opensource/dify - dify - Gitea: Git with a cup of tea

opensource/dify

Fork 0

mirror of https://github.com/langgenius/dify.git synced 2026-05-12 15:58:19 +08:00

Commit Graph

Author	SHA1	Message	Date
GareArc	8a62c1d915	chore(api): pyright + ruff cleanup for openapi/cli surface Type and lint pass over the openapi controllers, auth pipeline, and oauth bearer/device-flow plumbing. Down from 36 pyright errors and 16 ruff errors to 0/0; 93 openapi unit tests pass. Logic fixes: - libs/oauth_bearer.py: drop private-naming on the friend-API methods consumed by _VariantResolver (cache_get / cache_set_positive / cache_set_negative / hard_expire / session_factory). They were always cross-class accessors — leading underscore was misleading. Add public registry property on BearerAuthenticator. _hard_expire row_id widened to UUID \| str (matches the StringUUID column type). - libs/oauth_bearer.py: type validate_bearer / bearer_feature_required with ParamSpec / PEP-695 so wrapped routes preserve their signature. - libs/rate_limit.py: same — typed rate_limit decorator. - services/oauth_device_flow.py: mint_oauth_token / _upsert accept Session \| scoped_session (Flask-SQLAlchemy proxy). Guard row-is-None after upsert. - controllers/openapi/{chat,completion,workflow}_messages.py: tuple-vs- Mapping shape narrowing on AppGenerateService.generate return — production returns Mapping, tests mock as (body, status). Validate through Pydantic Response model in both shapes. - controllers/openapi/oauth_device.py: replace flask_restx.reqparse (banned) with Pydantic Request/Query models — DeviceCodeRequest, DevicePollRequest, DeviceLookupQuery, DeviceMutateRequest. Two PEP-695 generic helpers (_validate_json / _validate_query) translate ValidationError to BadRequest. - controllers/openapi/auth/strategies.py: Protocol param-name match (subject_type), Optional narrowing on app/tenant/account_id/subject_email. - controllers/openapi/auth/steps.py: subject_type-is-None guard before mounter dispatch. - core/app/apps/workflow/generate_task_pipeline.py + models/workflow.py: add WorkflowAppLogCreatedFrom.OPENAPI + matching match-case branch. Fixes match-exhaustiveness and possibly-unbound created_from. - libs/device_flow_security.py: pyright ignore on flask after_request hook (registered by the framework, pyright sees as unused). - services/oauth_device_flow.py: rename Exceptions to *Error suffix (StateNotFoundError / InvalidTransitionError / UserCodeExhaustedError); same for libs/oauth_bearer.py (InvalidBearerError / TokenExpiredError). Update all callers across openapi controllers. - controllers/openapi/{oauth_device,oauth_device_sso}.py + services/oauth_device_flow.py: switch logger.error in except blocks to logger.exception (TRY400) — keeps the traceback for ops. - configs/feature/__init__.py: OPENAPI_KNOWN_CLIENT_IDS computed_field needs an @property alongside for pyright to see it as a value, not a method. Matches the existing line-451 pattern. Plus ruff format + import-sort across the openapi tree (pure formatting).	2026-04-28 21:44:54 -07:00
GareArc	0b3b0b5ce8	feat(api): retire legacy /v1/* and /console/api device-flow mounts (Phase F) Web and CLI consumers now hit /openapi/v1/* directly, so the dual-mount shims can go: - controllers/oauth_device_sso.py (legacy /v1/oauth/device/sso-* + /v1/device/sso-complete) - controllers/service_api/oauth.py (legacy /v1/oauth/device/*, /v1/me, /v1/oauth/authorizations/self) - controllers/console/auth/oauth_device.py (placeholder for legacy /console/api/oauth/device/{approve,deny}) - the deferred _register_legacy_console_mount() inside openapi/oauth_device.py Imports in controllers/console/__init__.py, controllers/service_api/__init__.py, and extensions/ext_blueprints.py pruned. Tests rewritten to openapi-only.	2026-04-27 00:45:10 -07:00
GareArc	2a38df2b7f	refactor(api): consolidate openapi/oauth_device into per-domain modules Match the existing api-group convention: one module per resource family with multiple Resource classes per file (cf service_api/dataset/dataset.py with 7 routes, console/auth/oauth_device.py with 2 before this branch). The Phase B-D fragmentation (one file per route under controllers/openapi/oauth_device/) was inconsistent with the codebase. Collapse into: controllers/openapi/oauth_device.py (5 routes: code, token, lookup, approve, deny — account branch) controllers/openapi/oauth_device_sso.py (4 routes: sso-initiate, sso-complete, approval-context, approve-external — EE-only SSO branch) The split mirrors the original pre-migration layout: account branch in console/auth/oauth_device.py, SSO branch in controllers/oauth_device_sso.py (root). Both legacy mount files updated to import from the new modules. No behavior change; 59 tests still green. Test files updated to import from the consolidated module paths. Plan: docs/superpowers/plans/2026-04-26-openapi-migration.md (in difyctl repo).	2026-04-27 00:07:15 -07:00

Author

SHA1

Message

Date

GareArc

8a62c1d915

chore(api): pyright + ruff cleanup for openapi/cli surface

Type and lint pass over the openapi controllers, auth pipeline, and
oauth bearer/device-flow plumbing. Down from 36 pyright errors and 16
ruff errors to 0/0; 93 openapi unit tests pass.

Logic fixes:
- libs/oauth_bearer.py: drop private-naming on the friend-API methods
  consumed by _VariantResolver (cache_get / cache_set_positive /
  cache_set_negative / hard_expire / session_factory). They were always
  cross-class accessors — leading underscore was misleading. Add public
  registry property on BearerAuthenticator. _hard_expire row_id widened
  to UUID | str (matches the StringUUID column type).
- libs/oauth_bearer.py: type validate_bearer / bearer_feature_required
  with ParamSpec / PEP-695 so wrapped routes preserve their signature.
- libs/rate_limit.py: same — typed rate_limit decorator.
- services/oauth_device_flow.py: mint_oauth_token / _upsert accept
  Session | scoped_session (Flask-SQLAlchemy proxy). Guard row-is-None
  after upsert.
- controllers/openapi/{chat,completion,workflow}_messages.py: tuple-vs-
  Mapping shape narrowing on AppGenerateService.generate return —
  production returns Mapping, tests mock as (body, status). Validate
  through Pydantic Response model in both shapes.
- controllers/openapi/oauth_device.py: replace flask_restx.reqparse (banned)
  with Pydantic Request/Query models — DeviceCodeRequest, DevicePollRequest,
  DeviceLookupQuery, DeviceMutateRequest. Two PEP-695 generic helpers
  (_validate_json / _validate_query) translate ValidationError to BadRequest.
- controllers/openapi/auth/strategies.py: Protocol param-name match
  (subject_type), Optional narrowing on app/tenant/account_id/subject_email.
- controllers/openapi/auth/steps.py: subject_type-is-None guard before
  mounter dispatch.
- core/app/apps/workflow/generate_task_pipeline.py + models/workflow.py:
  add WorkflowAppLogCreatedFrom.OPENAPI + matching match-case branch.
  Fixes match-exhaustiveness and possibly-unbound created_from.
- libs/device_flow_security.py: pyright ignore on flask after_request
  hook (registered by the framework, pyright sees as unused).
- services/oauth_device_flow.py: rename Exceptions to *Error suffix
  (StateNotFoundError / InvalidTransitionError / UserCodeExhaustedError);
  same for libs/oauth_bearer.py (InvalidBearerError / TokenExpiredError).
  Update all callers across openapi controllers.
- controllers/openapi/{oauth_device,oauth_device_sso}.py +
  services/oauth_device_flow.py: switch logger.error in except blocks
  to logger.exception (TRY400) — keeps the traceback for ops.
- configs/feature/__init__.py: OPENAPI_KNOWN_CLIENT_IDS computed_field
  needs an @property alongside for pyright to see it as a value, not a
  method. Matches the existing line-451 pattern.

Plus ruff format + import-sort across the openapi tree (pure formatting).

2026-04-28 21:44:54 -07:00

GareArc

0b3b0b5ce8

feat(api): retire legacy /v1/* and /console/api device-flow mounts (Phase F)

Web and CLI consumers now hit /openapi/v1/* directly, so the dual-mount
shims can go:
  - controllers/oauth_device_sso.py (legacy /v1/oauth/device/sso-* + /v1/device/sso-complete)
  - controllers/service_api/oauth.py (legacy /v1/oauth/device/*, /v1/me, /v1/oauth/authorizations/self)
  - controllers/console/auth/oauth_device.py (placeholder for legacy /console/api/oauth/device/{approve,deny})
  - the deferred _register_legacy_console_mount() inside openapi/oauth_device.py

Imports in controllers/console/__init__.py, controllers/service_api/__init__.py,
and extensions/ext_blueprints.py pruned. Tests rewritten to openapi-only.

2026-04-27 00:45:10 -07:00

GareArc

2a38df2b7f

refactor(api): consolidate openapi/oauth_device into per-domain modules

Match the existing api-group convention: one module per resource family
with multiple Resource classes per file (cf service_api/dataset/dataset.py
with 7 routes, console/auth/oauth_device.py with 2 before this branch).

The Phase B-D fragmentation (one file per route under
controllers/openapi/oauth_device/) was inconsistent with the codebase.
Collapse into:

  controllers/openapi/oauth_device.py        (5 routes: code, token,
                                              lookup, approve, deny —
                                              account branch)
  controllers/openapi/oauth_device_sso.py    (4 routes: sso-initiate,
                                              sso-complete,
                                              approval-context,
                                              approve-external —
                                              EE-only SSO branch)

The split mirrors the original pre-migration layout: account branch in
console/auth/oauth_device.py, SSO branch in controllers/oauth_device_sso.py
(root). Both legacy mount files updated to import from the new modules.

No behavior change; 59 tests still green. Test files updated to import
from the consolidated module paths.

Plan: docs/superpowers/plans/2026-04-26-openapi-migration.md (in difyctl repo).

2026-04-27 00:07:15 -07:00

3 Commits