9a5f214623
Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Signed-off-by: lyzno1 <yuanyouhuilyz@gmail.com> Signed-off-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Yunlu Wen <wylswz@163.com> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: GareArc <chen4851@purdue.edu> Co-authored-by: NFish <douxc512@gmail.com> Co-authored-by: Davide Delbianco <davide.delbianco@outlook.com> Co-authored-by: minglu7 <1347866672@qq.com> Co-authored-by: Ponder <ruan.lj@foxmail.com> Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: heyszt <270985384@qq.com> Co-authored-by: Asuka Minato <i@asukaminato.eu.org> Co-authored-by: Guangdong Liu <liugddx@gmail.com> Co-authored-by: Eric Guo <eric.guocz@gmail.com> Co-authored-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Co-authored-by: XlKsyt <caixuesen@outlook.com> Co-authored-by: Dhruv Gorasiya <80987415+DhruvGorasiya@users.noreply.github.com> Co-authored-by: crazywoola <427733928@qq.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: lyzno1 <92089059+lyzno1@users.noreply.github.com> Co-authored-by: hj24 <mambahj24@gmail.com> Co-authored-by: GuanMu <ballmanjq@gmail.com> Co-authored-by: 非法操作 <hjlarry@163.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Tonlo <123lzs123@gmail.com> Co-authored-by: Yusuke Yamada <yamachu.dev@gmail.com> Co-authored-by: Novice <novice12185727@gmail.com> Co-authored-by: kenwoodjw <blackxin55+@gmail.com> Co-authored-by: Ademílson Tonato <ademilsonft@outlook.com> Co-authored-by: znn <jubinkumarsoni@gmail.com> Co-authored-by: yangzheli <43645580+yangzheli@users.noreply.github.com>
214 lines
7.2 KiB
Python
214 lines
7.2 KiB
Python
from flask import make_response, request
|
|
from flask_restx import Resource, reqparse
|
|
from jwt import InvalidTokenError
|
|
|
|
import services
|
|
from configs import dify_config
|
|
from controllers.console.auth.error import (
|
|
AuthenticationFailedError,
|
|
EmailCodeError,
|
|
InvalidEmailError,
|
|
)
|
|
from controllers.console.error import AccountBannedError
|
|
from controllers.console.wraps import only_edition_enterprise, setup_required
|
|
from controllers.web import web_ns
|
|
from controllers.web.wraps import decode_jwt_token
|
|
from libs.helper import email
|
|
from libs.passport import PassportService
|
|
from libs.password import valid_password
|
|
from libs.token import (
|
|
clear_access_token_from_cookie,
|
|
extract_access_token,
|
|
)
|
|
from services.account_service import AccountService
|
|
from services.app_service import AppService
|
|
from services.webapp_auth_service import WebAppAuthService
|
|
|
|
|
|
@web_ns.route("/login")
|
|
class LoginApi(Resource):
|
|
"""Resource for web app email/password login."""
|
|
|
|
@setup_required
|
|
@only_edition_enterprise
|
|
@web_ns.doc("web_app_login")
|
|
@web_ns.doc(description="Authenticate user for web application access")
|
|
@web_ns.doc(
|
|
responses={
|
|
200: "Authentication successful",
|
|
400: "Bad request - invalid email or password format",
|
|
401: "Authentication failed - email or password mismatch",
|
|
403: "Account banned or login disabled",
|
|
404: "Account not found",
|
|
}
|
|
)
|
|
def post(self):
|
|
"""Authenticate user and login."""
|
|
parser = (
|
|
reqparse.RequestParser()
|
|
.add_argument("email", type=email, required=True, location="json")
|
|
.add_argument("password", type=valid_password, required=True, location="json")
|
|
)
|
|
args = parser.parse_args()
|
|
|
|
try:
|
|
account = WebAppAuthService.authenticate(args["email"], args["password"])
|
|
except services.errors.account.AccountLoginError:
|
|
raise AccountBannedError()
|
|
except services.errors.account.AccountPasswordError:
|
|
raise AuthenticationFailedError()
|
|
except services.errors.account.AccountNotFoundError:
|
|
raise AuthenticationFailedError()
|
|
|
|
token = WebAppAuthService.login(account=account)
|
|
response = make_response({"result": "success", "data": {"access_token": token}})
|
|
# set_access_token_to_cookie(request, response, token, samesite="None", httponly=False)
|
|
return response
|
|
|
|
|
|
# this api helps frontend to check whether user is authenticated
|
|
# TODO: remove in the future. frontend should redirect to login page by catching 401 status
|
|
@web_ns.route("/login/status")
|
|
class LoginStatusApi(Resource):
|
|
@setup_required
|
|
@web_ns.doc("web_app_login_status")
|
|
@web_ns.doc(description="Check login status")
|
|
@web_ns.doc(
|
|
responses={
|
|
200: "Login status",
|
|
401: "Login status",
|
|
}
|
|
)
|
|
def get(self):
|
|
app_code = request.args.get("app_code")
|
|
token = extract_access_token(request)
|
|
if not app_code:
|
|
return {
|
|
"logged_in": bool(token),
|
|
"app_logged_in": False,
|
|
}
|
|
app_id = AppService.get_app_id_by_code(app_code)
|
|
is_public = not dify_config.ENTERPRISE_ENABLED or not WebAppAuthService.is_app_require_permission_check(
|
|
app_id=app_id
|
|
)
|
|
user_logged_in = False
|
|
|
|
if is_public:
|
|
user_logged_in = True
|
|
else:
|
|
try:
|
|
PassportService().verify(token=token)
|
|
user_logged_in = True
|
|
except Exception:
|
|
user_logged_in = False
|
|
|
|
try:
|
|
_ = decode_jwt_token(app_code=app_code)
|
|
app_logged_in = True
|
|
except Exception:
|
|
app_logged_in = False
|
|
|
|
return {
|
|
"logged_in": user_logged_in,
|
|
"app_logged_in": app_logged_in,
|
|
}
|
|
|
|
|
|
@web_ns.route("/logout")
|
|
class LogoutApi(Resource):
|
|
@setup_required
|
|
@web_ns.doc("web_app_logout")
|
|
@web_ns.doc(description="Logout user from web application")
|
|
@web_ns.doc(
|
|
responses={
|
|
200: "Logout successful",
|
|
}
|
|
)
|
|
def post(self):
|
|
response = make_response({"result": "success"})
|
|
# enterprise SSO sets same site to None in https deployment
|
|
# so we need to logout by calling api
|
|
clear_access_token_from_cookie(response, samesite="None")
|
|
return response
|
|
|
|
|
|
@web_ns.route("/email-code-login")
|
|
class EmailCodeLoginSendEmailApi(Resource):
|
|
@setup_required
|
|
@only_edition_enterprise
|
|
@web_ns.doc("send_email_code_login")
|
|
@web_ns.doc(description="Send email verification code for login")
|
|
@web_ns.doc(
|
|
responses={
|
|
200: "Email code sent successfully",
|
|
400: "Bad request - invalid email format",
|
|
404: "Account not found",
|
|
}
|
|
)
|
|
def post(self):
|
|
parser = (
|
|
reqparse.RequestParser()
|
|
.add_argument("email", type=email, required=True, location="json")
|
|
.add_argument("language", type=str, required=False, location="json")
|
|
)
|
|
args = parser.parse_args()
|
|
|
|
if args["language"] is not None and args["language"] == "zh-Hans":
|
|
language = "zh-Hans"
|
|
else:
|
|
language = "en-US"
|
|
|
|
account = WebAppAuthService.get_user_through_email(args["email"])
|
|
if account is None:
|
|
raise AuthenticationFailedError()
|
|
else:
|
|
token = WebAppAuthService.send_email_code_login_email(account=account, language=language)
|
|
return {"result": "success", "data": token}
|
|
|
|
|
|
@web_ns.route("/email-code-login/validity")
|
|
class EmailCodeLoginApi(Resource):
|
|
@setup_required
|
|
@only_edition_enterprise
|
|
@web_ns.doc("verify_email_code_login")
|
|
@web_ns.doc(description="Verify email code and complete login")
|
|
@web_ns.doc(
|
|
responses={
|
|
200: "Email code verified and login successful",
|
|
400: "Bad request - invalid code or token",
|
|
401: "Invalid token or expired code",
|
|
404: "Account not found",
|
|
}
|
|
)
|
|
def post(self):
|
|
parser = (
|
|
reqparse.RequestParser()
|
|
.add_argument("email", type=str, required=True, location="json")
|
|
.add_argument("code", type=str, required=True, location="json")
|
|
.add_argument("token", type=str, required=True, location="json")
|
|
)
|
|
args = parser.parse_args()
|
|
|
|
user_email = args["email"]
|
|
|
|
token_data = WebAppAuthService.get_email_code_login_data(args["token"])
|
|
if token_data is None:
|
|
raise InvalidTokenError()
|
|
|
|
if token_data["email"] != args["email"]:
|
|
raise InvalidEmailError()
|
|
|
|
if token_data["code"] != args["code"]:
|
|
raise EmailCodeError()
|
|
|
|
WebAppAuthService.revoke_email_code_login_token(args["token"])
|
|
account = WebAppAuthService.get_user_through_email(user_email)
|
|
if not account:
|
|
raise AuthenticationFailedError()
|
|
|
|
token = WebAppAuthService.login(account=account)
|
|
AccountService.reset_login_error_rate_limit(args["email"])
|
|
response = make_response({"result": "success", "data": {"access_token": token}})
|
|
# set_access_token_to_cookie(request, response, token, samesite="None", httponly=False)
|
|
return response
|