youngkingdom/dify - dify - Gitea: Git with a cup of tea

youngkingdom/dify

Fork 0

mirror of https://github.com/langgenius/dify.git synced 2026-05-20 16:57:01 +08:00

Commit Graph

Author	SHA1	Message	Date
GareArc	591048d7c2	feat(openapi): bearer auth pipeline + Layer 0 + per-token rate limit (CE) Bearer auth surface for /openapi/v1/* run-routes: - OAUTH_BEARER_PIPELINE (renamed from APP_PIPELINE for clarity outside this module) composes BearerCheck → ScopeCheck → AppResolver → WorkspaceMembershipCheck → AppAuthzCheck → CallerMount. - BearerAuthenticator.authenticate() is the single source of identity + rate-limit. Both pipeline (BearerCheck) and decorator (validate_bearer) delegate to it, so per-token rate limit fires exactly once per request. - Layer 0 (workspace membership) is CE-only; on EE the gateway owns tenant isolation. Verdicts are cached on the AuthContext entry as verified_tenants: dict[str, bool] (legacy "ok"/"denied" strings tolerated by from_cache for one TTL cycle, then removed). - check_workspace_membership(...) is the shared core; the pipeline step and the inline require_workspace_member helper both delegate to it. - Per-token rate limit: 60/min sliding window, RFC-7231-compliant 429 with Retry-After header + JSON body { error, retry_after_ms }. Bucket key is sha256(token) so all replicas share state via Redis. API hygiene: - Scope StrEnum (FULL, APPS_READ, APPS_RUN) replaces bare string literals. - /openapi/v1/apps/<id>/info: scope flipped from apps:run to apps:read. - /info migrates off the pipeline to validate_bearer + require_scope + require_workspace_member (no AppAuthzCheck/CallerMount needed for reads). - ResolvedRow gains to_cache() / from_cache() classmethods. - AuthContext gains token_hash + verified_tenants, dropping the per-route re-hash and per-request Redis read on the cache hit path. OPENAPI_RATE_LIMIT_PER_TOKEN config (default 60).	2026-05-05 18:07:47 -07:00
GareArc	cf5ebe9430	feat(openapi): app-run endpoints with auth pipeline Ports service_api/app/{completion,workflow}.py to bearer-authed /openapi/v1/apps/<app_id>/{info,chat-messages,completion-messages,workflows/run}. Architecture: - New controllers/openapi/auth/ package: Pipeline + Step protocol over one mutable Context. Endpoints attach via @APP_PIPELINE.guard(scope=...) — single attachment point; forgetting auth is structurally impossible. - Pipeline order: BearerCheck -> ScopeCheck -> AppResolver -> AppAuthzCheck -> CallerMount. - Strategies vary along independent axes: AclStrategy (EE webapp-auth inner API) vs MembershipStrategy (CE TenantAccountJoin); AccountMounter vs EndUserMounter dispatched by SubjectType. - App is in URL path (not header). Each non-GET has typed Pydantic Request; each non-SSE response has typed Pydantic Response. Bearer-as-identity: body 'user' field stripped, ignored if present. Adds InvokeFrom.OPENAPI enum variant. Emits app.run.openapi audit log on successful invocation via standard logger extra={"audit": True, ...} convention.	2026-04-27 17:25:17 -07:00

Author

SHA1

Message

Date

GareArc

591048d7c2

feat(openapi): bearer auth pipeline + Layer 0 + per-token rate limit (CE)

Bearer auth surface for /openapi/v1/* run-routes:

- OAUTH_BEARER_PIPELINE (renamed from APP_PIPELINE for clarity outside this
  module) composes BearerCheck → ScopeCheck → AppResolver →
  WorkspaceMembershipCheck → AppAuthzCheck → CallerMount.
- BearerAuthenticator.authenticate() is the single source of identity +
  rate-limit. Both pipeline (BearerCheck) and decorator (validate_bearer)
  delegate to it, so per-token rate limit fires exactly once per request.
- Layer 0 (workspace membership) is CE-only; on EE the gateway owns
  tenant isolation. Verdicts are cached on the AuthContext entry as
  verified_tenants: dict[str, bool] (legacy "ok"/"denied" strings tolerated
  by from_cache for one TTL cycle, then removed).
- check_workspace_membership(...) is the shared core; the pipeline step
  and the inline require_workspace_member helper both delegate to it.
- Per-token rate limit: 60/min sliding window, RFC-7231-compliant 429
  with Retry-After header + JSON body { error, retry_after_ms }. Bucket
  key is sha256(token) so all replicas share state via Redis.

API hygiene:
- Scope StrEnum (FULL, APPS_READ, APPS_RUN) replaces bare string literals.
- /openapi/v1/apps/<id>/info: scope flipped from apps:run to apps:read.
- /info migrates off the pipeline to validate_bearer + require_scope +
  require_workspace_member (no AppAuthzCheck/CallerMount needed for reads).
- ResolvedRow gains to_cache() / from_cache() classmethods.
- AuthContext gains token_hash + verified_tenants, dropping the per-route
  re-hash and per-request Redis read on the cache hit path.

OPENAPI_RATE_LIMIT_PER_TOKEN config (default 60).

2026-05-05 18:07:47 -07:00

GareArc

cf5ebe9430

feat(openapi): app-run endpoints with auth pipeline

Ports service_api/app/{completion,workflow}.py to bearer-authed
/openapi/v1/apps/<app_id>/{info,chat-messages,completion-messages,workflows/run}.

Architecture:
- New controllers/openapi/auth/ package: Pipeline + Step protocol over
  one mutable Context. Endpoints attach via @APP_PIPELINE.guard(scope=...)
  — single attachment point; forgetting auth is structurally impossible.
- Pipeline order: BearerCheck -> ScopeCheck -> AppResolver -> AppAuthzCheck
  -> CallerMount.
- Strategies vary along independent axes: AclStrategy (EE webapp-auth inner
  API) vs MembershipStrategy (CE TenantAccountJoin); AccountMounter vs
  EndUserMounter dispatched by SubjectType.
- App is in URL path (not header). Each non-GET has typed Pydantic Request;
  each non-SSE response has typed Pydantic Response. Bearer-as-identity:
  body 'user' field stripped, ignored if present.

Adds InvokeFrom.OPENAPI enum variant. Emits app.run.openapi audit log
on successful invocation via standard logger extra={"audit": True, ...}
convention.

2026-04-27 17:25:17 -07:00

2 Commits