mirror of
https://github.com/bytedance/deer-flow.git
synced 2026-05-14 12:43:45 +00:00
27b66d6753
Introduce an always-on auth layer with auto-created admin on first boot, multi-tenant isolation for threads/stores, and a full setup/login flow. Backend - JWT access tokens with `ver` field for stale-token rejection; bump on password/email change - Password hashing, HttpOnly+Secure cookies (Secure derived from request scheme at runtime) - CSRF middleware covering both REST and LangGraph routes - IP-based login rate limiting (5 attempts / 5-min lockout) with bounded dict growth and X-Forwarded-For bypass fix - Multi-worker-safe admin auto-creation (single DB write, WAL once) - needs_setup + token_version on User model; SQLite schema migration - Thread/store isolation by owner; orphan thread migration on first admin registration - thread_id validated as UUID to prevent log injection - CLI tool to reset admin password - Decorator-based authz module extracted from auth core Frontend - Login and setup pages with SSR guard for needs_setup flow - Account settings page (change password / email) - AuthProvider + route guards; skips redirect when no users registered - i18n (en-US / zh-CN) for auth surfaces - Typed auth API client; parseAuthError unwraps FastAPI detail envelope Infra & tooling - Unified `serve.sh` with gateway mode + auto dep install - Public PyPI uv.toml pin for CI compatibility - Regenerated uv.lock with public index Tests - HTTP vs HTTPS cookie security tests - Auth middleware, rate limiter, CSRF, setup flow coverage
42 lines
1.4 KiB
Python
42 lines
1.4 KiB
Python
"""User Pydantic models for authentication."""
|
|
|
|
from datetime import UTC, datetime
|
|
from typing import Literal
|
|
from uuid import UUID, uuid4
|
|
|
|
from pydantic import BaseModel, ConfigDict, EmailStr, Field
|
|
|
|
|
|
def _utc_now() -> datetime:
|
|
"""Return current UTC time (timezone-aware)."""
|
|
return datetime.now(UTC)
|
|
|
|
|
|
class User(BaseModel):
|
|
"""Internal user representation."""
|
|
|
|
model_config = ConfigDict(from_attributes=True)
|
|
|
|
id: UUID = Field(default_factory=uuid4, description="Primary key")
|
|
email: EmailStr = Field(..., description="Unique email address")
|
|
password_hash: str | None = Field(None, description="bcrypt hash, nullable for OAuth users")
|
|
system_role: Literal["admin", "user"] = Field(default="user")
|
|
created_at: datetime = Field(default_factory=_utc_now)
|
|
|
|
# OAuth linkage (optional)
|
|
oauth_provider: str | None = Field(None, description="e.g. 'github', 'google'")
|
|
oauth_id: str | None = Field(None, description="User ID from OAuth provider")
|
|
|
|
# Auth lifecycle
|
|
needs_setup: bool = Field(default=False, description="True for auto-created admin until setup completes")
|
|
token_version: int = Field(default=0, description="Incremented on password change to invalidate old JWTs")
|
|
|
|
|
|
class UserResponse(BaseModel):
|
|
"""Response model for user info endpoint."""
|
|
|
|
id: str
|
|
email: str
|
|
system_role: Literal["admin", "user"]
|
|
needs_setup: bool = False
|