mirror of
https://github.com/langgenius/dify.git
synced 2026-07-14 08:57:02 +08:00
feat(openapi): distinguish expired OAuth bearer from invalid token
Previously an expired OAuth bearer and an unknown/invalid one both surfaced as an indistinguishable generic 401 (and an invalid token actually leaked a 500), so a client could not tell "session expired, re-authenticate" apart from "never authenticated." The resolver now raises a distinct TokenExpiredError for expired DB rows and records a separate `expired` negative-cache marker, so a retry within the negative-cache TTL still reports expiry instead of collapsing into a generic miss. The auth pipeline maps the two domain errors to unified OpenApiError responses: SessionExpired (code `token_expired`) and InvalidBearer (code `unauthorized`), both 401. This also fixes the latent 500 on invalid bearers. The `token_expired` code is synced through the contract codegen into the generated types/zod, and the difyctl error mapper branches the 401 on it. The CLI `expired_token` taxonomy member (RFC 8628 device-flow code expiry) is merged into `token_expired`; the RFC 8628 wire value is unchanged. Closes WTA-1062
This commit is contained in:
@ -34,6 +34,7 @@ class OpenApiErrorCode(StrEnum):
|
||||
# transport-generic (resolved from HTTP status for plain werkzeug raises)
|
||||
BAD_REQUEST = "bad_request"
|
||||
UNAUTHORIZED = "unauthorized"
|
||||
TOKEN_EXPIRED = "token_expired"
|
||||
FORBIDDEN = "forbidden"
|
||||
NOT_FOUND = "not_found"
|
||||
METHOD_NOT_ALLOWED = "method_not_allowed"
|
||||
@ -223,6 +224,19 @@ class OpenApiErrorFormatter:
|
||||
return isinstance(part, (str, int)) and not isinstance(part, bool)
|
||||
|
||||
|
||||
class InvalidBearer(OpenApiError): # noqa: N818
|
||||
code = 401
|
||||
error_code = OpenApiErrorCode.UNAUTHORIZED
|
||||
description = "Invalid or unknown bearer token."
|
||||
|
||||
|
||||
class SessionExpired(OpenApiError): # noqa: N818
|
||||
code = 401
|
||||
error_code = OpenApiErrorCode.TOKEN_EXPIRED
|
||||
description = "Your session has expired."
|
||||
hint = "Re-authenticate to continue (e.g. re-run your login command)."
|
||||
|
||||
|
||||
class FilenameNotExists(OpenApiError): # noqa: N818
|
||||
code = 400
|
||||
error_code = OpenApiErrorCode.FILENAME_NOT_EXISTS
|
||||
|
||||
Reference in New Issue
Block a user