mirror of
https://github.com/langgenius/dify.git
synced 2026-05-17 07:26:23 +08:00
591048d7c2
Bearer auth surface for /openapi/v1/* run-routes:
- OAUTH_BEARER_PIPELINE (renamed from APP_PIPELINE for clarity outside this
module) composes BearerCheck → ScopeCheck → AppResolver →
WorkspaceMembershipCheck → AppAuthzCheck → CallerMount.
- BearerAuthenticator.authenticate() is the single source of identity +
rate-limit. Both pipeline (BearerCheck) and decorator (validate_bearer)
delegate to it, so per-token rate limit fires exactly once per request.
- Layer 0 (workspace membership) is CE-only; on EE the gateway owns
tenant isolation. Verdicts are cached on the AuthContext entry as
verified_tenants: dict[str, bool] (legacy "ok"/"denied" strings tolerated
by from_cache for one TTL cycle, then removed).
- check_workspace_membership(...) is the shared core; the pipeline step
and the inline require_workspace_member helper both delegate to it.
- Per-token rate limit: 60/min sliding window, RFC-7231-compliant 429
with Retry-After header + JSON body { error, retry_after_ms }. Bucket
key is sha256(token) so all replicas share state via Redis.
API hygiene:
- Scope StrEnum (FULL, APPS_READ, APPS_RUN) replaces bare string literals.
- /openapi/v1/apps/<id>/info: scope flipped from apps:run to apps:read.
- /info migrates off the pipeline to validate_bearer + require_scope +
require_workspace_member (no AppAuthzCheck/CallerMount needed for reads).
- ResolvedRow gains to_cache() / from_cache() classmethods.
- AuthContext gains token_hash + verified_tenants, dropping the per-route
re-hash and per-request Redis read on the cache hit path.
OPENAPI_RATE_LIMIT_PER_TOKEN config (default 60).
47 lines
1.3 KiB
Python
47 lines
1.3 KiB
Python
"""Mutable per-request context for the openapi auth pipeline.
|
|
|
|
Every field starts None / empty and is filled in by a step. The pipeline
|
|
is the only thing that should construct or mutate Context — handlers
|
|
read populated values via the decorator's kwargs unpacking.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import uuid
|
|
from dataclasses import dataclass, field
|
|
from datetime import datetime
|
|
from typing import TYPE_CHECKING, Literal, Protocol
|
|
|
|
from flask import Request
|
|
|
|
from libs.oauth_bearer import Scope, SubjectType
|
|
|
|
if TYPE_CHECKING:
|
|
from models import App, Tenant
|
|
|
|
|
|
@dataclass
|
|
class Context:
|
|
request: Request
|
|
required_scope: Scope
|
|
subject_type: SubjectType | None = None
|
|
subject_email: str | None = None
|
|
subject_issuer: str | None = None
|
|
account_id: uuid.UUID | None = None
|
|
scopes: frozenset[Scope] = field(default_factory=frozenset)
|
|
token_id: uuid.UUID | None = None
|
|
token_hash: str | None = None
|
|
cached_verified_tenants: dict[str, bool] | None = None
|
|
source: str | None = None
|
|
expires_at: datetime | None = None
|
|
app: App | None = None
|
|
tenant: Tenant | None = None
|
|
caller: object | None = None
|
|
caller_kind: Literal["account", "end_user"] | None = None
|
|
|
|
|
|
class Step(Protocol):
|
|
"""One responsibility. Mutate ctx or raise to short-circuit."""
|
|
|
|
def __call__(self, ctx: Context) -> None: ...
|