greatmengqi
4b139fb689
Add request-scoped contextvar-based owner filtering to threads_meta,
runs, run_events, and feedback repositories. Router code is unchanged
— isolation is enforced at the storage layer so that any caller that
forgets to pass owner_id still gets filtered results, and new routes
cannot accidentally leak data.
Core infrastructure
-------------------
- deerflow/runtime/user_context.py (new):
- ContextVar[CurrentUser | None] with default None
- runtime_checkable CurrentUser Protocol (structural subtype with .id)
- set/reset/get/require helpers
- AUTO sentinel + resolve_owner_id(value, method_name) for sentinel
three-state resolution: AUTO reads contextvar, explicit str
overrides, explicit None bypasses the filter (for migration/CLI)
Repository changes
------------------
- ThreadMetaRepository: create/get/search/update_*/delete gain
owner_id=AUTO kwarg; read paths filter by owner, writes stamp it,
mutations check ownership before applying
- RunRepository: put/get/list_by_thread/delete gain owner_id=AUTO kwarg
- FeedbackRepository: create/get/list_by_run/list_by_thread/delete
gain owner_id=AUTO kwarg
- DbRunEventStore: list_messages/list_events/list_messages_by_run/
count_messages/delete_by_thread/delete_by_run gain owner_id=AUTO
kwarg. Write paths (put/put_batch) read contextvar softly: when a
request-scoped user is available, owner_id is stamped; background
worker writes without a user context pass None which is valid
(orphan row to be bound by migration)
Schema
------
- persistence/models/run_event.py: RunEventRow.owner_id = Mapped[
str | None] = mapped_column(String(64), nullable=True, index=True)
- No alembic migration needed: 2.0 ships fresh, Base.metadata.create_all
picks up the new column automatically
Middleware
----------
- auth_middleware.py: after cookie check, call get_optional_user_from_
request to load the real User, stamp it into request.state.user AND
the contextvar via set_current_user, reset in a try/finally. Public
paths and unauthenticated requests continue without contextvar, and
@require_auth handles the strict 401 path
Test infrastructure
-------------------
- tests/conftest.py: @pytest.fixture(autouse=True) _auto_user_context
sets a default SimpleNamespace(id="test-user-autouse") on every test
unless marked @pytest.mark.no_auto_user. Keeps existing 20+
persistence tests passing without modification
- pyproject.toml [tool.pytest.ini_options]: register no_auto_user
marker so pytest does not emit warnings for opt-out tests
- tests/test_user_context.py: 6 tests covering three-state semantics,
Protocol duck typing, and require/optional APIs
- tests/test_thread_meta_repo.py: one test updated to pass owner_id=
None explicitly where it was previously relying on the old default
Test results
------------
- test_user_context.py: 6 passed
- test_auth*.py + test_langgraph_auth.py + test_ensure_admin.py: 127
- test_run_event_store / test_run_repository / test_thread_meta_repo
/ test_feedback: 92 passed
- Full backend suite: 1905 passed, 2 failed (both @requires_llm flaky
integration tests unrelated to auth), 1 skipped
208 lines
8.4 KiB
Python
208 lines
8.4 KiB
Python
"""SQLAlchemy-backed thread metadata repository."""
|
|
|
|
from __future__ import annotations
|
|
|
|
from datetime import UTC, datetime
|
|
from typing import Any
|
|
|
|
from sqlalchemy import select, update
|
|
from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker
|
|
|
|
from deerflow.persistence.thread_meta.base import ThreadMetaStore
|
|
from deerflow.persistence.thread_meta.model import ThreadMetaRow
|
|
from deerflow.runtime.user_context import AUTO, _AutoSentinel, resolve_owner_id
|
|
|
|
|
|
class ThreadMetaRepository(ThreadMetaStore):
|
|
def __init__(self, session_factory: async_sessionmaker[AsyncSession]) -> None:
|
|
self._sf = session_factory
|
|
|
|
@staticmethod
|
|
def _row_to_dict(row: ThreadMetaRow) -> dict[str, Any]:
|
|
d = row.to_dict()
|
|
d["metadata"] = d.pop("metadata_json", {})
|
|
for key in ("created_at", "updated_at"):
|
|
val = d.get(key)
|
|
if isinstance(val, datetime):
|
|
d[key] = val.isoformat()
|
|
return d
|
|
|
|
async def create(
|
|
self,
|
|
thread_id: str,
|
|
*,
|
|
assistant_id: str | None = None,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
display_name: str | None = None,
|
|
metadata: dict | None = None,
|
|
) -> dict:
|
|
# Auto-resolve owner_id from contextvar when AUTO; explicit None
|
|
# creates an orphan row (used by migration scripts).
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="ThreadMetaRepository.create")
|
|
now = datetime.now(UTC)
|
|
row = ThreadMetaRow(
|
|
thread_id=thread_id,
|
|
assistant_id=assistant_id,
|
|
owner_id=resolved_owner_id,
|
|
display_name=display_name,
|
|
metadata_json=metadata or {},
|
|
created_at=now,
|
|
updated_at=now,
|
|
)
|
|
async with self._sf() as session:
|
|
session.add(row)
|
|
await session.commit()
|
|
await session.refresh(row)
|
|
return self._row_to_dict(row)
|
|
|
|
async def get(
|
|
self,
|
|
thread_id: str,
|
|
*,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
) -> dict | None:
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="ThreadMetaRepository.get")
|
|
async with self._sf() as session:
|
|
row = await session.get(ThreadMetaRow, thread_id)
|
|
if row is None:
|
|
return None
|
|
# Enforce owner filter unless explicitly bypassed (owner_id=None).
|
|
if resolved_owner_id is not None and row.owner_id != resolved_owner_id:
|
|
return None
|
|
return self._row_to_dict(row)
|
|
|
|
async def list_by_owner(self, owner_id: str, *, limit: int = 100, offset: int = 0) -> list[dict]:
|
|
stmt = select(ThreadMetaRow).where(ThreadMetaRow.owner_id == owner_id).order_by(ThreadMetaRow.updated_at.desc()).limit(limit).offset(offset)
|
|
async with self._sf() as session:
|
|
result = await session.execute(stmt)
|
|
return [self._row_to_dict(r) for r in result.scalars()]
|
|
|
|
async def check_access(self, thread_id: str, owner_id: str) -> bool:
|
|
"""Check if owner_id has access to thread_id.
|
|
|
|
Returns True if: row doesn't exist (untracked thread), owner_id
|
|
is None on the row (shared thread), or owner_id matches.
|
|
"""
|
|
async with self._sf() as session:
|
|
row = await session.get(ThreadMetaRow, thread_id)
|
|
if row is None:
|
|
return True
|
|
if row.owner_id is None:
|
|
return True
|
|
return row.owner_id == owner_id
|
|
|
|
async def search(
|
|
self,
|
|
*,
|
|
metadata: dict | None = None,
|
|
status: str | None = None,
|
|
limit: int = 100,
|
|
offset: int = 0,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
) -> list[dict]:
|
|
"""Search threads with optional metadata and status filters.
|
|
|
|
Owner filter is enforced by default: caller must be in a user
|
|
context. Pass ``owner_id=None`` to bypass (migration/CLI).
|
|
"""
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="ThreadMetaRepository.search")
|
|
stmt = select(ThreadMetaRow).order_by(ThreadMetaRow.updated_at.desc())
|
|
if resolved_owner_id is not None:
|
|
stmt = stmt.where(ThreadMetaRow.owner_id == resolved_owner_id)
|
|
if status:
|
|
stmt = stmt.where(ThreadMetaRow.status == status)
|
|
|
|
if metadata:
|
|
# When metadata filter is active, fetch a larger window and filter
|
|
# in Python. TODO(Phase 2): use JSON DB operators (Postgres @>,
|
|
# SQLite json_extract) for server-side filtering.
|
|
stmt = stmt.limit(limit * 5 + offset)
|
|
async with self._sf() as session:
|
|
result = await session.execute(stmt)
|
|
rows = [self._row_to_dict(r) for r in result.scalars()]
|
|
rows = [r for r in rows if all(r.get("metadata", {}).get(k) == v for k, v in metadata.items())]
|
|
return rows[offset : offset + limit]
|
|
else:
|
|
stmt = stmt.limit(limit).offset(offset)
|
|
async with self._sf() as session:
|
|
result = await session.execute(stmt)
|
|
return [self._row_to_dict(r) for r in result.scalars()]
|
|
|
|
async def _check_ownership(self, session: AsyncSession, thread_id: str, resolved_owner_id: str | None) -> bool:
|
|
"""Return True if the row exists and is owned (or filter bypassed)."""
|
|
if resolved_owner_id is None:
|
|
return True # explicit bypass
|
|
row = await session.get(ThreadMetaRow, thread_id)
|
|
return row is not None and row.owner_id == resolved_owner_id
|
|
|
|
async def update_display_name(
|
|
self,
|
|
thread_id: str,
|
|
display_name: str,
|
|
*,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
) -> None:
|
|
"""Update the display_name (title) for a thread."""
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="ThreadMetaRepository.update_display_name")
|
|
async with self._sf() as session:
|
|
if not await self._check_ownership(session, thread_id, resolved_owner_id):
|
|
return
|
|
await session.execute(update(ThreadMetaRow).where(ThreadMetaRow.thread_id == thread_id).values(display_name=display_name, updated_at=datetime.now(UTC)))
|
|
await session.commit()
|
|
|
|
async def update_status(
|
|
self,
|
|
thread_id: str,
|
|
status: str,
|
|
*,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
) -> None:
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="ThreadMetaRepository.update_status")
|
|
async with self._sf() as session:
|
|
if not await self._check_ownership(session, thread_id, resolved_owner_id):
|
|
return
|
|
await session.execute(update(ThreadMetaRow).where(ThreadMetaRow.thread_id == thread_id).values(status=status, updated_at=datetime.now(UTC)))
|
|
await session.commit()
|
|
|
|
async def update_metadata(
|
|
self,
|
|
thread_id: str,
|
|
metadata: dict,
|
|
*,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
) -> None:
|
|
"""Merge ``metadata`` into ``metadata_json``.
|
|
|
|
Read-modify-write inside a single session/transaction so concurrent
|
|
callers see consistent state. No-op if the row does not exist or
|
|
the owner_id check fails.
|
|
"""
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="ThreadMetaRepository.update_metadata")
|
|
async with self._sf() as session:
|
|
row = await session.get(ThreadMetaRow, thread_id)
|
|
if row is None:
|
|
return
|
|
if resolved_owner_id is not None and row.owner_id != resolved_owner_id:
|
|
return
|
|
merged = dict(row.metadata_json or {})
|
|
merged.update(metadata)
|
|
row.metadata_json = merged
|
|
row.updated_at = datetime.now(UTC)
|
|
await session.commit()
|
|
|
|
async def delete(
|
|
self,
|
|
thread_id: str,
|
|
*,
|
|
owner_id: "str | None | _AutoSentinel" = AUTO,
|
|
) -> None:
|
|
resolved_owner_id = resolve_owner_id(owner_id, method_name="ThreadMetaRepository.delete")
|
|
async with self._sf() as session:
|
|
row = await session.get(ThreadMetaRow, thread_id)
|
|
if row is None:
|
|
return
|
|
if resolved_owner_id is not None and row.owner_id != resolved_owner_id:
|
|
return
|
|
await session.delete(row)
|
|
await session.commit()
|