fix(api): expose device-flow approve rate limit as env var (#37083)

This commit is contained in:
Xiyuan Chen 2026-06-04 19:56:23 -07:00 committed by GitHub
parent 8cb2cffbf7
commit a1ad4be61e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 14 additions and 4 deletions


@ -949,6 +949,11 @@ class AuthConfig(BaseSettings):
default=60,
)
DEVICE_FLOW_APPROVE_RATE_LIMIT_PER_HOUR: PositiveInt = Field(
description="Max device-flow approve requests per session per hour on /openapi/oauth/device/approve.",
default=10,
)
class ModerationConfig(BaseSettings):
"""
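Review bot: The description of the new `DEVICE_FLOW_APPROVE_RATE_LIMIT_PER_HOUR` field names only `/openapi/oauth/device/approve`, yet the same commit attaches `LIMIT_DEVICE_FLOW_APPROVE` to both `DeviceApproveApi.post` and `DeviceDenyApi.post`, so an operator tuning this value will under-estimate what it throttles. Suggest `description="Max device-flow approve and deny requests per session per hour (applied to the /openapi/oauth/device/approve endpoint and its deny counterpart)."`, adjusting the deny route name to whatever the blueprint registers (the route registration is outside this hunk). It would also help to say that the one-hour window is fixed and that, judging by the module-level constant in libs/rate_limit, the value appears to be read once at startup rather than per request.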


@ -49,8 +49,8 @@ from extensions.ext_redis import redis_client
from libs.helper import extract_remote_ip
from libs.oauth_bearer import MINTABLE_PROFILES, SubjectType, bearer_feature_required
from libs.rate_limit import (
LIMIT_APPROVE_CONSOLE,
LIMIT_DEVICE_CODE_PER_IP,
LIMIT_DEVICE_FLOW_APPROVE,
LIMIT_LOOKUP_PUBLIC,
rate_limit,
)
@ -210,7 +210,7 @@ class DeviceApproveApi(Resource):
@login_required
@account_initialization_required
@bearer_feature_required
@rate_limit(LIMIT_APPROVE_CONSOLE)
@rate_limit(LIMIT_DEVICE_FLOW_APPROVE)
@with_current_user
@with_current_tenant_id
def post(self, tenant: str, account: Account):
@ -287,7 +287,7 @@ class DeviceDenyApi(Resource):
@login_required
@account_initialization_required
@bearer_feature_required
@rate_limit(LIMIT_APPROVE_CONSOLE)
@rate_limit(LIMIT_DEVICE_FLOW_APPROVE)
def post(self):
payload = _validate_json(DeviceMutateRequest)
user_code = payload.user_code.strip().upper()
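Review bot: Dropping `LIMIT_APPROVE_CONSOLE` from this import while the same commit deletes its definition in libs/rate_limit means any other module that still imports that name fails at startup with an ImportError rather than at request time; the diffstat lists only four files, so this is presumably the sole importer, but a repository-wide search for `LIMIT_APPROVE_CONSOLE` before merge would confirm it. Both `post` methods whose decorators change here continue outside their hunks (the `DeviceApproveApi.post` body is entirely outside, and `DeviceDenyApi.post` is cut after its second line), so whether either handler relies on the old constant elsewhere cannot be seen from this page.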


@ -40,7 +40,11 @@ class RateLimit:
LIMIT_DEVICE_CODE_PER_IP = RateLimit(60, timedelta(hours=1), (RateLimitScope.IP,))
LIMIT_SSO_INITIATE_PER_IP = RateLimit(60, timedelta(hours=1), (RateLimitScope.IP,))
LIMIT_APPROVE_EXT_PER_EMAIL = RateLimit(10, timedelta(hours=1), (RateLimitScope.SUBJECT_EMAIL,))
LIMIT_APPROVE_CONSOLE = RateLimit(10, timedelta(hours=1), (RateLimitScope.SESSION,))
LIMIT_DEVICE_FLOW_APPROVE = RateLimit(
limit=dify_config.DEVICE_FLOW_APPROVE_RATE_LIMIT_PER_HOUR,
window=timedelta(hours=1),
scopes=(RateLimitScope.SESSION,),
)
LIMIT_LOOKUP_PUBLIC = RateLimit(60, timedelta(minutes=5), (RateLimitScope.IP,))
LIMIT_ME_PER_ACCOUNT = RateLimit(60, timedelta(minutes=1), (RateLimitScope.ACCOUNT,))
LIMIT_ME_PER_EMAIL = RateLimit(60, timedelta(minutes=1), (RateLimitScope.SUBJECT_EMAIL,))
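Review bot: `LIMIT_DEVICE_FLOW_APPROVE` is constructed when this module is imported, so `dify_config.DEVICE_FLOW_APPROVE_RATE_LIMIT_PER_HOUR` is read exactly once and a changed environment value only takes effect after a process restart; a one-line comment above the constant would stop the next reader from expecting live reload, e.g. `# Read once at import; a changed env value needs a process restart.`. This also makes libs/rate_limit depend on `dify_config` being importable before any limit is defined — if the config module imports anything from `libs`, that is a circular-import risk worth checking (the `dify_config` import itself is outside this hunk). Minor style point: the new entry uses keyword arguments while every sibling in the block is positional; either form is fine, but the block reads better with one convention.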


@ -225,6 +225,7 @@ OPENAPI_ENABLED=false
OPENAPI_CORS_ALLOW_ORIGINS=
OPENAPI_KNOWN_CLIENT_IDS=difyctl
OPENAPI_RATE_LIMIT_PER_TOKEN=60
DEVICE_FLOW_APPROVE_RATE_LIMIT_PER_HOUR=10
ENABLE_OAUTH_BEARER=false
DSL_EXPORT_ENCRYPT_DATASET_ID=true
DATASET_MAX_SEGMENTS_PER_REQUEST=0
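Review bot: The new `DEVICE_FLOW_APPROVE_RATE_LIMIT_PER_HOUR=10` line is placed among the `OPENAPI_*` keys without the prefix and without any explanation, so someone editing the example file has no hint that it governs the device-flow approve and deny endpoints or that it is a per-session hourly count. If neighbouring keys in this file carry comments (none are visible in the hunk), a short one above the line would help, e.g. `# Max device-flow approve/deny requests per session per hour (positive integer).`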