in the future. frontend should redirect to login page by catching 401 status
+@web_ns.route("/login/status")
+class LoginStatusApi(Resource):
+    @setup_required
+    @web_ns.doc("web_app_login_status")
+    @web_ns.doc(description="Check login status")
+    @web_ns.doc(
+        responses={
+            200: "Login status",
+            401: "Login status",
+        }
+    )
+    def get(self):
+        app_code = request.args.get("app_code")
+        token = extract_access_token(request)
+        if not app_code:
+            return {
+                "logged_in": bool(token),
+                "app_logged_in": False,
+            }
+        app_id = AppService.get_app_id_by_code(app_code)
+        is_public = not dify_config.ENTERPRISE_ENABLED or not WebAppAuthService.is_app_require_permission_check(
+            app_id=app_id
+        )
+        user_logged_in = False
+
+        if is_public:
+            user_logged_in = True
+        else:
+            try:
+                PassportService().verify(token=token)
+                user_logged_in = True
+            except Exception:
+                user_logged_in = False
+
+        try:
+            _ = decode_jwt_token(app_code=app_code)
+            app_logged_in = True
+        except Exception:
+            app_logged_in = False
+
+        return {
+            "logged_in": user_logged_in,
+            "app_logged_in": app_logged_in,
+        }
+
+
+@web_ns.route("/logout")
+class LogoutApi(Resource):
+    @setup_required
+    @web_ns.doc("web_app_logout")
+    @web_ns.doc(description="Logout user from web application")
+    @web_ns.doc(
+        responses={
+            200: "Logout successful",
+        }
+    )
+    def post(self):
+        response = make_response({"result": "success"})
+        # enterprise SSO sets same site to None in https deployment
+        # so we need to logout by calling api
+        clear_access_token_from_cookie(response, samesite="None")
+        return response


@web_ns.route("/email-code-login")
@@ -96,7 +163,6 @@ class EmailCodeLoginSendEmailApi(Resource):
            raise AuthenticationFailedError()
        else:
            token = WebAppAuthService.send_email_code_login_email(account=account, language=language)
-
        return {"result": "success", "data": token}


@@ -142,4 +208,6 @@ class EmailCodeLoginApi(Resource):

        token = WebAppAuthService.login(account=account)
        AccountService.reset_login_error_rate_limit(args["email"])
-        return {"result": "success", "data": {"access_token": token}}
+        response = make_response({"result": "success", "data": {"access_token": token}})
+        # set_access_token_to_cookie(request, response, token, samesite="None", httponly=False)
+        return response
--- a/api/controllers/web/passport.py
+++ b/api/controllers/web/passport.py
@@ -1,17 +1,20 @@
 import uuid
 from datetime import UTC, datetime, timedelta

-from flask import request
+from flask import make_response, request
 from flask_restx import Resource
 from sqlalchemy import func, select
 from werkzeug.exceptions import NotFound, Unauthorized

 from configs import dify_config
+from constants import HEADER_NAME_APP_CODE
 from controllers.web import web_ns
 from controllers.web.error import WebAppAuthRequiredError
 from extensions.ext_database import db
 from libs.passport import PassportService
+from libs.token import extract_access_token
 from models.model import App, EndUser, Site
+from services.app_service import AppService
 from services.enterprise.enterprise_service import EnterpriseService
 from services.feature_service import FeatureService
 from services.webapp_auth_service import WebAppAuthService, WebAppAuthType
@@ -32,15 +35,15 @@ class PassportResource(Resource):
    )
    def get(self):
        system_features = FeatureService.get_system_features()
-        app_code = request.headers.get("X-App-Code")
+        app_code = request.headers.get(HEADER_NAME_APP_CODE)
        user_id = request.args.get("user_id")
-        web_app_access_token = request.args.get("web_app_access_token")
+        access_token = extract_access_token(request)

        if app_code is None:
            raise Unauthorized("X-App-Code header is missing.")
-
+        app_id = AppService.get_app_id_by_code(app_code)
        # exchange token for enterprise logined web user
-        enterprise_user_decoded = decode_enterprise_webapp_user_id(web_app_access_token)
+        enterprise_user_decoded = decode_enterprise_webapp_user_id(access_token)
        if enterprise_user_decoded:
            # a web user has already logged in, exchange a token for this app without redirecting to the login page
            return exchange_token_for_existing_web_user(
@@ -48,7 +51,7 @@ class PassportResource(Resource):
            )

        if system_features.webapp_auth.enabled:
-            app_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code)
+            app_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id=app_id)
            if not app_settings or not app_settings.access_mode == "public":
                raise WebAppAuthRequiredError()

@@ -99,9 +102,12 @@ class PassportResource(Resource):

        tk = PassportService().issue(payload)

-        return {
-            "access_token": tk,
-        }
+        response = make_response(
+            {
+                "access_token": tk,
+            }
+        )
+        return response


 def decode_enterprise_webapp_user_id(jwt_token: str | None):
@@ -189,9 +195,12 @@ def exchange_token_for_existing_web_user(app_code: str, enterprise_user_decoded:
        "exp": exp,
    }
    token: str = PassportService().issue(payload)
-    return {
-        "access_token": token,
-    }
+    resp = make_response(
+        {
+            "access_token": token,
+        }
+    )
+    return resp


 def _exchange_for_public_app_token(app_model, site, token_decoded):
@@ -224,9 +233,12 @@ def _exchange_for_public_app_token(app_model, site, token_decoded):

    tk = PassportService().issue(payload)

-    return {
-        "access_token": tk,
-    }
+    resp = make_response(
+        {
+            "access_token": tk,
+        }
+    )
+    return resp


 def generate_session_id():
--- a/api/controllers/web/wraps.py
+++ b/api/controllers/web/wraps.py
@@ -9,10 +9,13 @@ from sqlalchemy import select
 from sqlalchemy.orm import Session
 from werkzeug.exceptions import BadRequest, NotFound, Unauthorized

+from constants import HEADER_NAME_APP_CODE
 from controllers.web.error import WebAppAuthAccessDeniedError, WebAppAuthRequiredError
 from extensions.ext_database import db
 from libs.passport import PassportService
+from libs.token import extract_webapp_passport
 from models.model import App, EndUser, Site
+from services.app_service import AppService
 from services.enterprise.enterprise_service import EnterpriseService, WebAppSettings
 from services.feature_service import FeatureService
 from services.webapp_auth_service import WebAppAuthService
@@ -35,22 +38,14 @@ def validate_jwt_token(view: Callable[Concatenate[App, EndUser, P], R] | None =
    return decorator


-def decode_jwt_token():
+def decode_jwt_token(app_code: str | None = None):
    system_features = FeatureService.get_system_features()
-    app_code = str(request.headers.get("X-App-Code"))
+    if not app_code:
+        app_code = str(request.headers.get(HEADER_NAME_APP_CODE))
    try:
-        auth_header = request.headers.get("Authorization")
-        if auth_header is None:
-            raise Unauthorized("Authorization header is missing.")
-
-        if " " not in auth_header:
-            raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")
-
-        auth_scheme, tk = auth_header.split(None, 1)
-        auth_scheme = auth_scheme.lower()
-
-        if auth_scheme != "bearer":
-            raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")
+        tk = extract_webapp_passport(app_code, request)
+        if not tk:
+            raise Unauthorized("App token is missing.")
        decoded = PassportService().verify(tk)
        app_code = decoded.get("app_code")
        app_id = decoded.get("app_id")
@@ -72,7 +67,8 @@ def decode_jwt_token():
        app_web_auth_enabled = False
        webapp_settings = None
        if system_features.webapp_auth.enabled:
-            webapp_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code)
+            app_id = AppService.get_app_id_by_code(app_code)
+            webapp_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id)
            if not webapp_settings:
                raise NotFound("Web app settings not found.")
            app_web_auth_enabled = webapp_settings.access_mode != "public"
@@ -87,8 +83,9 @@ def decode_jwt_token():
        if system_features.webapp_auth.enabled:
            if not app_code:
                raise Unauthorized("Please re-login to access the web app.")
+            app_id = AppService.get_app_id_by_code(app_code)
            app_web_auth_enabled = (
-                EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=str(app_code)).access_mode != "public"
+                EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id=app_id).access_mode != "public"
            )
            if app_web_auth_enabled:
                raise WebAppAuthRequiredError()
@@ -129,7 +126,8 @@ def _validate_user_accessibility(
            raise WebAppAuthRequiredError("Web app settings not found.")

        if WebAppAuthService.is_app_require_permission_check(access_mode=webapp_settings.access_mode):
-            if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id, app_code=app_code):
+            app_id = AppService.get_app_id_by_code(app_code)
+            if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id, app_id):
                raise WebAppAuthAccessDeniedError()

        auth_type = decoded.get("auth_type")