greatmengqi
27b66d6753
Introduce an always-on auth layer with auto-created admin on first boot, multi-tenant isolation for threads/stores, and a full setup/login flow. Backend - JWT access tokens with `ver` field for stale-token rejection; bump on password/email change - Password hashing, HttpOnly+Secure cookies (Secure derived from request scheme at runtime) - CSRF middleware covering both REST and LangGraph routes - IP-based login rate limiting (5 attempts / 5-min lockout) with bounded dict growth and X-Forwarded-For bypass fix - Multi-worker-safe admin auto-creation (single DB write, WAL once) - needs_setup + token_version on User model; SQLite schema migration - Thread/store isolation by owner; orphan thread migration on first admin registration - thread_id validated as UUID to prevent log injection - CLI tool to reset admin password - Decorator-based authz module extracted from auth core Frontend - Login and setup pages with SSR guard for needs_setup flow - Account settings page (change password / email) - AuthProvider + route guards; skips redirect when no users registered - i18n (en-US / zh-CN) for auth surfaces - Typed auth API client; parseAuthError unwraps FastAPI detail envelope Infra & tooling - Unified `serve.sh` with gateway mode + auto dep install - Public PyPI uv.toml pin for CI compatibility - Regenerated uv.lock with public index Tests - HTTP vs HTTPS cookie security tests - Auth middleware, rate limiter, CSRF, setup flow coverage
56 lines
1.7 KiB
Python
56 lines
1.7 KiB
Python
"""Authentication configuration for DeerFlow."""
|
|
|
|
import logging
|
|
import os
|
|
import secrets
|
|
|
|
from dotenv import load_dotenv
|
|
from pydantic import BaseModel, Field
|
|
|
|
load_dotenv()
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class AuthConfig(BaseModel):
|
|
"""JWT and auth-related configuration. Parsed once at startup."""
|
|
|
|
jwt_secret: str = Field(
|
|
...,
|
|
description="Secret key for JWT signing. MUST be set via AUTH_JWT_SECRET.",
|
|
)
|
|
token_expiry_days: int = Field(default=7, ge=1, le=30)
|
|
users_db_path: str | None = Field(
|
|
default=None,
|
|
description="Path to users SQLite DB. Defaults to .deer-flow/users.db",
|
|
)
|
|
oauth_github_client_id: str | None = Field(default=None)
|
|
oauth_github_client_secret: str | None = Field(default=None)
|
|
|
|
|
|
_auth_config: AuthConfig | None = None
|
|
|
|
|
|
def get_auth_config() -> AuthConfig:
|
|
"""Get the global AuthConfig instance. Parses from env on first call."""
|
|
global _auth_config
|
|
if _auth_config is None:
|
|
jwt_secret = os.environ.get("AUTH_JWT_SECRET")
|
|
if not jwt_secret:
|
|
jwt_secret = secrets.token_urlsafe(32)
|
|
os.environ["AUTH_JWT_SECRET"] = jwt_secret
|
|
logger.warning(
|
|
"⚠ AUTH_JWT_SECRET is not set — using an auto-generated ephemeral secret. "
|
|
"Sessions will be invalidated on restart. "
|
|
"For production, add AUTH_JWT_SECRET to your .env file: "
|
|
'python -c "import secrets; print(secrets.token_urlsafe(32))"'
|
|
)
|
|
_auth_config = AuthConfig(jwt_secret=jwt_secret)
|
|
return _auth_config
|
|
|
|
|
|
def set_auth_config(config: AuthConfig) -> None:
|
|
"""Set the global AuthConfig instance (for testing)."""
|
|
global _auth_config
|
|
_auth_config = config
|