services/enterprise/app_permitted_service.list_permitted_apps calls
EnterpriseService.WebAppAuth.list_externally_accessible_apps and decodes
the camelCase wrapper response into a PermittedAppsPage carrying just
app_ids. The controller hydrates name/mode/tenant/etc. from local
App/Tenant rows.

The EE response shape is {data: [appId], total, hasMore} per ee-2. EE owns
access control only; dify/api owns app data, so the older inner-API
metadata fanout (/inner/api/enterprise/apps/batch-metadata) is removed.

- delete controllers/inner_api/app/metadata.py + its test
- service: ServiceUnavailable on EnterpriseAPIError; 5s timeout via wrapper
- controller: drop fail-fast subject check + unused g/InternalServerError
imports
- fail-fast on missing subject_email/subject_issuer for dfoe_
bearers (was silently coercing None -> empty string and sending
a malformed query upstream).
- document the has_more contract: total comes from EE inner-API
unfiltered count; locally-dropped archived rows leave
len(items) < limit even when has_more=True.
- gate tenant-name lookup in /apps on non-empty rows so empty
filter results skip the wasted scalar query.
- rename AppListPermittedApi -> AppPermittedListApi for word-order
consistency with AppPermittedListQuery.
- tests: positive mode acceptance and explicit dfoa_ non-carrier
assertion.

Split route for dfoe_ external-SSO discovery, separate from /apps
(dfoa_-only workspace catalog). Cross-tenant allow-list query: server
calls Enterprise inner-API POST /inner/api/webapp/permitted-apps and
hydrates app/tenant rows locally. New scope apps:read:permitted (no
dual-meaning with apps:read). Route gated by @enterprise_only — 404
on CE — and validate_bearer(accept=ACCEPT_USER_EXT_SSO) — 403 on dfoa_.
Query validator rejects workspace_id and tag (cross-tenant
unresolvable); mode/name supported.

EE inner-API wire-up depends on ee-2; the service-layer stub raises
ServiceUnavailable until that endpoint ships. CLI dispatches between
/apps and /apps/permitted client-side based on the bearer prefix in
hosts.yml — see docs/specs/v1.0/apps.md §Subject dispatch.

Verified via unit tests on AppPermittedListQuery and Scope wiring;
HTTP integration tests deferred to ee-2 once the inner-API ships.
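
Added example, not part of the commit or the project's code: a sketch of the has_more contract and the fail-fast subject check described above, showing why a caller must page on has_more rather than on a short page. Apart from PermittedAppsPage and the {data, total, hasMore} wire shape, every name here (build_subject, MissingSubject, hydrate, list_all, the subjectEmail/subjectIssuer keys, the archived flag, the sample rows) is an assumption.

```python
from dataclasses import dataclass

@dataclass
class PermittedAppsPage:  # name from the commit message; fields are assumed
    app_ids: list
    total: int
    has_more: bool

class MissingSubject(Exception):
    """Hypothetical error raised instead of sending an empty subject upstream."""

def build_subject(email, issuer):
    # Fail fast: None or an empty string must not become a malformed query.
    if not email or not issuer:
        raise MissingSubject("subject_email and subject_issuer are required")
    return {"subjectEmail": email, "subjectIssuer": issuer}  # assumed wire keys

def decode_page(wire):
    # Wire shape from the commit message: {data: [appId], total, hasMore}
    return PermittedAppsPage(list(wire["data"]), int(wire["total"]), bool(wire["hasMore"]))

def hydrate(page, local_apps):
    # Archived or missing local rows are dropped, so len(items) can be
    # below the limit while has_more is still True.
    items = [local_apps[i] for i in page.app_ids
             if i in local_apps and not local_apps[i]["archived"]]
    return {"items": items, "total": page.total, "has_more": page.has_more}

def list_all(fetch_page, local_apps, email, issuer, limit=2):
    subject = build_subject(email, issuer)  # validated before any upstream call
    out, page_no = [], 1
    while True:
        wire = fetch_page(subject, page_no, limit)
        resp = hydrate(decode_page(wire), local_apps)
        out.extend(resp["items"])
        if not resp["has_more"]:  # stop on has_more, never on a short page
            return out
        page_no += 1

# Constructed sample data (not from the repository).
LOCAL_APPS = {"a1": {"name": "Helpdesk", "archived": False},
              "a2": {"name": "Old bot", "archived": True},
              "a3": {"name": "Search", "archived": False}}
WIRE_PAGES = {1: {"data": ["a1", "a2"], "total": 3, "hasMore": True},
              2: {"data": ["a3"], "total": 3, "hasMore": False}}

def fake_fetch(subject, page_no, limit):
    return WIRE_PAGES[page_no]
```
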