From 860ee20c71cace6ccf733af475493cc33181d633 Mon Sep 17 00:00:00 2001
From: zyssyz123 <916125788@qq.com>
Date: Mon, 8 Sep 2025 17:51:43 +0800
Subject: [PATCH] feat: email register refactor (#25344)
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com>
---
api/.env.example | 1 +
api/configs/feature/__init__.py | 11 ++
api/controllers/console/__init__.py | 11 +-
.../console/auth/email_register.py | 154 ++++++++++++++++++
api/controllers/console/auth/error.py | 12 ++
.../console/auth/forgot_password.py | 39 +----
api/controllers/console/auth/login.py | 28 +---
api/controllers/console/wraps.py | 13 ++
api/libs/email_i18n.py | 52 ++++++
api/services/account_service.py | 111 ++++++++++++-
api/tasks/mail_register_task.py | 86 ++++++++++
api/tasks/mail_reset_password_task.py | 45 +++++
.../register_email_template_en-US.html | 87 ++++++++++
.../register_email_template_zh-CN.html | 87 ++++++++++
...ail_when_account_exist_template_en-US.html | 94 +++++++++++
...ail_when_account_exist_template_zh-CN.html | 95 +++++++++++
..._not_exist_no_register_template_en-US.html | 85 ++++++++++
..._not_exist_no_register_template_zh-CN.html | 84 ++++++++++
...when_account_not_exist_template_en-US.html | 89 ++++++++++
...when_account_not_exist_template_zh-CN.html | 89 ++++++++++
.../register_email_template_en-US.html | 83 ++++++++++
.../register_email_template_zh-CN.html | 83 ++++++++++
...ail_when_account_exist_template_en-US.html | 90 ++++++++++
...ail_when_account_exist_template_zh-CN.html | 91 +++++++++++
..._not_exist_no_register_template_en-US.html | 81 +++++++++
..._not_exist_no_register_template_zh-CN.html | 81 +++++++++
...when_account_not_exist_template_en-US.html | 85 ++++++++++
...when_account_not_exist_template_zh-CN.html | 85 ++++++++++
api/tests/integration_tests/.env.example | 1 +
.../services/test_account_service.py | 3 +-
.../auth/test_authentication_security.py | 34 ++--
.../services/test_account_service.py | 3 +-
docker/.env.example | 1 +
docker/docker-compose.yaml | 1 +
34 files changed, 1916 insertions(+), 79 deletions(-)
create mode 100644 api/controllers/console/auth/email_register.py
create mode 100644 api/tasks/mail_register_task.py
create mode 100644 api/templates/register_email_template_en-US.html
create mode 100644 api/templates/register_email_template_zh-CN.html
create mode 100644 api/templates/register_email_when_account_exist_template_en-US.html
create mode 100644 api/templates/register_email_when_account_exist_template_zh-CN.html
create mode 100644 api/templates/reset_password_mail_when_account_not_exist_no_register_template_en-US.html
create mode 100644 api/templates/reset_password_mail_when_account_not_exist_no_register_template_zh-CN.html
create mode 100644 api/templates/reset_password_mail_when_account_not_exist_template_en-US.html
create mode 100644 api/templates/reset_password_mail_when_account_not_exist_template_zh-CN.html
create mode 100644 api/templates/without-brand/register_email_template_en-US.html
create mode 100644 api/templates/without-brand/register_email_template_zh-CN.html
create mode 100644 api/templates/without-brand/register_email_when_account_exist_template_en-US.html
create mode 100644 api/templates/without-brand/register_email_when_account_exist_template_zh-CN.html
create mode 100644 api/templates/without-brand/reset_password_mail_when_account_not_exist_no_register_template_en-US.html
create mode 100644 api/templates/without-brand/reset_password_mail_when_account_not_exist_no_register_template_zh-CN.html
create mode 100644 api/templates/without-brand/reset_password_mail_when_account_not_exist_template_en-US.html
create mode 100644 api/templates/without-brand/reset_password_mail_when_account_not_exist_template_zh-CN.html
diff --git a/api/.env.example b/api/.env.example
index eb88c114e6..76f4c505f5 100644
--- a/api/.env.example
+++ b/api/.env.example
@@ -530,6 +530,7 @@ ENDPOINT_URL_TEMPLATE=http://localhost:5002/e/{hook_id}
# Reset password token expiry minutes
RESET_PASSWORD_TOKEN_EXPIRY_MINUTES=5
+EMAIL_REGISTER_TOKEN_EXPIRY_MINUTES=5
CHANGE_EMAIL_TOKEN_EXPIRY_MINUTES=5
OWNER_TRANSFER_TOKEN_EXPIRY_MINUTES=5
diff --git a/api/configs/feature/__init__.py b/api/configs/feature/__init__.py
index 7638cd1899..d6dc9710fb 100644
--- a/api/configs/feature/__init__.py
+++ b/api/configs/feature/__init__.py
@@ -31,6 +31,12 @@ class SecurityConfig(BaseSettings):
description="Duration in minutes for which a password reset token remains valid",
default=5,
)
+
+ EMAIL_REGISTER_TOKEN_EXPIRY_MINUTES: PositiveInt = Field(
+ description="Duration in minutes for which a email register token remains valid",
+ default=5,
+ )
+
CHANGE_EMAIL_TOKEN_EXPIRY_MINUTES: PositiveInt = Field(
description="Duration in minutes for which a change email token remains valid",
default=5,
@@ -639,6 +645,11 @@ class AuthConfig(BaseSettings):
default=86400,
)
+ EMAIL_REGISTER_LOCKOUT_DURATION: PositiveInt = Field(
+ description="Time (in seconds) a user must wait before retrying email register after exceeding the rate limit.",
+ default=86400,
+ )
+
class ModerationConfig(BaseSettings):
"""
diff --git a/api/controllers/console/__init__.py b/api/controllers/console/__init__.py
index 5ad7645969..9634f3ca17 100644
--- a/api/controllers/console/__init__.py
+++ b/api/controllers/console/__init__.py
@@ -70,7 +70,16 @@ from .app import (
)
# Import auth controllers
-from .auth import activate, data_source_bearer_auth, data_source_oauth, forgot_password, login, oauth, oauth_server
+from .auth import (
+ activate,
+ data_source_bearer_auth,
+ data_source_oauth,
+ email_register,
+ forgot_password,
+ login,
+ oauth,
+ oauth_server,
+)
# Import billing controllers
from .billing import billing, compliance
diff --git a/api/controllers/console/auth/email_register.py b/api/controllers/console/auth/email_register.py
new file mode 100644
index 0000000000..458e70c8de
--- /dev/null
+++ b/api/controllers/console/auth/email_register.py
@@ -0,0 +1,154 @@
+from flask import request
+from flask_restx import Resource, reqparse
+from sqlalchemy import select
+from sqlalchemy.orm import Session
+
+from constants.languages import languages
+from controllers.console import api
+from controllers.console.auth.error import (
+ EmailAlreadyInUseError,
+ EmailCodeError,
+ EmailRegisterLimitError,
+ InvalidEmailError,
+ InvalidTokenError,
+ PasswordMismatchError,
+)
+from controllers.console.error import AccountInFreezeError, EmailSendIpLimitError
+from controllers.console.wraps import email_password_login_enabled, email_register_enabled, setup_required
+from extensions.ext_database import db
+from libs.helper import email, extract_remote_ip
+from libs.password import valid_password
+from models.account import Account
+from services.account_service import AccountService
+from services.errors.account import AccountRegisterError
+from services.errors.workspace import WorkSpaceNotAllowedCreateError, WorkspacesLimitExceededError
+
+
+class EmailRegisterSendEmailApi(Resource):
+ @setup_required
+ @email_password_login_enabled
+ @email_register_enabled
+ def post(self):
+ parser = reqparse.RequestParser()
+ parser.add_argument("email", type=email, required=True, location="json")
+ parser.add_argument("language", type=str, required=False, location="json")
+ args = parser.parse_args()
+
+ ip_address = extract_remote_ip(request)
+ if AccountService.is_email_send_ip_limit(ip_address):
+ raise EmailSendIpLimitError()
+
+ if args["language"] is not None and args["language"] == "zh-Hans":
+ language = "zh-Hans"
+ else:
+ language = "en-US"
+
+ with Session(db.engine) as session:
+ account = session.execute(select(Account).filter_by(email=args["email"])).scalar_one_or_none()
+ token = None
+ token = AccountService.send_email_register_email(email=args["email"], account=account, language=language)
+ return {"result": "success", "data": token}
+
+
+class EmailRegisterCheckApi(Resource):
+ @setup_required
+ @email_password_login_enabled
+ @email_register_enabled
+ def post(self):
+ parser = reqparse.RequestParser()
+ parser.add_argument("email", type=str, required=True, location="json")
+ parser.add_argument("code", type=str, required=True, location="json")
+ parser.add_argument("token", type=str, required=True, nullable=False, location="json")
+ args = parser.parse_args()
+
+ user_email = args["email"]
+
+ is_email_register_error_rate_limit = AccountService.is_email_register_error_rate_limit(args["email"])
+ if is_email_register_error_rate_limit:
+ raise EmailRegisterLimitError()
+
+ token_data = AccountService.get_email_register_data(args["token"])
+ if token_data is None:
+ raise InvalidTokenError()
+
+ if user_email != token_data.get("email"):
+ raise InvalidEmailError()
+
+ if args["code"] != token_data.get("code"):
+ AccountService.add_email_register_error_rate_limit(args["email"])
+ raise EmailCodeError()
+
+ # Verified, revoke the first token
+ AccountService.revoke_email_register_token(args["token"])
+
+ # Refresh token data by generating a new token
+ _, new_token = AccountService.generate_email_register_token(
+ user_email, code=args["code"], additional_data={"phase": "register"}
+ )
+
+ AccountService.reset_email_register_error_rate_limit(args["email"])
+ return {"is_valid": True, "email": token_data.get("email"), "token": new_token}
+
+
+class EmailRegisterResetApi(Resource):
+ @setup_required
+ @email_password_login_enabled
+ @email_register_enabled
+ def post(self):
+ parser = reqparse.RequestParser()
+ parser.add_argument("token", type=str, required=True, nullable=False, location="json")
+ parser.add_argument("new_password", type=valid_password, required=True, nullable=False, location="json")
+ parser.add_argument("password_confirm", type=valid_password, required=True, nullable=False, location="json")
+ args = parser.parse_args()
+
+ # Validate passwords match
+ if args["new_password"] != args["password_confirm"]:
+ raise PasswordMismatchError()
+
+ # Validate token and get register data
+ register_data = AccountService.get_email_register_data(args["token"])
+ if not register_data:
+ raise InvalidTokenError()
+ # Must use token in reset phase
+ if register_data.get("phase", "") != "register":
+ raise InvalidTokenError()
+
+ # Revoke token to prevent reuse
+ AccountService.revoke_email_register_token(args["token"])
+
+ email = register_data.get("email", "")
+
+ with Session(db.engine) as session:
+ account = session.execute(select(Account).filter_by(email=email)).scalar_one_or_none()
+
+ if account:
+ raise EmailAlreadyInUseError()
+ else:
+ account = self._create_new_account(email, args["password_confirm"])
+ token_pair = AccountService.login(account=account, ip_address=extract_remote_ip(request))
+ AccountService.reset_login_error_rate_limit(email)
+
+ return {"result": "success", "data": token_pair.model_dump()}
+
+ def _create_new_account(self, email, password):
+ # Create new account if allowed
+ try:
+ account = AccountService.create_account_and_tenant(
+ email=email,
+ name=email,
+ password=password,
+ interface_language=languages[0],
+ )
+ except WorkSpaceNotAllowedCreateError:
+ pass
+ except WorkspacesLimitExceededError:
+ pass
+ except AccountRegisterError:
+ raise AccountInFreezeError()
+
+ return account
+
+
+api.add_resource(EmailRegisterSendEmailApi, "/email-register/send-email")
+api.add_resource(EmailRegisterCheckApi, "/email-register/validity")
+api.add_resource(EmailRegisterResetApi, "/email-register")
diff --git a/api/controllers/console/auth/error.py b/api/controllers/console/auth/error.py
index 7853bef917..9cda8c90b1 100644
--- a/api/controllers/console/auth/error.py
+++ b/api/controllers/console/auth/error.py
@@ -31,6 +31,12 @@ class PasswordResetRateLimitExceededError(BaseHTTPException):
code = 429
+class EmailRegisterRateLimitExceededError(BaseHTTPException):
+ error_code = "email_register_rate_limit_exceeded"
+ description = "Too many email register emails have been sent. Please try again in 1 minute."
+ code = 429
+
+
class EmailChangeRateLimitExceededError(BaseHTTPException):
error_code = "email_change_rate_limit_exceeded"
description = "Too many email change emails have been sent. Please try again in 1 minute."
@@ -85,6 +91,12 @@ class EmailPasswordResetLimitError(BaseHTTPException):
code = 429
+class EmailRegisterLimitError(BaseHTTPException):
+ error_code = "email_register_limit"
+ description = "Too many failed email register attempts. Please try again in 24 hours."
+ code = 429
+
+
class EmailChangeLimitError(BaseHTTPException):
error_code = "email_change_limit"
description = "Too many failed email change attempts. Please try again in 24 hours."
diff --git a/api/controllers/console/auth/forgot_password.py b/api/controllers/console/auth/forgot_password.py
index ede0696854..d7558e0f67 100644
--- a/api/controllers/console/auth/forgot_password.py
+++ b/api/controllers/console/auth/forgot_password.py
@@ -6,7 +6,6 @@ from flask_restx import Resource, reqparse
from sqlalchemy import select
from sqlalchemy.orm import Session
-from constants.languages import languages
from controllers.console import api
from controllers.console.auth.error import (
EmailCodeError,
@@ -15,7 +14,7 @@ from controllers.console.auth.error import (
InvalidTokenError,
PasswordMismatchError,
)
-from controllers.console.error import AccountInFreezeError, AccountNotFound, EmailSendIpLimitError
+from controllers.console.error import AccountNotFound, EmailSendIpLimitError
from controllers.console.wraps import email_password_login_enabled, setup_required
from events.tenant_event import tenant_was_created
from extensions.ext_database import db
@@ -23,8 +22,6 @@ from libs.helper import email, extract_remote_ip
from libs.password import hash_password, valid_password
from models.account import Account
from services.account_service import AccountService, TenantService
-from services.errors.account import AccountRegisterError
-from services.errors.workspace import WorkSpaceNotAllowedCreateError, WorkspacesLimitExceededError
from services.feature_service import FeatureService
@@ -48,15 +45,13 @@ class ForgotPasswordSendEmailApi(Resource):
with Session(db.engine) as session:
account = session.execute(select(Account).filter_by(email=args["email"])).scalar_one_or_none()
- token = None
- if account is None:
- if FeatureService.get_system_features().is_allow_register:
- token = AccountService.send_reset_password_email(email=args["email"], language=language)
- return {"result": "fail", "data": token, "code": "account_not_found"}
- else:
- raise AccountNotFound()
- else:
- token = AccountService.send_reset_password_email(account=account, email=args["email"], language=language)
+
+ token = AccountService.send_reset_password_email(
+ account=account,
+ email=args["email"],
+ language=language,
+ is_allow_register=FeatureService.get_system_features().is_allow_register,
+ )
return {"result": "success", "data": token}
@@ -137,7 +132,7 @@ class ForgotPasswordResetApi(Resource):
if account:
self._update_existing_account(account, password_hashed, salt, session)
else:
- self._create_new_account(email, args["password_confirm"])
+ raise AccountNotFound()
return {"result": "success"}
@@ -157,22 +152,6 @@ class ForgotPasswordResetApi(Resource):
account.current_tenant = tenant
tenant_was_created.send(tenant)
- def _create_new_account(self, email, password):
- # Create new account if allowed
- try:
- AccountService.create_account_and_tenant(
- email=email,
- name=email,
- password=password,
- interface_language=languages[0],
- )
- except WorkSpaceNotAllowedCreateError:
- pass
- except WorkspacesLimitExceededError:
- pass
- except AccountRegisterError:
- raise AccountInFreezeError()
-
api.add_resource(ForgotPasswordSendEmailApi, "/forgot-password")
api.add_resource(ForgotPasswordCheckApi, "/forgot-password/validity")
diff --git a/api/controllers/console/auth/login.py b/api/controllers/console/auth/login.py
index b11bc0c6ac..3b35ab3c23 100644
--- a/api/controllers/console/auth/login.py
+++ b/api/controllers/console/auth/login.py
@@ -26,7 +26,6 @@ from controllers.console.error import (
from controllers.console.wraps import email_password_login_enabled, setup_required
from events.tenant_event import tenant_was_created
from libs.helper import email, extract_remote_ip
-from libs.password import valid_password
from models.account import Account
from services.account_service import AccountService, RegisterService, TenantService
from services.billing_service import BillingService
@@ -44,10 +43,9 @@ class LoginApi(Resource):
"""Authenticate user and login."""
parser = reqparse.RequestParser()
parser.add_argument("email", type=email, required=True, location="json")
- parser.add_argument("password", type=valid_password, required=True, location="json")
+ parser.add_argument("password", type=str, required=True, location="json")
parser.add_argument("remember_me", type=bool, required=False, default=False, location="json")
parser.add_argument("invite_token", type=str, required=False, default=None, location="json")
- parser.add_argument("language", type=str, required=False, default="en-US", location="json")
args = parser.parse_args()
if dify_config.BILLING_ENABLED and BillingService.is_email_in_freeze(args["email"]):
@@ -61,11 +59,6 @@ class LoginApi(Resource):
if invitation:
invitation = RegisterService.get_invitation_if_token_valid(None, args["email"], invitation)
- if args["language"] is not None and args["language"] == "zh-Hans":
- language = "zh-Hans"
- else:
- language = "en-US"
-
try:
if invitation:
data = invitation.get("data", {})
@@ -80,12 +73,6 @@ class LoginApi(Resource):
except services.errors.account.AccountPasswordError:
AccountService.add_login_error_rate_limit(args["email"])
raise AuthenticationFailedError()
- except services.errors.account.AccountNotFoundError:
- if FeatureService.get_system_features().is_allow_register:
- token = AccountService.send_reset_password_email(email=args["email"], language=language)
- return {"result": "fail", "data": token, "code": "account_not_found"}
- else:
- raise AccountNotFound()
# SELF_HOSTED only have one workspace
tenants = TenantService.get_join_tenants(account)
if len(tenants) == 0:
@@ -133,13 +120,12 @@ class ResetPasswordSendEmailApi(Resource):
except AccountRegisterError:
raise AccountInFreezeError()
- if account is None:
- if FeatureService.get_system_features().is_allow_register:
- token = AccountService.send_reset_password_email(email=args["email"], language=language)
- else:
- raise AccountNotFound()
- else:
- token = AccountService.send_reset_password_email(account=account, language=language)
+ token = AccountService.send_reset_password_email(
+ email=args["email"],
+ account=account,
+ language=language,
+ is_allow_register=FeatureService.get_system_features().is_allow_register,
+ )
return {"result": "success", "data": token}
diff --git a/api/controllers/console/wraps.py b/api/controllers/console/wraps.py
index e375fe285b..092071481e 100644
--- a/api/controllers/console/wraps.py
+++ b/api/controllers/console/wraps.py
@@ -242,6 +242,19 @@ def email_password_login_enabled(view: Callable[P, R]):
return decorated
+def email_register_enabled(view):
+ @wraps(view)
+ def decorated(*args, **kwargs):
+ features = FeatureService.get_system_features()
+ if features.is_allow_register:
+ return view(*args, **kwargs)
+
+ # otherwise, return 403
+ abort(403)
+
+ return decorated
+
+
def enable_change_email(view: Callable[P, R]):
@wraps(view)
def decorated(*args: P.args, **kwargs: P.kwargs):
diff --git a/api/libs/email_i18n.py b/api/libs/email_i18n.py
index 3c039dff53..9dde87d800 100644
--- a/api/libs/email_i18n.py
+++ b/api/libs/email_i18n.py
@@ -21,6 +21,7 @@ class EmailType(Enum):
"""Enumeration of supported email types."""
RESET_PASSWORD = "reset_password"
+ RESET_PASSWORD_WHEN_ACCOUNT_NOT_EXIST = "reset_password_when_account_not_exist"
INVITE_MEMBER = "invite_member"
EMAIL_CODE_LOGIN = "email_code_login"
CHANGE_EMAIL_OLD = "change_email_old"
@@ -34,6 +35,9 @@ class EmailType(Enum):
ENTERPRISE_CUSTOM = "enterprise_custom"
QUEUE_MONITOR_ALERT = "queue_monitor_alert"
DOCUMENT_CLEAN_NOTIFY = "document_clean_notify"
+ EMAIL_REGISTER = "email_register"
+ EMAIL_REGISTER_WHEN_ACCOUNT_EXIST = "email_register_when_account_exist"
+ RESET_PASSWORD_WHEN_ACCOUNT_NOT_EXIST_NO_REGISTER = "reset_password_when_account_not_exist_no_register"
class EmailLanguage(Enum):
@@ -441,6 +445,54 @@ def create_default_email_config() -> EmailI18nConfig:
branded_template_path="clean_document_job_mail_template_zh-CN.html",
),
},
+ EmailType.EMAIL_REGISTER: {
+ EmailLanguage.EN_US: EmailTemplate(
+ subject="Register Your {application_title} Account",
+ template_path="register_email_template_en-US.html",
+ branded_template_path="without-brand/register_email_template_en-US.html",
+ ),
+ EmailLanguage.ZH_HANS: EmailTemplate(
+ subject="注册您的 {application_title} 账户",
+ template_path="register_email_template_zh-CN.html",
+ branded_template_path="without-brand/register_email_template_zh-CN.html",
+ ),
+ },
+ EmailType.EMAIL_REGISTER_WHEN_ACCOUNT_EXIST: {
+ EmailLanguage.EN_US: EmailTemplate(
+ subject="Register Your {application_title} Account",
+ template_path="register_email_when_account_exist_template_en-US.html",
+ branded_template_path="without-brand/register_email_when_account_exist_template_en-US.html",
+ ),
+ EmailLanguage.ZH_HANS: EmailTemplate(
+ subject="注册您的 {application_title} 账户",
+ template_path="register_email_when_account_exist_template_zh-CN.html",
+ branded_template_path="without-brand/register_email_when_account_exist_template_zh-CN.html",
+ ),
+ },
+ EmailType.RESET_PASSWORD_WHEN_ACCOUNT_NOT_EXIST: {
+ EmailLanguage.EN_US: EmailTemplate(
+ subject="Reset Your {application_title} Password",
+ template_path="reset_password_mail_when_account_not_exist_template_en-US.html",
+ branded_template_path="without-brand/reset_password_mail_when_account_not_exist_template_en-US.html",
+ ),
+ EmailLanguage.ZH_HANS: EmailTemplate(
+ subject="重置您的 {application_title} 密码",
+ template_path="reset_password_mail_when_account_not_exist_template_zh-CN.html",
+ branded_template_path="without-brand/reset_password_mail_when_account_not_exist_template_zh-CN.html",
+ ),
+ },
+ EmailType.RESET_PASSWORD_WHEN_ACCOUNT_NOT_EXIST_NO_REGISTER: {
+ EmailLanguage.EN_US: EmailTemplate(
+ subject="Reset Your {application_title} Password",
+ template_path="reset_password_mail_when_account_not_exist_no_register_template_en-US.html",
+ branded_template_path="without-brand/reset_password_mail_when_account_not_exist_no_register_template_en-US.html",
+ ),
+ EmailLanguage.ZH_HANS: EmailTemplate(
+ subject="重置您的 {application_title} 密码",
+ template_path="reset_password_mail_when_account_not_exist_no_register_template_zh-CN.html",
+ branded_template_path="without-brand/reset_password_mail_when_account_not_exist_no_register_template_zh-CN.html",
+ ),
+ },
}
return EmailI18nConfig(templates=templates)
diff --git a/api/services/account_service.py b/api/services/account_service.py
index a76792f88e..8438423f2e 100644
--- a/api/services/account_service.py
+++ b/api/services/account_service.py
@@ -37,7 +37,6 @@ from services.billing_service import BillingService
from services.errors.account import (
AccountAlreadyInTenantError,
AccountLoginError,
- AccountNotFoundError,
AccountNotLinkTenantError,
AccountPasswordError,
AccountRegisterError,
@@ -65,7 +64,11 @@ from tasks.mail_owner_transfer_task import (
send_old_owner_transfer_notify_email_task,
send_owner_transfer_confirm_task,
)
-from tasks.mail_reset_password_task import send_reset_password_mail_task
+from tasks.mail_register_task import send_email_register_mail_task, send_email_register_mail_task_when_account_exist
+from tasks.mail_reset_password_task import (
+ send_reset_password_mail_task,
+ send_reset_password_mail_task_when_account_not_exist,
+)
logger = logging.getLogger(__name__)
@@ -82,6 +85,7 @@ REFRESH_TOKEN_EXPIRY = timedelta(days=dify_config.REFRESH_TOKEN_EXPIRE_DAYS)
class AccountService:
reset_password_rate_limiter = RateLimiter(prefix="reset_password_rate_limit", max_attempts=1, time_window=60 * 1)
+ email_register_rate_limiter = RateLimiter(prefix="email_register_rate_limit", max_attempts=1, time_window=60 * 1)
email_code_login_rate_limiter = RateLimiter(
prefix="email_code_login_rate_limit", max_attempts=1, time_window=60 * 1
)
@@ -95,6 +99,7 @@ class AccountService:
FORGOT_PASSWORD_MAX_ERROR_LIMITS = 5
CHANGE_EMAIL_MAX_ERROR_LIMITS = 5
OWNER_TRANSFER_MAX_ERROR_LIMITS = 5
+ EMAIL_REGISTER_MAX_ERROR_LIMITS = 5
@staticmethod
def _get_refresh_token_key(refresh_token: str) -> str:
@@ -171,7 +176,7 @@ class AccountService:
account = db.session.query(Account).filter_by(email=email).first()
if not account:
- raise AccountNotFoundError()
+ raise AccountPasswordError("Invalid email or password.")
if account.status == AccountStatus.BANNED.value:
raise AccountLoginError("Account is banned.")
@@ -433,6 +438,7 @@ class AccountService:
account: Optional[Account] = None,
email: Optional[str] = None,
language: str = "en-US",
+ is_allow_register: bool = False,
):
account_email = account.email if account else email
if account_email is None:
@@ -445,14 +451,54 @@ class AccountService:
code, token = cls.generate_reset_password_token(account_email, account)
- send_reset_password_mail_task.delay(
- language=language,
- to=account_email,
- code=code,
- )
+ if account:
+ send_reset_password_mail_task.delay(
+ language=language,
+ to=account_email,
+ code=code,
+ )
+ else:
+ send_reset_password_mail_task_when_account_not_exist.delay(
+ language=language,
+ to=account_email,
+ is_allow_register=is_allow_register,
+ )
cls.reset_password_rate_limiter.increment_rate_limit(account_email)
return token
+ @classmethod
+ def send_email_register_email(
+ cls,
+ account: Optional[Account] = None,
+ email: Optional[str] = None,
+ language: str = "en-US",
+ ):
+ account_email = account.email if account else email
+ if account_email is None:
+ raise ValueError("Email must be provided.")
+
+ if cls.email_register_rate_limiter.is_rate_limited(account_email):
+ from controllers.console.auth.error import EmailRegisterRateLimitExceededError
+
+ raise EmailRegisterRateLimitExceededError()
+
+ code, token = cls.generate_email_register_token(account_email)
+
+ if account:
+ send_email_register_mail_task_when_account_exist.delay(
+ language=language,
+ to=account_email,
+ )
+
+ else:
+ send_email_register_mail_task.delay(
+ language=language,
+ to=account_email,
+ code=code,
+ )
+ cls.email_register_rate_limiter.increment_rate_limit(account_email)
+ return token
+
@classmethod
def send_change_email_email(
cls,
@@ -585,6 +631,19 @@ class AccountService:
)
return code, token
+ @classmethod
+ def generate_email_register_token(
+ cls,
+ email: str,
+ code: Optional[str] = None,
+ additional_data: dict[str, Any] = {},
+ ):
+ if not code:
+ code = "".join([str(secrets.randbelow(exclusive_upper_bound=10)) for _ in range(6)])
+ additional_data["code"] = code
+ token = TokenManager.generate_token(email=email, token_type="email_register", additional_data=additional_data)
+ return code, token
+
@classmethod
def generate_change_email_token(
cls,
@@ -623,6 +682,10 @@ class AccountService:
def revoke_reset_password_token(cls, token: str):
TokenManager.revoke_token(token, "reset_password")
+ @classmethod
+ def revoke_email_register_token(cls, token: str):
+ TokenManager.revoke_token(token, "email_register")
+
@classmethod
def revoke_change_email_token(cls, token: str):
TokenManager.revoke_token(token, "change_email")
@@ -635,6 +698,10 @@ class AccountService:
def get_reset_password_data(cls, token: str) -> Optional[dict[str, Any]]:
return TokenManager.get_token_data(token, "reset_password")
+ @classmethod
+ def get_email_register_data(cls, token: str) -> Optional[dict[str, Any]]:
+ return TokenManager.get_token_data(token, "email_register")
+
@classmethod
def get_change_email_data(cls, token: str) -> Optional[dict[str, Any]]:
return TokenManager.get_token_data(token, "change_email")
@@ -742,6 +809,16 @@ class AccountService:
count = int(count) + 1
redis_client.setex(key, dify_config.FORGOT_PASSWORD_LOCKOUT_DURATION, count)
+ @staticmethod
+ @redis_fallback(default_return=None)
+ def add_email_register_error_rate_limit(email: str) -> None:
+ key = f"email_register_error_rate_limit:{email}"
+ count = redis_client.get(key)
+ if count is None:
+ count = 0
+ count = int(count) + 1
+ redis_client.setex(key, dify_config.EMAIL_REGISTER_LOCKOUT_DURATION, count)
+
@staticmethod
@redis_fallback(default_return=False)
def is_forgot_password_error_rate_limit(email: str) -> bool:
@@ -761,6 +838,24 @@ class AccountService:
key = f"forgot_password_error_rate_limit:{email}"
redis_client.delete(key)
+ @staticmethod
+ @redis_fallback(default_return=False)
+ def is_email_register_error_rate_limit(email: str) -> bool:
+ key = f"email_register_error_rate_limit:{email}"
+ count = redis_client.get(key)
+ if count is None:
+ return False
+ count = int(count)
+ if count > AccountService.EMAIL_REGISTER_MAX_ERROR_LIMITS:
+ return True
+ return False
+
+ @staticmethod
+ @redis_fallback(default_return=None)
+ def reset_email_register_error_rate_limit(email: str):
+ key = f"email_register_error_rate_limit:{email}"
+ redis_client.delete(key)
+
@staticmethod
@redis_fallback(default_return=None)
def add_change_email_error_rate_limit(email: str):
diff --git a/api/tasks/mail_register_task.py b/api/tasks/mail_register_task.py
new file mode 100644
index 0000000000..acf2852649
--- /dev/null
+++ b/api/tasks/mail_register_task.py
@@ -0,0 +1,86 @@
+import logging
+import time
+
+import click
+from celery import shared_task
+
+from configs import dify_config
+from extensions.ext_mail import mail
+from libs.email_i18n import EmailType, get_email_i18n_service
+
+logger = logging.getLogger(__name__)
+
+
+@shared_task(queue="mail")
+def send_email_register_mail_task(language: str, to: str, code: str) -> None:
+ """
+ Send email register email with internationalization support.
+
+ Args:
+ language: Language code for email localization
+ to: Recipient email address
+ code: Email register code
+ """
+ if not mail.is_inited():
+ return
+
+ logger.info(click.style(f"Start email register mail to {to}", fg="green"))
+ start_at = time.perf_counter()
+
+ try:
+ email_service = get_email_i18n_service()
+ email_service.send_email(
+ email_type=EmailType.EMAIL_REGISTER,
+ language_code=language,
+ to=to,
+ template_context={
+ "to": to,
+ "code": code,
+ },
+ )
+
+ end_at = time.perf_counter()
+ logger.info(
+ click.style(f"Send email register mail to {to} succeeded: latency: {end_at - start_at}", fg="green")
+ )
+ except Exception:
+ logger.exception("Send email register mail to %s failed", to)
+
+
+@shared_task(queue="mail")
+def send_email_register_mail_task_when_account_exist(language: str, to: str) -> None:
+ """
+ Send email register email with internationalization support when account exist.
+
+ Args:
+ language: Language code for email localization
+ to: Recipient email address
+ """
+ if not mail.is_inited():
+ return
+
+ logger.info(click.style(f"Start email register mail to {to}", fg="green"))
+ start_at = time.perf_counter()
+
+ try:
+ login_url = f"{dify_config.CONSOLE_WEB_URL}/signin"
+ reset_password_url = f"{dify_config.CONSOLE_WEB_URL}/reset-password"
+
+ email_service = get_email_i18n_service()
+ email_service.send_email(
+ email_type=EmailType.EMAIL_REGISTER_WHEN_ACCOUNT_EXIST,
+ language_code=language,
+ to=to,
+ template_context={
+ "to": to,
+ "login_url": login_url,
+ "reset_password_url": reset_password_url,
+ },
+ )
+
+ end_at = time.perf_counter()
+ logger.info(
+ click.style(f"Send email register mail to {to} succeeded: latency: {end_at - start_at}", fg="green")
+ )
+ except Exception:
+ logger.exception("Send email register mail to %s failed", to)
diff --git a/api/tasks/mail_reset_password_task.py b/api/tasks/mail_reset_password_task.py
index 545db84fde..1739562588 100644
--- a/api/tasks/mail_reset_password_task.py
+++ b/api/tasks/mail_reset_password_task.py
@@ -4,6 +4,7 @@ import time
import click
from celery import shared_task
+from configs import dify_config
from extensions.ext_mail import mail
from libs.email_i18n import EmailType, get_email_i18n_service
@@ -44,3 +45,47 @@ def send_reset_password_mail_task(language: str, to: str, code: str):
)
except Exception:
logger.exception("Send password reset mail to %s failed", to)
+
+
+@shared_task(queue="mail")
+def send_reset_password_mail_task_when_account_not_exist(language: str, to: str, is_allow_register: bool) -> None:
+ """
+ Send reset password email with internationalization support when account not exist.
+
+ Args:
+ language: Language code for email localization
+ to: Recipient email address
+ """
+ if not mail.is_inited():
+ return
+
+ logger.info(click.style(f"Start password reset mail to {to}", fg="green"))
+ start_at = time.perf_counter()
+
+ try:
+ if is_allow_register:
+ sign_up_url = f"{dify_config.CONSOLE_WEB_URL}/signup"
+ email_service = get_email_i18n_service()
+ email_service.send_email(
+ email_type=EmailType.RESET_PASSWORD_WHEN_ACCOUNT_NOT_EXIST,
+ language_code=language,
+ to=to,
+ template_context={
+ "to": to,
+ "sign_up_url": sign_up_url,
+ },
+ )
+ else:
+ email_service = get_email_i18n_service()
+ email_service.send_email(
+ email_type=EmailType.RESET_PASSWORD_WHEN_ACCOUNT_NOT_EXIST_NO_REGISTER,
+ language_code=language,
+ to=to,
+ )
+
+ end_at = time.perf_counter()
+ logger.info(
+ click.style(f"Send password reset mail to {to} succeeded: latency: {end_at - start_at}", fg="green")
+ )
+ except Exception:
+ logger.exception("Send password reset mail to %s failed", to)
diff --git a/api/templates/register_email_template_en-US.html b/api/templates/register_email_template_en-US.html
new file mode 100644
index 0000000000..e0fec59100
--- /dev/null
+++ b/api/templates/register_email_template_en-US.html
@@ -0,0 +1,87 @@
+
+
+
+
+
+
+
+
+
+
+
Dify Sign-up Code
+
Your sign-up code for Dify
+
+ Copy and paste this code, this code will only be valid for the next 5 minutes.
+
+ {{code}}
+
+
If you didn't request this code, don't worry. You can safely ignore this email.
+
+
+
Dify 注册验证码
+
您的 Dify 注册验证码
+
+ 复制并粘贴此验证码,注意验证码仅在接下来的 5 分钟内有效。
+
+ {{code}}
+
+
如果您没有请求,请不要担心。您可以安全地忽略此电子邮件。
+
+
+
It looks like you’re signing up with an existing account
+
Hi,
+ We noticed you tried to sign up, but this email is already registered with an existing account.
+
+ Please log in here:
+
+ Log In
+
+
+ If you forgot your password, you can reset it here:
+
+ Reset Password
+
+
If you didn’t request this action, you can safely ignore this email.
+ Need help? Feel free to contact us at support@dify.ai.
+
+
+
您似乎正在使用现有账户注册
+
Hi,
+ 我们注意到您尝试注册,但此电子邮件已与现有账户注册。
+
+ 请在此登录:
+
+ 登录
+
+
+ 如果您忘记了密码,可以在此重置:
+
+ 重置密码
+
+
如果您没有请求此操作,您可以安全地忽略此电子邮件。
+
+ 需要帮助?随时联系我们 at support@dify.ai。
+
+
+
It looks like you’re resetting a password with an unregistered email
+
Hi,
+ We noticed you tried to reset your password, but this email is not associated with any account.
+
+
If you didn’t request this action, you can safely ignore this email.
+ Need help? Feel free to contact us at support@dify.ai.
+
+
+
看起来您正在使用未注册的电子邮件重置密码
+
Hi,
+ 我们注意到您尝试重置密码,但此电子邮件未与任何账户关联。
+
如果您没有请求此操作,您可以安全地忽略此电子邮件。
+ 需要帮助?随时联系我们 at support@dify.ai。
+
+
+
It looks like you’re resetting a password with an unregistered email
+
Hi,
+ We noticed you tried to reset your password, but this email is not associated with any account.
+
+ Please sign up here:
+
+ [Sign Up]
+
+
If you didn’t request this action, you can safely ignore this email.
+ Need help? Feel free to contact us at support@dify.ai.
+
+
+
看起来您正在使用未注册的电子邮件重置密码
+
Hi,
+ 我们注意到您尝试重置密码,但此电子邮件未与任何账户关联。
+
+ 请在此注册:
+
+ [注册]
+
+
如果您没有请求此操作,您可以安全地忽略此电子邮件。
+ 需要帮助?随时联系我们 at support@dify.ai。
+
+
{{application_title}} Sign-up Code
+
Your sign-up code for Dify
+
+ Copy and paste this code, this code will only be valid for the next 5 minutes.
+
+ {{code}}
+
+
If you didn't request this code, don't worry. You can safely ignore this email.
+
+
{{application_title}} 注册验证码
+
您的 {{application_title}} 注册验证码
+
+ 复制并粘贴此验证码,注意验证码仅在接下来的 5 分钟内有效。
+
+ {{code}}
+
+
如果您没有请求此验证码,请不要担心。您可以安全地忽略此电子邮件。
+
+
It looks like you’re signing up with an existing account
+
Hi,
+ We noticed you tried to sign up, but this email is already registered with an existing account.
+
+ Please log in here:
+
+ Log In
+
+
+ If you forgot your password, you can reset it here:
+
+ Reset Password
+
+
If you didn’t request this action, you can safely ignore this email.
+ Need help? Feel free to contact us at support@dify.ai.
+
+
您似乎正在使用现有账户注册
+
Hi,
+ 我们注意到您尝试注册,但此电子邮件已与现有账户注册。
+
+ 请在此登录:
+
+ 登录
+
+
+ 如果您忘记了密码,可以在此重置:
+
+ 重置密码
+
+
如果您没有请求此操作,您可以安全地忽略此电子邮件。
+
+ 需要帮助?随时联系我们 at support@dify.ai。
+
+
It looks like you’re resetting a password with an unregistered email
+
Hi,
+ We noticed you tried to reset your password, but this email is not associated with any account.
+
+
If you didn’t request this action, you can safely ignore this email.
+ Need help? Feel free to contact us at support@dify.ai.
+
+
看起来您正在使用未注册的电子邮件重置密码
+
Hi,
+ 我们注意到您尝试重置密码,但此电子邮件未与任何账户关联。
+
+
如果您没有请求此操作,您可以安全地忽略此电子邮件。
+ 需要帮助?随时联系我们 at support@dify.ai。
+
+
It looks like you’re resetting a password with an unregistered email
+
Hi,
+ We noticed you tried to reset your password, but this email is not associated with any account.
+
+ Please sign up here:
+
+ [Sign Up]
+
+
If you didn’t request this action, you can safely ignore this email.
+ Need help? Feel free to contact us at support@dify.ai.
+
+
看起来您正在使用未注册的电子邮件重置密码
+
Hi,
+ 我们注意到您尝试重置密码,但此电子邮件未与任何账户关联。
+
+ 请在此注册:
+
+ [注册]
+
+
如果您没有请求此操作,您可以安全地忽略此电子邮件。
+ 需要帮助?随时联系我们 at support@dify.ai。
+
+