furyhawk/deer-flow
1
0
Fork 0
mirror of https://github.com/bytedance/deer-flow.git synced 2026-05-22 07:56:48 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(auth): authentication module with multi-tenant isolation (RFC-001)

Browse Source 
Introduce an always-on auth layer with auto-created admin on first boot,
multi-tenant isolation for threads/stores, and a full setup/login flow.

Backend
- JWT access tokens with `ver` field for stale-token rejection; bump on
  password/email change
- Password hashing, HttpOnly+Secure cookies (Secure derived from request
  scheme at runtime)
- CSRF middleware covering both REST and LangGraph routes
- IP-based login rate limiting (5 attempts / 5-min lockout) with bounded
  dict growth and X-Forwarded-For bypass fix
- Multi-worker-safe admin auto-creation (single DB write, WAL once)
- needs_setup + token_version on User model; SQLite schema migration
- Thread/store isolation by owner; orphan thread migration on first admin
  registration
- thread_id validated as UUID to prevent log injection
- CLI tool to reset admin password
- Decorator-based authz module extracted from auth core

Frontend
- Login and setup pages with SSR guard for needs_setup flow
- Account settings page (change password / email)
- AuthProvider + route guards; skips redirect when no users registered
- i18n (en-US / zh-CN) for auth surfaces
- Typed auth API client; parseAuthError unwraps FastAPI detail envelope

Infra & tooling
- Unified `serve.sh` with gateway mode + auto dep install
- Public PyPI uv.toml pin for CI compatibility
- Regenerated uv.lock with public index

Tests
- HTTP vs HTTPS cookie security tests
- Auth middleware, rate limiter, CSRF, setup flow coverage
This commit is contained in:
greatmengqi
2026-04-08 00:31:43 +08:00
parent 636053fb6d
commit 27b66d6753
214 changed files with 18830 additions and 1065 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docker/nginx/nginx.conf
+21 -38
View File
@@ -18,21 +18,20 @@ http {
resolver 127.0.0.11 valid=10s ipv6=off;
# Upstream servers (using Docker service names)
# NOTE: add `resolve` so nginx re-resolves container IPs after restarts.
# Otherwise nginx may keep stale DNS results and proxy to the wrong container.
# NOTE: `zone` and `resolve` are nginx Plus-only features and are not
# available in the standard nginx:alpine image. Docker's internal DNS
# (127.0.0.11) handles service discovery; upstreams are resolved at
# nginx startup and remain valid for the lifetime of the deployment.
upstream gateway {
zone gateway 64k;
server gateway:8001 resolve;
server gateway:8001;
}
upstream langgraph {
zone langgraph 64k;
server langgraph:2024 resolve;
server ${LANGGRAPH_UPSTREAM};
}
upstream frontend {
zone frontend 64k;
server frontend:3000 resolve;
server frontend:3000;
}
# ── Main server (path-based routing) ─────────────────────────────────
@@ -58,9 +57,11 @@ http {
}
# LangGraph API routes
# Rewrites /api/langgraph/* to /* before proxying
# In standard mode: /api/langgraph/* → langgraph:2024 (rewrite to /*)
# In gateway mode: /api/langgraph/* → gateway:8001 (rewrite to /api/*)
# Controlled by LANGGRAPH_UPSTREAM and LANGGRAPH_REWRITE env vars.
location /api/langgraph/ {
rewrite ^/api/langgraph/(.*) /$1 break;
rewrite ^/api/langgraph/(.*) ${LANGGRAPH_REWRITE}$1 break;
proxy_pass http://langgraph;
proxy_http_version 1.1;
@@ -85,34 +86,6 @@ http {
chunked_transfer_encoding on;
}
# Experimental: Gateway-backed LangGraph-compatible API
# Frontend can opt-in via NEXT_PUBLIC_LANGGRAPH_BASE_URL=/api/langgraph-compat
location /api/langgraph-compat/ {
rewrite ^/api/langgraph-compat/(.*) /api/$1 break;
proxy_pass http://gateway;
proxy_http_version 1.1;
# Headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection '';
# SSE/Streaming support
proxy_buffering off;
proxy_cache off;
proxy_set_header X-Accel-Buffering no;
# Timeouts for long-running requests
proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;
# Chunked transfer encoding
chunked_transfer_encoding on;
}
# Custom API: Models endpoint
location /api/models {
proxy_pass http://gateway;
@@ -217,6 +190,16 @@ http {
proxy_set_header X-Forwarded-Proto $scheme;
}
# Auth API (gateway)
location /api/v1/auth/ {
proxy_pass http://gateway;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Health check endpoint (gateway)
location /health {
proxy_pass http://gateway;
docker/nginx/nginx.local.conf
+14 -4
View File
@@ -144,6 +144,16 @@ http {
proxy_set_header X-Forwarded-Proto $scheme;
}
# Auth API routes (served by gateway)
location /api/v1/auth/ {
proxy_pass http://gateway;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Custom API: Agents endpoint
location /api/agents {
proxy_pass http://gateway;
@@ -179,8 +189,8 @@ http {
}
# API Documentation: Swagger UI
location /docs {
proxy_pass http://gateway;
location /api/docs {
proxy_pass http://gateway/docs ;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -189,8 +199,8 @@ http {
}
# API Documentation: ReDoc
location /redoc {
proxy_pass http://gateway;
location /api/redoc {
proxy_pass http://gateway/redoc;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;