mirror of
https://github.com/langgenius/dify.git
synced 2026-05-20 08:46:57 +08:00
Split route for dfoe_ external-SSO discovery, separate from /apps (dfoa_-only workspace catalog). Cross-tenant allow-list query: server calls Enterprise inner-API POST /inner/api/webapp/permitted-apps and hydrates app/tenant rows locally. New scope apps:read:permitted (no dual-meaning with apps:read). Route gated by @enterprise_only — 404 on CE — and validate_bearer(accept=ACCEPT_USER_EXT_SSO) — 403 on dfoa_. Query validator rejects workspace_id and tag (cross-tenant unresolvable); mode/name supported. EE inner-API wire-up depends on ee-2; the service-layer stub raises ServiceUnavailable until that endpoint ships. CLI dispatches between /apps and /apps/permitted client-side based on the bearer prefix in hosts.yml — see docs/specs/v1.0/apps.md §Subject dispatch. Verified via unit tests on AppPermittedListQuery and Scope wiring; HTTP integration tests deferred to ee-2 once the inner-API ships.
# Wiring for the "openapi" blueprint served under /openapi/v1.
#
# Order of the statements below:
#   1. build the blueprint and call attach_anti_framing() on it,
#   2. wrap it in ExternalApi and create the shared ``openapi_ns`` namespace,
#   3. import the controller modules of this package,
#   4. add the namespace to ``api``.
from flask import Blueprint
from flask_restx import Namespace

from libs.device_flow_security import attach_anti_framing
from libs.external_api import ExternalApi

bp = Blueprint(
    "openapi",
    __name__,
    url_prefix="/openapi/v1",
)

# NOTE(review): presumably registers anti-framing (clickjacking) response
# headers for the routes on this blueprint; confirm in
# libs.device_flow_security.
attach_anti_framing(bp)

api = ExternalApi(bp, version="1.0", title="OpenAPI", description="User-scoped programmatic API (bearer auth)")

openapi_ns = Namespace(
    "openapi",
    description="User-scoped operations",
    path="/",
)

# Imported only after ``bp``, ``api`` and ``openapi_ns`` are bound.
# NOTE(review): presumably each module registers its resources on
# ``openapi_ns`` at import time, which is why this import sits below the
# definitions rather than at the top of the file; confirm before moving it.
#
# NOTE(review): nothing in this file attaches bearer validation or scope
# checks at blueprint level. Presumably every controller module enforces them
# on its own routes, so a module added to this list needs its own auth
# gating; confirm against the controllers.
from . import (
    account,
    app_info,
    apps,
    apps_permitted,
    chat_messages,
    completion_messages,
    index,
    oauth_device,
    oauth_device_sso,
    workflow_run,
    workspaces,
)

# Same names as the import list above, in the same order.
__all__ = [
    "account",
    "app_info",
    "apps",
    "apps_permitted",
    "chat_messages",
    "completion_messages",
    "index",
    "oauth_device",
    "oauth_device_sso",
    "workflow_run",
    "workspaces",
]

# Added last, after the controller imports above have run.
api.add_namespace(openapi_ns)