furyhawk/deer-flow
1
0
Fork 0
mirror of https://github.com/bytedance/deer-flow.git synced 2026-05-21 23:46:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(auth): authentication module with multi-tenant isolation (RFC-001)

Browse Source 
Introduce an always-on auth layer with auto-created admin on first boot,
multi-tenant isolation for threads/stores, and a full setup/login flow.

Backend
- JWT access tokens with `ver` field for stale-token rejection; bump on
  password/email change
- Password hashing, HttpOnly+Secure cookies (Secure derived from request
  scheme at runtime)
- CSRF middleware covering both REST and LangGraph routes
- IP-based login rate limiting (5 attempts / 5-min lockout) with bounded
  dict growth and X-Forwarded-For bypass fix
- Multi-worker-safe admin auto-creation (single DB write, WAL once)
- needs_setup + token_version on User model; SQLite schema migration
- Thread/store isolation by owner; orphan thread migration on first admin
  registration
- thread_id validated as UUID to prevent log injection
- CLI tool to reset admin password
- Decorator-based authz module extracted from auth core

Frontend
- Login and setup pages with SSR guard for needs_setup flow
- Account settings page (change password / email)
- AuthProvider + route guards; skips redirect when no users registered
- i18n (en-US / zh-CN) for auth surfaces
- Typed auth API client; parseAuthError unwraps FastAPI detail envelope

Infra & tooling
- Unified `serve.sh` with gateway mode + auto dep install
- Public PyPI uv.toml pin for CI compatibility
- Regenerated uv.lock with public index

Tests
- HTTP vs HTTPS cookie security tests
- Auth middleware, rate limiter, CSRF, setup flow coverage
This commit is contained in:
greatmengqi
2026-04-08 00:31:43 +08:00
parent 636053fb6d
commit 27b66d6753
214 changed files with 18830 additions and 1065 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/start-daemon.sh
+4 -135
View File
@@ -1,140 +1,9 @@
#!/usr/bin/env bash
#
# start-daemon.sh - Start all DeerFlow development services in daemon mode
# start-daemon.sh Start DeerFlow in daemon (background) mode
#
# This script starts DeerFlow services in the background without keeping
# the terminal connection. Logs are written to separate files.
#
# Must be run from the repo root directory.
set -e
# Thin wrapper around serve.sh --daemon.
# Kept for backward compatibility.
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$REPO_ROOT"
# ── Stop existing services ────────────────────────────────────────────────────
echo "Stopping existing services if any..."
pkill -f "langgraph dev" 2>/dev/null || true
pkill -f "uvicorn app.gateway.app:app" 2>/dev/null || true
pkill -f "next dev" 2>/dev/null || true
nginx -c "$REPO_ROOT/docker/nginx/nginx.local.conf" -p "$REPO_ROOT" -s quit 2>/dev/null || true
sleep 1
pkill -9 nginx 2>/dev/null || true
./scripts/cleanup-containers.sh deer-flow-sandbox 2>/dev/null || true
sleep 1
# ── Banner ────────────────────────────────────────────────────────────────────
echo ""
echo "=========================================="
echo " Starting DeerFlow in Daemon Mode"
echo "=========================================="
echo ""
# ── Config check ─────────────────────────────────────────────────────────────
if ! { \
[ -n "$DEER_FLOW_CONFIG_PATH" ] && [ -f "$DEER_FLOW_CONFIG_PATH" ] || \
[ -f backend/config.yaml ] || \
[ -f config.yaml ]; \
}; then
echo "✗ No DeerFlow config file found."
echo " Checked these locations:"
echo " - $DEER_FLOW_CONFIG_PATH (when DEER_FLOW_CONFIG_PATH is set)"
echo " - backend/config.yaml"
echo " - ./config.yaml"
echo ""
echo " Run 'make config' from the repo root to generate ./config.yaml, then set required model API keys in .env or your config file."
exit 1
fi
# ── Auto-upgrade config ──────────────────────────────────────────────────
"$REPO_ROOT/scripts/config-upgrade.sh"
# ── Cleanup on failure ───────────────────────────────────────────────────────
cleanup_on_failure() {
echo "Failed to start services, cleaning up..."
pkill -f "langgraph dev" 2>/dev/null || true
pkill -f "uvicorn app.gateway.app:app" 2>/dev/null || true
pkill -f "next dev" 2>/dev/null || true
nginx -c "$REPO_ROOT/docker/nginx/nginx.local.conf" -p "$REPO_ROOT" -s quit 2>/dev/null || true
sleep 1
pkill -9 nginx 2>/dev/null || true
echo "✓ Cleanup complete"
}
trap cleanup_on_failure INT TERM
# ── Start services ────────────────────────────────────────────────────────────
mkdir -p logs
mkdir -p temp/client_body_temp temp/proxy_temp temp/fastcgi_temp temp/uwsgi_temp temp/scgi_temp
echo "Starting LangGraph server..."
nohup sh -c 'cd backend && NO_COLOR=1 uv run langgraph dev --no-browser --allow-blocking --no-reload > ../logs/langgraph.log 2>&1' &
./scripts/wait-for-port.sh 2024 60 "LangGraph" || {
echo "✗ LangGraph failed to start. Last log output:"
tail -60 logs/langgraph.log
if grep -qE "config_version|outdated|Environment variable .* not found|KeyError|ValidationError|config\.yaml" logs/langgraph.log 2>/dev/null; then
echo ""
echo " Hint: This may be a configuration issue. Try running 'make config-upgrade' to update your config.yaml."
fi
cleanup_on_failure
exit 1
}
echo "✓ LangGraph server started on localhost:2024"
echo "Starting Gateway API..."
nohup sh -c 'cd backend && PYTHONPATH=. uv run uvicorn app.gateway.app:app --host 0.0.0.0 --port 8001 > ../logs/gateway.log 2>&1' &
./scripts/wait-for-port.sh 8001 30 "Gateway API" || {
echo "✗ Gateway API failed to start. Last log output:"
tail -60 logs/gateway.log
echo ""
echo " Hint: Try running 'make config-upgrade' to update your config.yaml with the latest fields."
cleanup_on_failure
exit 1
}
echo "✓ Gateway API started on localhost:8001"
echo "Starting Frontend..."
nohup sh -c 'cd frontend && pnpm run dev > ../logs/frontend.log 2>&1' &
./scripts/wait-for-port.sh 3000 120 "Frontend" || {
echo "✗ Frontend failed to start. Last log output:"
tail -60 logs/frontend.log
cleanup_on_failure
exit 1
}
echo "✓ Frontend started on localhost:3000"
echo "Starting Nginx reverse proxy..."
nohup sh -c 'nginx -g "daemon off;" -c "$1/docker/nginx/nginx.local.conf" -p "$1" > logs/nginx.log 2>&1' _ "$REPO_ROOT" &
./scripts/wait-for-port.sh 2026 10 "Nginx" || {
echo "✗ Nginx failed to start. Last log output:"
tail -60 logs/nginx.log
cleanup_on_failure
exit 1
}
echo "✓ Nginx started on localhost:2026"
# ── Ready ─────────────────────────────────────────────────────────────────────
echo ""
echo "=========================================="
echo " DeerFlow is running in daemon mode!"
echo "=========================================="
echo ""
echo " 🌐 Application: http://localhost:2026"
echo " 📡 API Gateway: http://localhost:2026/api/*"
echo " 🤖 LangGraph: http://localhost:2026/api/langgraph/*"
echo ""
echo " 📋 Logs:"
echo " - LangGraph: logs/langgraph.log"
echo " - Gateway: logs/gateway.log"
echo " - Frontend: logs/frontend.log"
echo " - Nginx: logs/nginx.log"
echo ""
echo " 🛑 Stop daemon: make stop"
echo ""
exec "$REPO_ROOT/scripts/serve.sh" --dev --daemon "$@"