dify/api/controllers/console/auth/oauth.py

import logging
from datetime import datetime, timezone
from typing import Optional

import requests
from flask import current_app, redirect, request
from flask_restful import Resource
from werkzeug.exceptions import Unauthorized

from configs import dify_config
from constants.languages import languages
from extensions.ext_database import db
from libs.helper import get_remote_ip
from libs.oauth import GitHubOAuth, GoogleOAuth, OAuthUserInfo
from models.account import Account, AccountStatus
from services.account_service import AccountService, RegisterService, TenantService

from .. import api


def get_oauth_providers():
    with current_app.app_context():
        if not dify_config.GITHUB_CLIENT_ID or not dify_config.GITHUB_CLIENT_SECRET:
            github_oauth = None
        else:
            github_oauth = GitHubOAuth(
                client_id=dify_config.GITHUB_CLIENT_ID,
                client_secret=dify_config.GITHUB_CLIENT_SECRET,
                redirect_uri=dify_config.CONSOLE_API_URL + "/console/api/oauth/authorize/github",
            )
        if not dify_config.GOOGLE_CLIENT_ID or not dify_config.GOOGLE_CLIENT_SECRET:
            google_oauth = None
        else:
            google_oauth = GoogleOAuth(
                client_id=dify_config.GOOGLE_CLIENT_ID,
                client_secret=dify_config.GOOGLE_CLIENT_SECRET,
                redirect_uri=dify_config.CONSOLE_API_URL + "/console/api/oauth/authorize/google",
            )

        OAUTH_PROVIDERS = {"github": github_oauth, "google": google_oauth}
        return OAUTH_PROVIDERS


class OAuthLogin(Resource):
    def get(self, provider: str):
        invite_token = request.args.get("invite_token") or None
        OAUTH_PROVIDERS = get_oauth_providers()
        with current_app.app_context():
            oauth_provider = OAUTH_PROVIDERS.get(provider)
            print(vars(oauth_provider))
        if not oauth_provider:
            return {"error": "Invalid provider"}, 400

        auth_url = oauth_provider.get_authorization_url(invite_token=invite_token)
        return redirect(auth_url)


class OAuthCallback(Resource):
    def get(self, provider: str):
        OAUTH_PROVIDERS = get_oauth_providers()
        with current_app.app_context():
            oauth_provider = OAUTH_PROVIDERS.get(provider)
        if not oauth_provider:
            return {"error": "Invalid provider"}, 400

        code = request.args.get("code")
        state = request.args.get("state")
        invite_token = None
        if state:
            invite_token = state

        try:
            token = oauth_provider.get_access_token(code)
            user_info = oauth_provider.get_user_info(token)
        except requests.exceptions.HTTPError as e:
            logging.exception(f"An error occurred during the OAuth process with {provider}: {e.response.text}")
            return {"error": "OAuth process failed"}, 400

        if invite_token and RegisterService.is_valid_invite_token(invite_token):
            invitation = RegisterService._get_invitation_by_token(token=invite_token)
            if invitation:
                invitation_email = invitation.get("email", None)
                if invitation_email != user_info.email:
                    return redirect(f"{dify_config.CONSOLE_WEB_URL}/signin?message=InvalidToken")

            return redirect(f"{dify_config.CONSOLE_WEB_URL}/signin/invite-settings?invite_token={invite_token}")

        try:
            account = _generate_account(provider, user_info)
        except Unauthorized:
            return redirect(f"{dify_config.CONSOLE_WEB_URL}/signin?message=AccountNotFound")

        # Check account status
        if account.status == AccountStatus.BANNED.value or account.status == AccountStatus.CLOSED.value:
            return {"error": "Account is banned or closed."}, 403

        if account.status == AccountStatus.PENDING.value:
            account.status = AccountStatus.ACTIVE.value
            account.initialized_at = datetime.now(timezone.utc).replace(tzinfo=None)
            db.session.commit()

        try:
            TenantService.create_owner_tenant_if_not_exist(account)
        except Unauthorized:
            return redirect(f"{dify_config.CONSOLE_WEB_URL}/signin?message=WorkspaceNotFound")

        token = AccountService.login(account, ip_address=get_remote_ip(request))

        return redirect(f"{dify_config.CONSOLE_WEB_URL}?console_token={token}")


def _get_account_by_openid_or_email(provider: str, user_info: OAuthUserInfo) -> Optional[Account]:
    account = Account.get_by_openid(provider, user_info.id)

    if not account:
        account = Account.query.filter_by(email=user_info.email).first()

    return account


def _generate_account(provider: str, user_info: OAuthUserInfo):
    # Get account by openid or email.
    account = _get_account_by_openid_or_email(provider, user_info)

    if not account:
        account_name = user_info.name if user_info.name else "Dify"
        account = RegisterService.register(
            email=user_info.email, name=account_name, password=None, open_id=user_info.id, provider=provider
        )

        # Set interface language
        preferred_lang = request.accept_languages.best_match(languages)
        if preferred_lang and preferred_lang in languages:
            interface_language = preferred_lang
        else:
            interface_language = languages[0]
        account.interface_language = interface_language
        db.session.commit()

    # Link account
    AccountService.link_account_integrate(provider, user_info.id, account)

    return account


api.add_resource(OAuthLogin, "/oauth/login/<provider>")
api.add_resource(OAuthCallback, "/oauth/authorize/<provider>")
Initial commit 2023-05-15 08:51:32 +08:00			`import logging`
feat: Deprecate datetime.utcnow() in favor of datetime.now(timezone.utc).replace(tzinfo=None) for better timezone handling (#3408) (#3416) 2024-04-12 16:22:24 +08:00			`from datetime import datetime, timezone`
Initial commit 2023-05-15 08:51:32 +08:00			`from typing import Optional`

			`import requests`
improve: introduce isort for linting Python imports (#1983) 2024-01-12 12:34:01 +08:00			`from flask import current_app, redirect, request`
			`from flask_restful import Resource`
feat: remove extra judgement 2024-09-02 16:03:44 +08:00			`from werkzeug.exceptions import Unauthorized`
enhancement: introduce Ruff for Python linter for reordering and removing unused imports with automated pre-commit and sytle check (#2366) 2024-02-06 13:21:13 +08:00
feat(*): Swtich to dify_config. (#6025) 2024-07-06 12:05:13 +08:00			`from configs import dify_config`
enhancement: introduce Ruff for Python linter for reordering and removing unused imports with automated pre-commit and sytle check (#2366) 2024-02-06 13:21:13 +08:00			`from constants.languages import languages`
			`from extensions.ext_database import db`
feat(api/auth): switch-to-stateful-authentication (#5438) 2024-06-21 12:39:07 +08:00			`from libs.helper import get_remote_ip`
improve: introduce isort for linting Python imports (#1983) 2024-01-12 12:34:01 +08:00			`from libs.oauth import GitHubOAuth, GoogleOAuth, OAuthUserInfo`
Initial commit 2023-05-15 08:51:32 +08:00			`from models.account import Account, AccountStatus`
fix: account has no owner workspace by member inviting (#2435) 2024-02-12 02:09:01 +08:00			`from services.account_service import AccountService, RegisterService, TenantService`
improve: introduce isort for linting Python imports (#1983) 2024-01-12 12:34:01 +08:00
Initial commit 2023-05-15 08:51:32 +08:00			`from .. import api`


			`def get_oauth_providers():`
			`with current_app.app_context():`
feat(*): Swtich to dify_config. (#6025) 2024-07-06 12:05:13 +08:00			`if not dify_config.GITHUB_CLIENT_ID or not dify_config.GITHUB_CLIENT_SECRET:`
			`github_oauth = None`
			`else:`
			`github_oauth = GitHubOAuth(`
			`client_id=dify_config.GITHUB_CLIENT_ID,`
			`client_secret=dify_config.GITHUB_CLIENT_SECRET,`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`redirect_uri=dify_config.CONSOLE_API_URL + "/console/api/oauth/authorize/github",`
feat(*): Swtich to dify_config. (#6025) 2024-07-06 12:05:13 +08:00			`)`
			`if not dify_config.GOOGLE_CLIENT_ID or not dify_config.GOOGLE_CLIENT_SECRET:`
			`google_oauth = None`
			`else:`
			`google_oauth = GoogleOAuth(`
			`client_id=dify_config.GOOGLE_CLIENT_ID,`
			`client_secret=dify_config.GOOGLE_CLIENT_SECRET,`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`redirect_uri=dify_config.CONSOLE_API_URL + "/console/api/oauth/authorize/google",`
feat(*): Swtich to dify_config. (#6025) 2024-07-06 12:05:13 +08:00			`)`

chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`OAUTH_PROVIDERS = {"github": github_oauth, "google": google_oauth}`
Initial commit 2023-05-15 08:51:32 +08:00			`return OAUTH_PROVIDERS`


			`class OAuthLogin(Resource):`
fix: oauth AccountNotFound 2024-09-02 15:24:13 +08:00			`def get(self, provider: str):`
feat: remove redict signin 2024-09-02 15:25:24 +08:00			`invite_token = request.args.get("invite_token") or None`
Initial commit 2023-05-15 08:51:32 +08:00			`OAUTH_PROVIDERS = get_oauth_providers()`
			`with current_app.app_context():`
			`oauth_provider = OAUTH_PROVIDERS.get(provider)`
			`print(vars(oauth_provider))`
			`if not oauth_provider:`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`return {"error": "Invalid provider"}, 400`
Initial commit 2023-05-15 08:51:32 +08:00
fix: get_authorization_url invite token 2024-09-02 15:40:47 +08:00			`auth_url = oauth_provider.get_authorization_url(invite_token=invite_token)`
Initial commit 2023-05-15 08:51:32 +08:00			`return redirect(auth_url)`


			`class OAuthCallback(Resource):`
			`def get(self, provider: str):`
			`OAUTH_PROVIDERS = get_oauth_providers()`
			`with current_app.app_context():`
			`oauth_provider = OAUTH_PROVIDERS.get(provider)`
			`if not oauth_provider:`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`return {"error": "Invalid provider"}, 400`
Initial commit 2023-05-15 08:51:32 +08:00
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`code = request.args.get("code")`
feat: add oauth invite redict 2024-09-02 14:50:45 +08:00			`state = request.args.get("state")`
			`invite_token = None`
			`if state:`
			`invite_token = state`

Initial commit 2023-05-15 08:51:32 +08:00			`try:`
			`token = oauth_provider.get_access_token(code)`
			`user_info = oauth_provider.get_user_info(token)`
			`except requests.exceptions.HTTPError as e:`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`logging.exception(f"An error occurred during the OAuth process with {provider}: {e.response.text}")`
			`return {"error": "OAuth process failed"}, 400`
Initial commit 2023-05-15 08:51:32 +08:00
feat: add OAuth invite token check 2024-09-09 14:49:21 +08:00			`if invite_token and RegisterService.is_valid_invite_token(invite_token):`
feat: add invitation email judgment 2024-09-02 18:04:11 +08:00			`invitation = RegisterService._get_invitation_by_token(token=invite_token)`
			`if invitation:`
			`invitation_email = invitation.get("email", None)`
			`if invitation_email != user_info.email:`
			`return redirect(f"{dify_config.CONSOLE_WEB_URL}/signin?message=InvalidToken")`
fix: code reformat 2024-09-09 14:50:56 +08:00
feat: update oauth invite_token redirect url 2024-09-02 17:42:31 +08:00			`return redirect(f"{dify_config.CONSOLE_WEB_URL}/signin/invite-settings?invite_token={invite_token}")`
feat: add oauth invite redict 2024-09-02 14:50:45 +08:00
feat: add oauth account not found 2024-09-02 11:09:40 +08:00			`try:`
			`account = _generate_account(provider, user_info)`
feat: remove extra judgement 2024-09-02 16:03:44 +08:00			`except Unauthorized:`
feat: add oauth account not found 2024-09-02 11:09:40 +08:00			`return redirect(f"{dify_config.CONSOLE_WEB_URL}/signin?message=AccountNotFound")`
feat: remove extra judgement 2024-09-02 16:03:44 +08:00
Initial commit 2023-05-15 08:51:32 +08:00			`# Check account status`
			`if account.status == AccountStatus.BANNED.value or account.status == AccountStatus.CLOSED.value:`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`return {"error": "Account is banned or closed."}, 403`
Initial commit 2023-05-15 08:51:32 +08:00
			`if account.status == AccountStatus.PENDING.value:`
			`account.status = AccountStatus.ACTIVE.value`
feat: Deprecate datetime.utcnow() in favor of datetime.now(timezone.utc).replace(tzinfo=None) for better timezone handling (#3408) (#3416) 2024-04-12 16:22:24 +08:00			`account.initialized_at = datetime.now(timezone.utc).replace(tzinfo=None)`
Initial commit 2023-05-15 08:51:32 +08:00			`db.session.commit()`

feat: remove extra judgement 2024-09-02 16:03:44 +08:00			`try:`
			`TenantService.create_owner_tenant_if_not_exist(account)`
			`except Unauthorized:`
			`return redirect(f"{dify_config.CONSOLE_WEB_URL}/signin?message=WorkspaceNotFound")`
fix: account has no owner workspace by member inviting (#2435) 2024-02-12 02:09:01 +08:00
feat(api/auth): switch-to-stateful-authentication (#5438) 2024-06-21 12:39:07 +08:00			`token = AccountService.login(account, ip_address=get_remote_ip(request))`
Feat/api jwt (#1212) 2023-09-25 12:49:16 +08:00
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`return redirect(f"{dify_config.CONSOLE_WEB_URL}?console_token={token}")`
Initial commit 2023-05-15 08:51:32 +08:00

			`def _get_account_by_openid_or_email(provider: str, user_info: OAuthUserInfo) -> Optional[Account]:`
			`account = Account.get_by_openid(provider, user_info.id)`

			`if not account:`
			`account = Account.query.filter_by(email=user_info.email).first()`

			`return account`


			`def _generate_account(provider: str, user_info: OAuthUserInfo):`
			`# Get account by openid or email.`
			`account = _get_account_by_openid_or_email(provider, user_info)`

fix: oauth AccountNotFound 2024-09-02 15:24:13 +08:00			`if not account:`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`account_name = user_info.name if user_info.name else "Dify"`
Initial commit 2023-05-15 08:51:32 +08:00			`account = RegisterService.register(`
feat(*): Swtich to dify_config. (#6025) 2024-07-06 12:05:13 +08:00			`email=user_info.email, name=account_name, password=None, open_id=user_info.id, provider=provider`
Initial commit 2023-05-15 08:51:32 +08:00			`)`

			`# Set interface language`
Feat/portuguese support (#2075) 2024-01-23 21:14:53 +08:00			`preferred_lang = request.accept_languages.best_match(languages)`
			`if preferred_lang and preferred_lang in languages:`
			`interface_language = preferred_lang`
Initial commit 2023-05-15 08:51:32 +08:00			`else:`
Feat/portuguese support (#2075) 2024-01-23 21:14:53 +08:00			`interface_language = languages[0]`
Initial commit 2023-05-15 08:51:32 +08:00			`account.interface_language = interface_language`
			`db.session.commit()`

			`# Link account`
			`AccountService.link_account_integrate(provider, user_info.id, account)`

			`return account`


chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`api.add_resource(OAuthLogin, "/oauth/login/<provider>")`
			`api.add_resource(OAuthCallback, "/oauth/authorize/<provider>")`