mirror of
https://github.com/bytedance/deer-flow.git
synced 2026-05-07 01:08:25 +00:00
27b66d6753
Introduce an always-on auth layer with auto-created admin on first boot, multi-tenant isolation for threads/stores, and a full setup/login flow. Backend - JWT access tokens with `ver` field for stale-token rejection; bump on password/email change - Password hashing, HttpOnly+Secure cookies (Secure derived from request scheme at runtime) - CSRF middleware covering both REST and LangGraph routes - IP-based login rate limiting (5 attempts / 5-min lockout) with bounded dict growth and X-Forwarded-For bypass fix - Multi-worker-safe admin auto-creation (single DB write, WAL once) - needs_setup + token_version on User model; SQLite schema migration - Thread/store isolation by owner; orphan thread migration on first admin registration - thread_id validated as UUID to prevent log injection - CLI tool to reset admin password - Decorator-based authz module extracted from auth core Frontend - Login and setup pages with SSR guard for needs_setup flow - Account settings page (change password / email) - AuthProvider + route guards; skips redirect when no users registered - i18n (en-US / zh-CN) for auth surfaces - Typed auth API client; parseAuthError unwraps FastAPI detail envelope Infra & tooling - Unified `serve.sh` with gateway mode + auto dep install - Public PyPI uv.toml pin for CI compatibility - Regenerated uv.lock with public index Tests - HTTP vs HTTPS cookie security tests - Auth middleware, rate limiter, CSRF, setup flow coverage
87 lines
2.4 KiB
JavaScript
87 lines
2.4 KiB
JavaScript
/**
|
|
* Run `build` or `dev` with `SKIP_ENV_VALIDATION` to skip env validation. This is especially useful
|
|
* for Docker builds.
|
|
*/
|
|
import "./src/env.js";
|
|
|
|
function getInternalServiceURL(envKey, fallbackURL) {
|
|
const configured = process.env[envKey]?.trim();
|
|
return configured && configured.length > 0
|
|
? configured.replace(/\/+$/, "")
|
|
: fallbackURL;
|
|
}
|
|
import nextra from "nextra";
|
|
|
|
const withNextra = nextra({});
|
|
|
|
/** @type {import("next").NextConfig} */
|
|
const config = {
|
|
i18n: {
|
|
locales: ["en", "zh"],
|
|
defaultLocale: "en",
|
|
},
|
|
devIndicators: false,
|
|
allowedDevOrigins: process.env.NEXT_DEV_ALLOWED_ORIGINS
|
|
? process.env.NEXT_DEV_ALLOWED_ORIGINS.split(",")
|
|
.map((s) => s.trim())
|
|
.filter(Boolean)
|
|
: [],
|
|
async rewrites() {
|
|
const beforeFiles = [];
|
|
const langgraphURL = getInternalServiceURL(
|
|
"DEER_FLOW_INTERNAL_LANGGRAPH_BASE_URL",
|
|
"http://127.0.0.1:2024",
|
|
);
|
|
const gatewayURL = getInternalServiceURL(
|
|
"DEER_FLOW_INTERNAL_GATEWAY_BASE_URL",
|
|
"http://127.0.0.1:8001",
|
|
);
|
|
|
|
if (!process.env.NEXT_PUBLIC_LANGGRAPH_BASE_URL) {
|
|
beforeFiles.push({
|
|
source: "/api/langgraph",
|
|
destination: langgraphURL,
|
|
});
|
|
beforeFiles.push({
|
|
source: "/api/langgraph/:path*",
|
|
destination: `${langgraphURL}/:path*`,
|
|
});
|
|
}
|
|
|
|
// Auth endpoints: explicit v1/auth prefix only (deny-by-default)
|
|
beforeFiles.push({
|
|
source: "/api/v1/auth/:path*",
|
|
destination: `${gatewayURL}/api/v1/auth/:path*`,
|
|
});
|
|
|
|
// LangGraph-compat: handled by route handler at /api/langgraph-compat/[...path]
|
|
// with allowlist, header sanitization, and timeout — no rewrite needed.
|
|
|
|
if (!process.env.NEXT_PUBLIC_BACKEND_BASE_URL) {
|
|
// Explicit gateway API prefixes (deny-by-default, no catch-all)
|
|
const GATEWAY_PREFIXES = [
|
|
"agents",
|
|
"models",
|
|
"threads",
|
|
"memory",
|
|
"skills",
|
|
"mcp",
|
|
];
|
|
for (const prefix of GATEWAY_PREFIXES) {
|
|
beforeFiles.push({
|
|
source: `/api/${prefix}`,
|
|
destination: `${gatewayURL}/api/${prefix}`,
|
|
});
|
|
beforeFiles.push({
|
|
source: `/api/${prefix}/:path*`,
|
|
destination: `${gatewayURL}/api/${prefix}/:path*`,
|
|
});
|
|
}
|
|
}
|
|
|
|
return { beforeFiles, afterFiles: [], fallback: [] };
|
|
},
|
|
};
|
|
|
|
export default withNextra(config);
|