third/dify-plus
1
0
Fork 0
mirror of https://github.com/YFGaia/dify-plus.git synced 2026-06-04 10:14:00 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
f814fb39f1f6049c74bfdf567b2641fea0f5bfa7
dify-plus/api/libs/oauth.py
T
npc0-hue 17832f2424 fix: Dify 1.8.1问题修复 
本次提交整合了多个功能改进和问题修复:

主要功能:
- 批量工作流处理功能完善,支持 Excel 上传和进度跟踪
- 管理中心反向代理和转发配置优化
- 用户同步添加互斥锁,防止并发问题
- 计费系统和额度显示优化
- AI 绘图功能扩展

前端改进:
- 文本生成应用显示修复
- 批量任务进度展示优化
- 按钮样式和 CSS 优化,禁止换行
- 多语言支持完善(新增印尼语等)
- 构建镜像逻辑优化
- 批量处理进度管理器实现

后端改进:
- Docker Compose 配置升级
- 队列任务和 Worker Pool 优化
- Admin API 初始化和验证逻辑改进
- 数据库迁移和初始化完善
- 静态变量处理优化
- URL 签名助手实现
- Celery 扩展优化
- 代码和导入包问题修复(idea 自动调整代码位置)

技术改进:
- 兼容性修复 (flask-restx, jschardet)
- 钉钉 Web API 版本更新
- 代码格式化和导入包问题修复
- 日志处理优化
- 工作流循环管理优化

Docker 相关:
- Nginx 配置更新
- 容器启动脚本优化
- 镜像构建流程改进
- docker-compose.dify-plus.yaml 大幅更新

管理后台:
- 工作流批量处理 API 实现
- 工作池初始化
- 批量工作流服务实现
- 转发扩展配置
- 用户服务扩展
2025-10-17 23:04:25 +08:00

354 lines
13 KiB
Python
Raw Blame History

import json
import urllib.parse
from dataclasses import dataclass
from typing import Optional
import requests
from configs import dify_config # Extend OAuto third-party login
from extensions.ext_database import db # Extend OAuto third-party login
from models.system_extend import SystemIntegrationClassify, SystemIntegrationExtend # Extend OAuto third-party login
@dataclass
class OAuthUserInfo:
id: str
name: str
email: str
class OAuth:
def __init__(self, client_id: str, client_secret: str, redirect_uri: str):
self.client_id = client_id
self.client_secret = client_secret
self.redirect_uri = redirect_uri
def get_authorization_url(self):
raise NotImplementedError()
def get_access_token(self, code: str):
raise NotImplementedError()
def get_raw_user_info(self, token: str):
raise NotImplementedError()
def get_user_info(self, token: str) -> OAuthUserInfo:
raw_info = self.get_raw_user_info(token)
return self._transform_user_info(raw_info)
def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
raise NotImplementedError()
class GitHubOAuth(OAuth):
_AUTH_URL = "https://github.com/login/oauth/authorize"
_TOKEN_URL = "https://github.com/login/oauth/access_token"
_USER_INFO_URL = "https://api.github.com/user"
_EMAIL_INFO_URL = "https://api.github.com/user/emails"
def get_authorization_url(self, invite_token: Optional[str] = None):
params = {
"client_id": self.client_id,
"redirect_uri": self.redirect_uri,
"scope": "user:email", # Request only basic user information
}
if invite_token:
params["state"] = invite_token
return f"{self._AUTH_URL}?{urllib.parse.urlencode(params)}"
def get_access_token(self, code: str):
data = {
"client_id": self.client_id,
"client_secret": self.client_secret,
"code": code,
"redirect_uri": self.redirect_uri,
}
headers = {"Accept": "application/json"}
response = requests.post(self._TOKEN_URL, data=data, headers=headers)
response_json = response.json()
access_token = response_json.get("access_token")
if not access_token:
raise ValueError(f"Error in GitHub OAuth: {response_json}")
return access_token
def get_raw_user_info(self, token: str):
headers = {"Authorization": f"token {token}"}
response = requests.get(self._USER_INFO_URL, headers=headers)
response.raise_for_status()
user_info = response.json()
email_response = requests.get(self._EMAIL_INFO_URL, headers=headers)
email_info = email_response.json()
primary_email: dict = next((email for email in email_info if email["primary"] == True), {})
return {**user_info, "email": primary_email.get("email", "")}
def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
email = raw_info.get("email")
if not email:
email = f"{raw_info['id']}+{raw_info['login']}@users.noreply.github.com"
return OAuthUserInfo(id=str(raw_info["id"]), name=raw_info["name"], email=email)
class GoogleOAuth(OAuth):
_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
_TOKEN_URL = "https://oauth2.googleapis.com/token"
_USER_INFO_URL = "https://www.googleapis.com/oauth2/v3/userinfo"
def get_authorization_url(self, invite_token: Optional[str] = None):
params = {
"client_id": self.client_id,
"response_type": "code",
"redirect_uri": self.redirect_uri,
"scope": "openid email",
}
if invite_token:
params["state"] = invite_token
return f"{self._AUTH_URL}?{urllib.parse.urlencode(params)}"
def get_access_token(self, code: str):
data = {
"client_id": self.client_id,
"client_secret": self.client_secret,
"code": code,
"grant_type": "authorization_code",
"redirect_uri": self.redirect_uri,
}
headers = {"Accept": "application/json"}
response = requests.post(self._TOKEN_URL, data=data, headers=headers)
response_json = response.json()
access_token = response_json.get("access_token")
if not access_token:
raise ValueError(f"Error in Google OAuth: {response_json}")
return access_token
def get_raw_user_info(self, token: str):
headers = {"Authorization": f"Bearer {token}"}
response = requests.get(self._USER_INFO_URL, headers=headers)
response.raise_for_status()
return response.json()
def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
return OAuthUserInfo(id=str(raw_info["sub"]), name="", email=raw_info["email"])
# Extend Start: OAuth2
class OaOAuth(OAuth):
def _is_absolute_url(self, url: str) -> bool:
return isinstance(url, str) and (url.startswith("http://") or url.startswith("https://"))
def _join_url(self, base: str, path_or_url: str) -> str:
if not path_or_url:
return ""
if self._is_absolute_url(path_or_url):
return path_or_url
return f"{base}{path_or_url}"
def _resolve_endpoints(self, config: dict) -> dict:
"""
Resolve authorize/token/userinfo endpoints from config or OIDC discovery.
"""
if not isinstance(config, dict):
return {}
server_url = config.get('server_url') or ''
authorize_url = config.get('authorize_url') or ''
token_url = config.get('token_url') or ''
userinfo_url = config.get('userinfo_url') or ''
discovery_url = config.get('discovery_url') or ''
# If any endpoint missing and discovery available, fetch
if discovery_url and (not authorize_url or not token_url or not userinfo_url):
try:
discover_full = self._join_url(server_url, discovery_url)
resp = requests.get(discover_full, timeout=10)
if resp.ok:
data = resp.json()
authorize_url = authorize_url or data.get('authorization_endpoint', '')
token_url = token_url or data.get('token_endpoint', '')
userinfo_url = userinfo_url or data.get('userinfo_endpoint', '')
except Exception:
pass
return {
'authorize_url': self._join_url(server_url, authorize_url),
'token_url': self._join_url(server_url, token_url),
'userinfo_url': self._join_url(server_url, userinfo_url),
}
def get_auto2_conf(self):
# oauth start
integration = db.session.query(SystemIntegrationExtend).filter(
SystemIntegrationExtend.classify == SystemIntegrationClassify.SYSTEM_INTEGRATION_OAUTH_TWO).first()
if integration is None or (integration and not integration.status):
return {
"integration": integration,
"config": {},
"passwd": ""
}
return {
"integration": integration,
"passwd": integration.decodeSecret(),
"config": json.loads(integration.config)
}
def extract_data(self, dictionary, path):
"""
从字典中提取指定路径的数据
支持通配符'*'获取列表中所有元素的特定字段
Args:
dictionary (dict): 源字典
path (str): 以点分隔的路径,如 "data.info.name""data.items.*.name"
Returns:
提取的数据
"""
parts = path.split('.')
current = dictionary
for i, part in enumerate(parts):
if part == '*' and isinstance(current, list):
# 处理列表中的每个元素
remainder = '.'.join(parts[i + 1:])
if remainder:
return [self.extract_data(item, remainder) for item in current]
else:
return current
elif isinstance(current, dict) and part in current:
current = current[part]
else:
return None
return current
def get_authorization_url(self, invite_token: Optional[str] = None):
auto2_conf = self.get_auto2_conf()
integration = auto2_conf.get('integration')
if integration is None:
return
# 构建查询参数
config = auto2_conf.get('config')
params = {
'response_type': 'code',
'redirect_uri': dify_config.CONSOLE_API_URL + "/console/api/oauth/authorize/oauth2",
'client_id': integration.app_id,
# 重要:未设置 scope 时,Casdoor /api/userinfo 仅返回 openid 最小字段
# 从配置读取 scope,默认请求更完整的信息
'scope': (config.get('scope') if isinstance(config, dict) and config.get('scope') else 'openid profile email'),
}
if invite_token:
params['state'] = invite_token
query_string = urllib.parse.urlencode(params)
endpoints = self._resolve_endpoints(config)
auth_url = endpoints.get('authorize_url')
return f"{auth_url}?{query_string}"
def get_access_token(self, code: str):
auto2_conf = self.get_auto2_conf()
integration = auto2_conf.get('integration')
if integration is None:
return ""
config = auto2_conf.get('config')
endpoints = self._resolve_endpoints(config)
token_url = endpoints.get('token_url')
token_auth_method = str(config.get('token_auth_method') or '').strip().lower()
use_basic = token_auth_method == 'client_secret_basic'
# 构建请求
data = {
"grant_type": "authorization_code",
"code": code,
"redirect_uri": dify_config.CONSOLE_API_URL + "/console/api/oauth/authorize/oauth2",
}
headers = {"Accept": "application/json"}
if use_basic:
auth = (integration.app_id, auto2_conf.get('passwd'))
else:
data.update({
"client_id": integration.app_id,
"client_secret": auto2_conf.get('passwd'),
})
auth = None
if not code:
return ""
response = requests.post(token_url, data=data, headers=headers, auth=auth)
response.encoding = "utf-8"
if response.status_code != 200:
return ""
try:
response_json = response.json()
except:
return ""
access_token = response_json.get("access_token")
return access_token
def get_raw_user_info(self, token: str):
auto2_conf = self.get_auto2_conf()
if auto2_conf.get('integration') is None:
return ""
config = auto2_conf.get('config')
endpoints = self._resolve_endpoints(config)
headers = {"Authorization": f"Bearer {token}"}
userinfo_url = endpoints.get('userinfo_url')
response = requests.get(userinfo_url, headers=headers)
response.raise_for_status()
return response.json()
def _transform_user_info(self, raw_info: dict) -> OAuthUserInfo:
# 检查 raw_info 是否为空或为 None
auto2_conf = self.get_auto2_conf()
if not raw_info or not isinstance(raw_info, dict) or auto2_conf.get('integration') is None:
return OAuthUserInfo(
id="",
name="",
email="",
)
# 提取参数(更健壮:支持点分路径、扁平键名和标准 OIDC 兜底)
config = auto2_conf.get('config')
name_field = config.get('user_name_field') if isinstance(config, dict) else None
email_field = config.get('user_email_field') if isinstance(config, dict) else None
id_field = config.get('user_id_field') if isinstance(config, dict) else None
# 首选:按配置路径提取
name = self.extract_data(raw_info, name_field) if name_field else None
email = self.extract_data(raw_info, email_field) if email_field else None
username = self.extract_data(raw_info, id_field) if id_field else None
# 如果配置为 data.name 但返回是扁平结构,尝试最后一级键名
if name is None and isinstance(name_field, str) and '.' in name_field:
name = raw_info.get(name_field.split('.')[-1])
if email is None and isinstance(email_field, str) and '.' in email_field:
email = raw_info.get(email_field.split('.')[-1])
if username is None and isinstance(id_field, str) and '.' in id_field:
username = raw_info.get(id_field.split('.')[-1])
# OIDC 常见字段兜底
if username is None:
username = raw_info.get('sub') or raw_info.get('preferred_username') or raw_info.get('id') or raw_info.get('user_id')
if name is None:
name = raw_info.get('name') or raw_info.get('preferred_username')
if email is None:
email = raw_info.get('email')
if not username:
raise ValueError("OAuth2返回用户数据格式不正确。请检查相关配置是否正确。响应信息为:" + str(raw_info))
return OAuthUserInfo(
id=str(username) if username is not None else None,
name=str(name) if name is not None else None,
email=str(email) if email is not None else None,
)
# Extend Stop: OAuth
Reference in New Issue View Git Blame Copy Permalink