fix: sign workflow online user avatars in app list API

2026-04-15 18:06:36 +08:00 · 2026-04-12 20:35:23 +08:00 · 2026-04-12 20:35:23 +08:00 · cadc021bfa
commit cadc021bfa
parent d8e0b499df
2 changed files with 21 additions and 4 deletions
--- a/api/controllers/console/app/workflow.py
+++ b/api/controllers/console/app/workflow.py
@ -6,7 +6,7 @@ from typing import Any
 from flask import abort, request
 from flask_restx import Resource, fields, marshal_with
 from graphon.enums import NodeType
-from graphon.file import File
+from graphon.file import File, helpers as file_helpers
 from graphon.graph_engine.manager import GraphEngineManager
 from graphon.model_runtime.utils.encoders import jsonable_encoder
 from pydantic import BaseModel, Field, ValidationError, field_validator
@ -1414,9 +1414,22 @@ class WorkflowOnlineUsersApi(Resource):
            users = []
            for _, user_info_json in users_json.items():
                try:
-                    users.append(json.loads(user_info_json))
+                    user_info = json.loads(user_info_json)
                except Exception:
                    continue
+
+                if not isinstance(user_info, dict):
+                    continue
+
+                avatar = user_info.get("avatar")
+                if isinstance(avatar, str) and avatar and not avatar.startswith(("http://", "https://")):
+                    try:
+                        user_info["avatar"] = file_helpers.get_signed_file_url(avatar)
+                    except Exception:
+                        # keep original avatar value when signing fails
+                        pass
+
+                users.append(user_info)
            results.append({"app_id": app_id, "users": users})

        return {"data": results}
--- a/api/tests/unit_tests/controllers/console/app/test_workflow.py
+++ b/api/tests/unit_tests/controllers/console/app/test_workflow.py
@ -298,12 +298,15 @@ def test_workflow_online_users_filters_inaccessible_workflow(
 ) -> None:
    app_id_1 = "11111111-1111-1111-1111-111111111111"
    app_id_2 = "22222222-2222-2222-2222-222222222222"
+    signed_avatar_url = "https://files.example.com/signed/avatar-1"
+    sign_avatar = Mock(return_value=signed_avatar_url)
    monkeypatch.setattr(workflow_module, "current_account_with_tenant", lambda: (SimpleNamespace(), "tenant-1"))
    monkeypatch.setattr(
        workflow_module,
        "WorkflowService",
        lambda: SimpleNamespace(get_accessible_app_ids=lambda app_ids, tenant_id: {app_id_1}),
    )
+    monkeypatch.setattr(workflow_module.file_helpers, "get_signed_file_url", sign_avatar)

    workflow_module.redis_client.hgetall.side_effect = lambda key: (
        {
@ -311,7 +314,7 @@ def test_workflow_online_users_filters_inaccessible_workflow(
                {
                    "user_id": "u-1",
                    "username": "Alice",
-                    "avatar": "avatar-url",
+                    "avatar": "avatar-file-id",
                    "sid": "sid-1",
                }
            )
@ -337,7 +340,7 @@ def test_workflow_online_users_filters_inaccessible_workflow(
                    {
                        "user_id": "u-1",
                        "username": "Alice",
-                        "avatar": "avatar-url",
+                        "avatar": signed_avatar_url,
                        "sid": "sid-1",
                    }
                ],
@ -347,6 +350,7 @@ def test_workflow_online_users_filters_inaccessible_workflow(
    workflow_module.redis_client.hgetall.assert_called_once_with(
        f"{workflow_module.WORKFLOW_ONLINE_USERS_PREFIX}{app_id_1}"
    )
+    sign_avatar.assert_called_once_with("avatar-file-id")


 def test_workflow_online_users_rejects_excessive_workflow_ids(