furyhawk/deer-flow
1
0
Fork 0
mirror of https://github.com/bytedance/deer-flow.git synced 2026-06-10 17:35:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ba9cc5e97269d7a42dd501a4d69fd8e031afcbfd
deer-flow/backend/app/gateway
T
History
Xinmin Zeng ba9cc5e972 fix(gateway): enforce thread ownership on stateless run endpoints (#3473) 
POST /api/runs/stream and /api/runs/wait accept thread_id in the request
body but performed no owner authorization, letting any authenticated user
start runs on -- and read /wait checkpoint channel_values from -- another
user's thread (cross-user IDOR, #3472).

The @require_permission(owner_check=True) decorator resolves ownership from
the thread_id *path* param, so it cannot cover these body-param endpoints.
Enforce ownership inside start_run() before create_or_reject via
ThreadMetaStore.check_access: missing rows (auto-created temp threads) and
NULL-owner rows stay accessible, while a thread owned by another user
returns 404 (matching thread_runs.py). The internal system role (IM
channels acting for platform users) is exempt.

Closes #3472
2026-06-10 23:03:39 +08:00
..
auth
fix(auth): persist auto-generated JWT secret to survive restarts (#2933)
2026-05-16 09:24:40 +08:00
routers
fix: align auth-disabled mode and mock history loading (#3471)
2026-06-10 16:11:00 +08:00
__init__.py
refactor: split backend into harness (deerflow.*) and app (app.*) (#1131)
2026-03-14 22:55:52 +08:00
app.py
fix: align auth-disabled mode and mock history loading (#3471)
2026-06-10 16:11:00 +08:00
auth_disabled.py
fix: align auth-disabled mode and mock history loading (#3471)
2026-06-10 16:11:00 +08:00
auth_middleware.py
fix: align auth-disabled mode and mock history loading (#3471)
2026-06-10 16:11:00 +08:00
authz.py
fix(security): harden auth system and fix run journal logic bug (#2593)
2026-04-28 11:34:07 +08:00
config.py
fix(nginx): defer CORS to gateway allowlist (#2861)
2026-05-11 17:38:37 +08:00
csrf_middleware.py
fix: align auth-disabled mode and mock history loading (#3471)
2026-06-10 16:11:00 +08:00
deps.py
fix: align auth-disabled mode and mock history loading (#3471)
2026-06-10 16:11:00 +08:00
internal_auth.py
fix(mcp): add auth interceptor with channel user_id and keep header propagation to mcp tools (#3294)
2026-06-03 15:48:19 +08:00
langgraph_auth.py
fix: align auth-disabled mode and mock history loading (#3471)
2026-06-10 16:11:00 +08:00
pagination.py
fix: load paginated run history messages (#3305)
2026-06-01 15:50:39 +08:00
path_utils.py
feat(persistence): per-user filesystem isolation, run-scoped APIs, and state/history simplification (#2153)
2026-04-26 11:13:01 +08:00
services.py
fix(gateway): enforce thread ownership on stateless run endpoints (#3473)
2026-06-10 23:03:39 +08:00
utils.py
feat(persistence): add unified persistence layer with event store, token tracking, and feedback (#1930)
2026-04-26 11:05:47 +08:00