opensource/dify - dify - Gitea: Git with a cup of tea

opensource/dify

Fork 0

mirror of https://github.com/langgenius/dify.git synced 2026-05-13 00:33:37 +08:00

Commit Graph

Author	SHA1	Message	Date
GareArc	8a62c1d915	chore(api): pyright + ruff cleanup for openapi/cli surface Type and lint pass over the openapi controllers, auth pipeline, and oauth bearer/device-flow plumbing. Down from 36 pyright errors and 16 ruff errors to 0/0; 93 openapi unit tests pass. Logic fixes: - libs/oauth_bearer.py: drop private-naming on the friend-API methods consumed by _VariantResolver (cache_get / cache_set_positive / cache_set_negative / hard_expire / session_factory). They were always cross-class accessors — leading underscore was misleading. Add public registry property on BearerAuthenticator. _hard_expire row_id widened to UUID \| str (matches the StringUUID column type). - libs/oauth_bearer.py: type validate_bearer / bearer_feature_required with ParamSpec / PEP-695 so wrapped routes preserve their signature. - libs/rate_limit.py: same — typed rate_limit decorator. - services/oauth_device_flow.py: mint_oauth_token / _upsert accept Session \| scoped_session (Flask-SQLAlchemy proxy). Guard row-is-None after upsert. - controllers/openapi/{chat,completion,workflow}_messages.py: tuple-vs- Mapping shape narrowing on AppGenerateService.generate return — production returns Mapping, tests mock as (body, status). Validate through Pydantic Response model in both shapes. - controllers/openapi/oauth_device.py: replace flask_restx.reqparse (banned) with Pydantic Request/Query models — DeviceCodeRequest, DevicePollRequest, DeviceLookupQuery, DeviceMutateRequest. Two PEP-695 generic helpers (_validate_json / _validate_query) translate ValidationError to BadRequest. - controllers/openapi/auth/strategies.py: Protocol param-name match (subject_type), Optional narrowing on app/tenant/account_id/subject_email. - controllers/openapi/auth/steps.py: subject_type-is-None guard before mounter dispatch. - core/app/apps/workflow/generate_task_pipeline.py + models/workflow.py: add WorkflowAppLogCreatedFrom.OPENAPI + matching match-case branch. Fixes match-exhaustiveness and possibly-unbound created_from. - libs/device_flow_security.py: pyright ignore on flask after_request hook (registered by the framework, pyright sees as unused). - services/oauth_device_flow.py: rename Exceptions to *Error suffix (StateNotFoundError / InvalidTransitionError / UserCodeExhaustedError); same for libs/oauth_bearer.py (InvalidBearerError / TokenExpiredError). Update all callers across openapi controllers. - controllers/openapi/{oauth_device,oauth_device_sso}.py + services/oauth_device_flow.py: switch logger.error in except blocks to logger.exception (TRY400) — keeps the traceback for ops. - configs/feature/__init__.py: OPENAPI_KNOWN_CLIENT_IDS computed_field needs an @property alongside for pyright to see it as a value, not a method. Matches the existing line-451 pattern. Plus ruff format + import-sort across the openapi tree (pure formatting).	2026-04-28 21:44:54 -07:00
GareArc	fe8510ad1a	feat(api,web): OAuth 2.0 device flow + bearer auth (RFC 8628) Adds a CLI-friendly authorization flow so difyctl (and future non-browser clients) can obtain user-scoped tokens without copy- pasting cookies or raw API keys. Two grant paths share one device flow surface: 1. Account branch — user signs in via the existing /signin methods, /device page calls console-authed approve, mints a dfoa_ token tied to (account_id, tenant). 2. External-SSO branch (EE) — /v1/oauth/device/sso-initiate signs an SSOState envelope, hands off to Enterprise's external ACS, receives a signed external-subject assertion, mints a dfoe_ token tied to (subject_email, subject_issuer). API surface (all under /v1, EE-only endpoints 404 on CE): POST /v1/oauth/device/code — RFC 8628 start POST /v1/oauth/device/token — RFC 8628 poll GET /v1/oauth/device/lookup — pre-validate user_code GET /v1/oauth/device/sso-initiate — SSO branch entry GET /v1/device/sso-complete — SSO callback sink GET /v1/oauth/device/approval-context — /device cookie probe POST /v1/oauth/device/approve-external — SSO approve GET /v1/me — bearer subject lookup DELETE /v1/oauth/authorizations/self — self-revoke POST /console/api/oauth/device/approve — account approve POST /console/api/oauth/device/deny — account deny Core primitives: - libs/oauth_bearer.py: prefix-keyed TokenKindRegistry + BearerAuthenticator + validate_bearer decorator. Two-tier scope (full vs apps:run) stamped from the registry, never from the DB. - libs/jws.py: HS256 compact JWS keyed on the shared Dify SECRET_KEY — same key-set verifies the SSOState envelope, the external-subject assertion (minted by Enterprise), and the approval-grant cookie. - libs/device_flow_security.py: enterprise_only gate, approval- grant cookie mint/verify/consume (Path=/v1/oauth/device, HttpOnly, SameSite=Lax, Secure follows is_secure()), anti- framing headers. - libs/rate_limit.py: typed RateLimit / RateLimitScope dispatch with composite-key buckets; both decorator + imperative form. - services/oauth_device_flow.py: Redis state machine (PENDING -> APPROVED\|DENIED with atomic consume-on-poll), token mint via partial unique index uq_oauth_active_per_device (rotates in place), env-driven TTL policy. Storage: oauth_access_tokens table with partial unique index on (subject_email, subject_issuer, client_id, device_label) WHERE revoked_at IS NULL. account_id NULL distinguishes external-SSO rows. Hard-expire is CAS UPDATE (revoked_at + nullify token_hash) so audit events keep their token_id. Retention pruner DELETEs revoked + zombie-expired rows past OAUTH_ACCESS_TOKEN_RETENTION_DAYS. Frontend: /device page with code-entry, chooser (account vs SSO), authorize-account, authorize-sso views. SSO branch detaches from the URL user_code and reads everything from the cookie via /approval-context. Anti-framing headers on all responses. Wiring: ENABLE_OAUTH_BEARER feature flag; ext_oauth_bearer binds the authenticator at startup; clean_oauth_access_tokens_task scheduled in ext_celery. Spec: docs/specs/v1.0/server/{device-flow,tokens,middleware,security}.md	2026-04-26 20:06:43 -07:00

Author

SHA1

Message

Date

GareArc

8a62c1d915

chore(api): pyright + ruff cleanup for openapi/cli surface

Type and lint pass over the openapi controllers, auth pipeline, and
oauth bearer/device-flow plumbing. Down from 36 pyright errors and 16
ruff errors to 0/0; 93 openapi unit tests pass.

Logic fixes:
- libs/oauth_bearer.py: drop private-naming on the friend-API methods
  consumed by _VariantResolver (cache_get / cache_set_positive /
  cache_set_negative / hard_expire / session_factory). They were always
  cross-class accessors — leading underscore was misleading. Add public
  registry property on BearerAuthenticator. _hard_expire row_id widened
  to UUID | str (matches the StringUUID column type).
- libs/oauth_bearer.py: type validate_bearer / bearer_feature_required
  with ParamSpec / PEP-695 so wrapped routes preserve their signature.
- libs/rate_limit.py: same — typed rate_limit decorator.
- services/oauth_device_flow.py: mint_oauth_token / _upsert accept
  Session | scoped_session (Flask-SQLAlchemy proxy). Guard row-is-None
  after upsert.
- controllers/openapi/{chat,completion,workflow}_messages.py: tuple-vs-
  Mapping shape narrowing on AppGenerateService.generate return —
  production returns Mapping, tests mock as (body, status). Validate
  through Pydantic Response model in both shapes.
- controllers/openapi/oauth_device.py: replace flask_restx.reqparse (banned)
  with Pydantic Request/Query models — DeviceCodeRequest, DevicePollRequest,
  DeviceLookupQuery, DeviceMutateRequest. Two PEP-695 generic helpers
  (_validate_json / _validate_query) translate ValidationError to BadRequest.
- controllers/openapi/auth/strategies.py: Protocol param-name match
  (subject_type), Optional narrowing on app/tenant/account_id/subject_email.
- controllers/openapi/auth/steps.py: subject_type-is-None guard before
  mounter dispatch.
- core/app/apps/workflow/generate_task_pipeline.py + models/workflow.py:
  add WorkflowAppLogCreatedFrom.OPENAPI + matching match-case branch.
  Fixes match-exhaustiveness and possibly-unbound created_from.
- libs/device_flow_security.py: pyright ignore on flask after_request
  hook (registered by the framework, pyright sees as unused).
- services/oauth_device_flow.py: rename Exceptions to *Error suffix
  (StateNotFoundError / InvalidTransitionError / UserCodeExhaustedError);
  same for libs/oauth_bearer.py (InvalidBearerError / TokenExpiredError).
  Update all callers across openapi controllers.
- controllers/openapi/{oauth_device,oauth_device_sso}.py +
  services/oauth_device_flow.py: switch logger.error in except blocks
  to logger.exception (TRY400) — keeps the traceback for ops.
- configs/feature/__init__.py: OPENAPI_KNOWN_CLIENT_IDS computed_field
  needs an @property alongside for pyright to see it as a value, not a
  method. Matches the existing line-451 pattern.

Plus ruff format + import-sort across the openapi tree (pure formatting).

2026-04-28 21:44:54 -07:00

GareArc

fe8510ad1a

feat(api,web): OAuth 2.0 device flow + bearer auth (RFC 8628)

Adds a CLI-friendly authorization flow so difyctl (and future
non-browser clients) can obtain user-scoped tokens without copy-
pasting cookies or raw API keys. Two grant paths share one device
flow surface:

  1. Account branch — user signs in via the existing /signin
     methods, /device page calls console-authed approve, mints a
     dfoa_ token tied to (account_id, tenant).
  2. External-SSO branch (EE) — /v1/oauth/device/sso-initiate signs
     an SSOState envelope, hands off to Enterprise's external ACS,
     receives a signed external-subject assertion, mints a dfoe_
     token tied to (subject_email, subject_issuer).

API surface (all under /v1, EE-only endpoints 404 on CE):

  POST   /v1/oauth/device/code              — RFC 8628 start
  POST   /v1/oauth/device/token             — RFC 8628 poll
  GET    /v1/oauth/device/lookup            — pre-validate user_code
  GET    /v1/oauth/device/sso-initiate      — SSO branch entry
  GET    /v1/device/sso-complete            — SSO callback sink
  GET    /v1/oauth/device/approval-context  — /device cookie probe
  POST   /v1/oauth/device/approve-external  — SSO approve
  GET    /v1/me                             — bearer subject lookup
  DELETE /v1/oauth/authorizations/self      — self-revoke
  POST   /console/api/oauth/device/approve  — account approve
  POST   /console/api/oauth/device/deny     — account deny

Core primitives:
- libs/oauth_bearer.py: prefix-keyed TokenKindRegistry +
  BearerAuthenticator + validate_bearer decorator. Two-tier scope
  (full vs apps:run) stamped from the registry, never from the DB.
- libs/jws.py: HS256 compact JWS keyed on the shared Dify
  SECRET_KEY — same key-set verifies the SSOState envelope, the
  external-subject assertion (minted by Enterprise), and the
  approval-grant cookie.
- libs/device_flow_security.py: enterprise_only gate, approval-
  grant cookie mint/verify/consume (Path=/v1/oauth/device,
  HttpOnly, SameSite=Lax, Secure follows is_secure()), anti-
  framing headers.
- libs/rate_limit.py: typed RateLimit / RateLimitScope dispatch
  with composite-key buckets; both decorator + imperative form.
- services/oauth_device_flow.py: Redis state machine (PENDING ->
  APPROVED|DENIED with atomic consume-on-poll), token mint via
  partial unique index uq_oauth_active_per_device (rotates in
  place), env-driven TTL policy.

Storage: oauth_access_tokens table with partial unique index on
(subject_email, subject_issuer, client_id, device_label) WHERE
revoked_at IS NULL. account_id NULL distinguishes external-SSO
rows. Hard-expire is CAS UPDATE (revoked_at + nullify token_hash)
so audit events keep their token_id. Retention pruner DELETEs
revoked + zombie-expired rows past OAUTH_ACCESS_TOKEN_RETENTION_DAYS.

Frontend: /device page with code-entry, chooser (account vs SSO),
authorize-account, authorize-sso views. SSO branch detaches from
the URL user_code and reads everything from the cookie via
/approval-context. Anti-framing headers on all responses.

Wiring: ENABLE_OAUTH_BEARER feature flag; ext_oauth_bearer binds
the authenticator at startup; clean_oauth_access_tokens_task
scheduled in ext_celery.

Spec: docs/specs/v1.0/server/{device-flow,tokens,middleware,security}.md

2026-04-26 20:06:43 -07:00

2 Commits