feat(auth): authentication module with multi-tenant isolation (RFC-001)

Introduce an always-on auth layer with auto-created admin on first boot, multi-tenant isolation for threads/stores, and a full setup/login flow. Backend - JWT access tokens with `ver` field for stale-token rejection; bump on password/email change - Password hashing, HttpOnly+Secure cookies (Secure derived from request scheme at runtime) - CSRF middleware covering both REST and LangGraph routes - IP-based login rate limiting (5 attempts / 5-min lockout) with bounded dict growth and X-Forwarded-For bypass fix - Multi-worker-safe admin auto-creation (single DB write, WAL once) - needs_setup + token_version on User model; SQLite schema migration - Thread/store isolation by owner; orphan thread migration on first admin registration - thread_id validated as UUID to prevent log injection - CLI tool to reset admin password - Decorator-based authz module extracted from auth core Frontend - Login and setup pages with SSR guard for needs_setup flow - Account settings page (change password / email) - AuthProvider + route guards; skips redirect when no users registered - i18n (en-US / zh-CN) for auth surfaces - Typed auth API client; parseAuthError unwraps FastAPI detail envelope Infra & tooling - Unified `serve.sh` with gateway mode + auto dep install - Public PyPI uv.toml pin for CI compatibility - Regenerated uv.lock with public index Tests - HTTP vs HTTPS cookie security tests - Auth middleware, rate limiter, CSRF, setup flow coverage
2026-05-20 23:21:06 +00:00 · 2026-04-08 00:31:43 +08:00
parent 636053fb6d
commit 27b66d6753
214 changed files with 18830 additions and 1065 deletions
@@ -148,9 +148,18 @@ init() {
 }

 # Start Docker development environment
+# Usage: start [--gateway]
 start() {
    local sandbox_mode
    local services
+    local gateway_mode=false
+
+    # Check for --gateway flag
+    for arg in "$@"; do
+        if [ "$arg" = "--gateway" ]; then
+            gateway_mode=true
+        fi
+    done

    echo "=========================================="
    echo "  Starting DeerFlow Docker Development"
@@ -159,12 +168,21 @@ start() {

    sandbox_mode="$(detect_sandbox_mode)"

-    if [ "$sandbox_mode" = "provisioner" ]; then
-        services="frontend gateway langgraph provisioner nginx"
+    if $gateway_mode; then
+        services="frontend gateway nginx"
+        if [ "$sandbox_mode" = "provisioner" ]; then
+            services="frontend gateway provisioner nginx"
+        fi
    else
        services="frontend gateway langgraph nginx"
+        if [ "$sandbox_mode" = "provisioner" ]; then
+            services="frontend gateway langgraph provisioner nginx"
+        fi
    fi

+    if $gateway_mode; then
+        echo -e "${BLUE}Runtime: Gateway mode (experimental) — no LangGraph container${NC}"
+    fi
    echo -e "${BLUE}Detected sandbox mode: $sandbox_mode${NC}"
    if [ "$sandbox_mode" = "provisioner" ]; then
        echo -e "${BLUE}Provisioner enabled (Kubernetes mode).${NC}"
@@ -213,6 +231,12 @@ start() {
        fi
    fi

+    # Set nginx routing for gateway mode (envsubst in nginx container)
+    if $gateway_mode; then
+        export LANGGRAPH_UPSTREAM=gateway:8001
+        export LANGGRAPH_REWRITE=/api/
+    fi
+
    echo "Building and starting containers..."
    cd "$DOCKER_DIR" && $COMPOSE_CMD up --build -d --remove-orphans $services
    echo ""
@@ -222,7 +246,12 @@ start() {
    echo ""
    echo "  🌐 Application: http://localhost:2026"
    echo "  📡 API Gateway: http://localhost:2026/api/*"
-    echo "  🤖 LangGraph:   http://localhost:2026/api/langgraph/*"
+    if $gateway_mode; then
+        echo "  🤖 Runtime:     Gateway embedded"
+        echo "  API:            /api/langgraph/* → Gateway (compat)"
+    else
+        echo "  🤖 LangGraph:   http://localhost:2026/api/langgraph/*"
+    fi
    echo ""
    echo "  📋 View logs: make docker-logs"
    echo "  🛑 Stop:      make docker-stop"
@@ -300,9 +329,10 @@ help() {
    echo "Usage: $0 <command> [options]"
    echo ""
    echo "Commands:"
-    echo "  init          - Pull the sandbox image (speeds up first Pod startup)"
-    echo "  start         - Start Docker services (auto-detects sandbox mode from config.yaml)"
-    echo "  restart       - Restart all running Docker services"
+    echo "  init              - Pull the sandbox image (speeds up first Pod startup)"
+    echo "  start             - Start Docker services (auto-detects sandbox mode from config.yaml)"
+    echo "  start --gateway   - Start without LangGraph container (Gateway mode, experimental)"
+    echo "  restart           - Restart all running Docker services"
    echo "  logs [option] - View Docker development logs"
    echo "                  --frontend   View frontend logs only"
    echo "                  --gateway    View gateway logs only"
@@ -320,7 +350,8 @@ main() {
            init
            ;;
        start)
-            start
+            shift
+            start "$@"
            ;;
        restart)
            restart