dify/api/controllers/console/auth/login.py

from typing import cast

import flask_login
from flask import redirect, request
from flask_restful import Resource, reqparse

import services
from configs import dify_config
from constants.languages import languages
from controllers.console import api
from controllers.console.auth.error import (
    EmailCodeError,
    EmailOrPasswordMismatchError,
    EmailPasswordLoginLimitError,
    InvalidEmailError,
    InvalidTokenError,
)
from controllers.console.error import NotAllowedCreateWorkspace, NotAllowedRegister
from controllers.console.setup import setup_required
from events.tenant_event import tenant_was_created
from libs.helper import email, get_remote_ip
from libs.password import valid_password
from models.account import Account
from services.account_service import AccountService, RegisterService, TenantService
from services.errors.workspace import WorkSpaceNotAllowedCreateError


class LoginApi(Resource):
    """Resource for user login."""

    @setup_required
    def post(self):
        """Authenticate user and login."""
        parser = reqparse.RequestParser()
        parser.add_argument("email", type=email, required=True, location="json")
        parser.add_argument("password", type=valid_password, required=True, location="json")
        parser.add_argument("remember_me", type=bool, required=False, default=False, location="json")
        parser.add_argument("invite_token", type=str, required=False, default=None, location="json")
        args = parser.parse_args()

        is_login_error_rate_limit = AccountService.is_login_error_rate_limit(args["email"])
        if is_login_error_rate_limit:
            raise EmailPasswordLoginLimitError()

        invitation = args["invite_token"]
        if invitation:
            invitation = RegisterService.get_invitation_if_token_valid(None, args["email"], invitation)
        
        try:
            if invitation:
                data = invitation.get("data", {})
                invitee_email = data.get("email") if data else None
                if invitee_email != args["email"]:
                    raise InvalidEmailError()
                account = AccountService.authenticate(args["email"], args["password"], args["invite_token"])
            else:
                account = AccountService.authenticate(args["email"], args["password"])
        except services.errors.account.AccountLoginError:
            raise NotAllowedRegister()
        except services.errors.account.AccountPasswordError:
            AccountService.add_login_error_rate_limit(args["email"])
            raise EmailOrPasswordMismatchError()
        except services.errors.account.AccountNotFoundError:
            if not dify_config.ALLOW_REGISTER:
                raise NotAllowedRegister()

            token = AccountService.send_reset_password_email(email=args["email"])
            return {"result": "fail", "data": token, "message": "account_not_found"}
        # SELF_HOSTED only have one workspace
        tenants = TenantService.get_join_tenants(account)
        if len(tenants) == 0:
            return {
                "result": "fail",
                "data": "workspace not found, please contact system admin to invite you to join in a workspace",
            }

        token = AccountService.login(account, ip_address=get_remote_ip(request))
        AccountService.reset_login_error_rate_limit(args["email"])
        return {"result": "success", "data": token}


class LogoutApi(Resource):
    @setup_required
    def get(self):
        account = cast(Account, flask_login.current_user)
        token = request.headers.get("Authorization", "").split(" ")[1]
        AccountService.logout(account=account, token=token)
        flask_login.logout_user()
        return {"result": "success"}


class ResetPasswordSendEmailApi(Resource):
    @setup_required
    def post(self):
        parser = reqparse.RequestParser()
        parser.add_argument("email", type=email, required=True, location="json")
        parser.add_argument("language", type=str, required=False, location="json")
        args = parser.parse_args()

        if args["language"] is not None and args["language"] == "zh-Hans":
            language = "zh-Hans"
        else:
            language = "en-US"

        account = AccountService.get_user_through_email(args["email"])
        if account is None:
            if dify_config.ALLOW_REGISTER:
                token = AccountService.send_reset_password_email(email=args["email"], language=language)
            else:
                raise NotAllowedRegister()
        else:
            token = AccountService.send_reset_password_email(account=account, language=language)

        return {"result": "success", "data": token}


class EmailCodeLoginSendEmailApi(Resource):
    @setup_required
    def post(self):
        parser = reqparse.RequestParser()
        parser.add_argument("email", type=email, required=True, location="json")
        parser.add_argument("language", type=str, required=False, location="json")
        args = parser.parse_args()

        if args["language"] is not None and args["language"] == "zh-Hans":
            language = "zh-Hans"
        else:
            language = "en-US"

        account = AccountService.get_user_through_email(args["email"])
        if account is None:
            if dify_config.ALLOW_REGISTER:
                token = AccountService.send_email_code_login_email(email=args["email"], language=language)
            else:
                raise NotAllowedRegister()
        else:
            token = AccountService.send_email_code_login_email(account=account, language=language)

        return {"result": "success", "data": token}


class EmailCodeLoginApi(Resource):
    @setup_required
    def post(self):
        parser = reqparse.RequestParser()
        parser.add_argument("email", type=str, required=True, location="json")
        parser.add_argument("code", type=str, required=True, location="json")
        parser.add_argument("token", type=str, required=True, location="json")
        args = parser.parse_args()

        user_email = args["email"]

        token_data = AccountService.get_email_code_login_data(args["token"])
        if token_data is None:
            raise InvalidTokenError()

        if token_data["email"] != args["email"]:
            raise InvalidEmailError()

        if token_data["code"] != args["code"]:
            raise EmailCodeError()

        AccountService.revoke_email_code_login_token(args["token"])
        account = AccountService.get_user_through_email(user_email)
        if account:
            tenant = TenantService.get_join_tenants(account)
            if not tenant:
                if not dify_config.ALLOW_CREATE_WORKSPACE:
                    raise NotAllowedCreateWorkspace()
                else:
                    tenant = TenantService.create_tenant(f"{account.name}'s Workspace")
                    TenantService.create_tenant_member(tenant, account, role="owner")
                    account.current_tenant = tenant
                    tenant_was_created.send(tenant)

        if account is None:
            try:
                account = AccountService.create_account_and_tenant(
                    email=user_email, name=user_email, interface_language=languages[0]
                )
            except WorkSpaceNotAllowedCreateError:
                return redirect(
                    f"{dify_config.CONSOLE_WEB_URL}/signin"
                    "?message=Workspace not found, please contact system admin to invite you to join in a workspace."
                )
        token = AccountService.login(account, ip_address=get_remote_ip(request))
        AccountService.reset_login_error_rate_limit(args["email"])
        return {"result": "success", "data": token}


api.add_resource(LoginApi, "/login")
api.add_resource(LogoutApi, "/logout")
api.add_resource(EmailCodeLoginSendEmailApi, "/email-code-login")
api.add_resource(EmailCodeLoginApi, "/email-code-login/validity")
api.add_resource(ResetPasswordSendEmailApi, "/reset-password")
feat(api/auth): switch-to-stateful-authentication (#5438) 2024-06-21 12:39:07 +08:00			`from typing import cast`

Initial commit 2023-05-15 08:51:32 +08:00			`import flask_login`
feat: add not ALLOW_CREATE_WORKSPACE 2024-09-10 11:36:20 +08:00			`from flask import redirect, request`
enhancement: introduce Ruff for Python linter for reordering and removing unused imports with automated pre-commit and sytle check (#2366) 2024-02-06 13:21:13 +08:00			`from flask_restful import Resource, reqparse`

Initial commit 2023-05-15 08:51:32 +08:00			`import services`
feat: add email code login 2024-08-29 14:13:28 +08:00			`from configs import dify_config`
			`from constants.languages import languages`
Initial commit 2023-05-15 08:51:32 +08:00			`from controllers.console import api`
feat: add email code login 2024-08-29 14:13:28 +08:00			`from controllers.console.auth.error import (`
feat: add reset password api 2024-08-29 16:51:30 +08:00			`EmailCodeError,`
feat: update EmailOrPasswordMismatchError 2024-09-14 14:49:54 +08:00			`EmailOrPasswordMismatchError,`
feat: add login limit error 2024-09-23 11:20:35 +08:00			`EmailPasswordLoginLimitError,`
feat: add email code login 2024-08-29 14:13:28 +08:00			`InvalidEmailError,`
			`InvalidTokenError,`
			`)`
feat: add NotAllowedCreateWorkspace 2024-09-10 11:51:40 +08:00			`from controllers.console.error import NotAllowedCreateWorkspace, NotAllowedRegister`
Initial commit 2023-05-15 08:51:32 +08:00			`from controllers.console.setup import setup_required`
feat: add not ALLOW_CREATE_WORKSPACE 2024-09-10 11:36:20 +08:00			`from events.tenant_event import tenant_was_created`
feat(api/auth): switch-to-stateful-authentication (#5438) 2024-06-21 12:39:07 +08:00			`from libs.helper import email, get_remote_ip`
feat: change valid_password error resp 2024-09-27 10:52:01 +08:00			`from libs.password import valid_password`
feat(api/auth): switch-to-stateful-authentication (#5438) 2024-06-21 12:39:07 +08:00			`from models.account import Account`
feat: add email code login invite token 2024-09-29 16:59:03 +08:00			`from services.account_service import AccountService, RegisterService, TenantService`
feat: add not ALLOW_CREATE_WORKSPACE 2024-09-10 11:36:20 +08:00			`from services.errors.workspace import WorkSpaceNotAllowedCreateError`
Initial commit 2023-05-15 08:51:32 +08:00

			`class LoginApi(Resource):`
			`"""Resource for user login."""`

			`@setup_required`
			`def post(self):`
			`"""Authenticate user and login."""`
			`parser = reqparse.RequestParser()`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`parser.add_argument("email", type=email, required=True, location="json")`
fix: change type error 2024-09-27 11:56:37 +08:00			`parser.add_argument("password", type=valid_password, required=True, location="json")`
			`parser.add_argument("remember_me", type=bool, required=False, default=False, location="json")`
feat: add email code login invite token 2024-09-29 16:59:03 +08:00			`parser.add_argument("invite_token", type=str, required=False, default=None, location="json")`
Initial commit 2023-05-15 08:51:32 +08:00			`args = parser.parse_args()`

feat: add email password limit 2024-09-23 10:45:30 +08:00			`is_login_error_rate_limit = AccountService.is_login_error_rate_limit(args["email"])`
			`if is_login_error_rate_limit:`
feat: add login limit error 2024-09-23 11:20:35 +08:00			`raise EmailPasswordLoginLimitError()`
feat: add email password limit 2024-09-23 10:45:30 +08:00
feat: add email code login invite token 2024-09-29 16:59:03 +08:00			`invitation = args["invite_token"]`
			`if invitation:`
			`invitation = RegisterService.get_invitation_if_token_valid(None, args["email"], invitation)`

Initial commit 2023-05-15 08:51:32 +08:00			`try:`
feat: add email code login invite token 2024-09-29 16:59:03 +08:00			`if invitation:`
			`data = invitation.get("data", {})`
			`invitee_email = data.get("email") if data else None`
			`if invitee_email != args["email"]:`
			`raise InvalidEmailError()`
			`account = AccountService.authenticate(args["email"], args["password"], args["invite_token"])`
			`else:`
			`account = AccountService.authenticate(args["email"], args["password"])`
feat: update invite workspace member email password login logic 2024-09-03 15:37:16 +08:00			`except services.errors.account.AccountLoginError:`
			`raise NotAllowedRegister()`
			`except services.errors.account.AccountPasswordError:`
feat: add email password limit 2024-09-23 10:45:30 +08:00			`AccountService.add_login_error_rate_limit(args["email"])`
feat: update EmailOrPasswordMismatchError 2024-09-14 14:49:54 +08:00			`raise EmailOrPasswordMismatchError()`
chore: apply pep8-naming rules for naming 2024-09-12 11:47:36 +08:00			`except services.errors.account.AccountNotFoundError:`
feat: add login account not found 2024-09-02 11:08:36 +08:00			`if not dify_config.ALLOW_REGISTER:`
fix: OAuth error when not allow register 2024-09-09 17:27:40 +08:00			`raise NotAllowedRegister()`
Initial commit 2023-05-15 08:51:32 +08:00
feat: add login account not found 2024-09-02 11:08:36 +08:00			`token = AccountService.send_reset_password_email(email=args["email"])`
feat: change login AccountNotFound response 2024-09-04 11:04:03 +08:00			`return {"result": "fail", "data": token, "message": "account_not_found"}`
Feat/enterprise sso (#3602) 2024-04-18 17:33:32 +08:00			`# SELF_HOSTED only have one workspace`
			`tenants = TenantService.get_join_tenants(account)`
			`if len(tenants) == 0:`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`return {`
			`"result": "fail",`
			`"data": "workspace not found, please contact system admin to invite you to join in a workspace",`
			`}`
fix: account has no owner workspace by member inviting (#2435) 2024-02-12 02:09:01 +08:00
feat(api/auth): switch-to-stateful-authentication (#5438) 2024-06-21 12:39:07 +08:00			`token = AccountService.login(account, ip_address=get_remote_ip(request))`
feat: add email password limit 2024-09-23 10:45:30 +08:00			`AccountService.reset_login_error_rate_limit(args["email"])`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`return {"result": "success", "data": token}`
Initial commit 2023-05-15 08:51:32 +08:00

			`class LogoutApi(Resource):`
			`@setup_required`
			`def get(self):`
feat(api/auth): switch-to-stateful-authentication (#5438) 2024-06-21 12:39:07 +08:00			`account = cast(Account, flask_login.current_user)`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`token = request.headers.get("Authorization", "").split(" ")[1]`
feat(api/auth): switch-to-stateful-authentication (#5438) 2024-06-21 12:39:07 +08:00			`AccountService.logout(account=account, token=token)`
Initial commit 2023-05-15 08:51:32 +08:00			`flask_login.logout_user()`
chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`return {"result": "success"}`
Initial commit 2023-05-15 08:51:32 +08:00

feat: update register logic 2024-08-29 15:15:48 +08:00			`class ResetPasswordSendEmailApi(Resource):`
			`@setup_required`
			`def post(self):`
			`parser = reqparse.RequestParser()`
			`parser.add_argument("email", type=email, required=True, location="json")`
feat: email api add password param 2024-09-26 14:30:06 +08:00			`parser.add_argument("language", type=str, required=False, location="json")`
feat: update register logic 2024-08-29 15:15:48 +08:00			`args = parser.parse_args()`

feat: change email language 2024-09-26 16:15:23 +08:00			`if args["language"] is not None and args["language"] == "zh-Hans":`
			`language = "zh-Hans"`
			`else:`
			`language = "en-US"`

feat: update register logic 2024-08-29 15:15:48 +08:00			`account = AccountService.get_user_through_email(args["email"])`
			`if account is None:`
			`if dify_config.ALLOW_REGISTER:`
feat: change email language 2024-09-26 16:15:23 +08:00			`token = AccountService.send_reset_password_email(email=args["email"], language=language)`
feat: update register logic 2024-08-29 15:15:48 +08:00			`else:`
feat: update invite workspace member email password login logic 2024-09-03 15:37:16 +08:00			`raise NotAllowedRegister()`
feat: update register logic 2024-08-29 15:15:48 +08:00			`else:`
feat: change email language 2024-09-26 16:15:23 +08:00			`token = AccountService.send_reset_password_email(account=account, language=language)`
feat: update register logic 2024-08-29 15:15:48 +08:00
			`return {"result": "success", "data": token}`


feat: add email code login 2024-08-29 14:13:28 +08:00			`class EmailCodeLoginSendEmailApi(Resource):`
			`@setup_required`
			`def post(self):`
			`parser = reqparse.RequestParser()`
feat: add reset password api 2024-08-29 16:51:30 +08:00			`parser.add_argument("email", type=email, required=True, location="json")`
feat: email api add password param 2024-09-26 14:30:06 +08:00			`parser.add_argument("language", type=str, required=False, location="json")`
feat: add email code login 2024-08-29 14:13:28 +08:00			`args = parser.parse_args()`

feat: change email language 2024-09-26 16:15:23 +08:00			`if args["language"] is not None and args["language"] == "zh-Hans":`
			`language = "zh-Hans"`
			`else:`
			`language = "en-US"`

feat: add email code login 2024-08-29 14:13:28 +08:00			`account = AccountService.get_user_through_email(args["email"])`
			`if account is None:`
feat: update invite workspace member email password login logic 2024-09-03 15:37:16 +08:00			`if dify_config.ALLOW_REGISTER:`
feat: change email language 2024-09-26 16:15:23 +08:00			`token = AccountService.send_email_code_login_email(email=args["email"], language=language)`
feat: update invite workspace member email password login logic 2024-09-03 15:37:16 +08:00			`else:`
			`raise NotAllowedRegister()`
feat: update register logic 2024-08-29 15:15:48 +08:00			`else:`
feat: change email language 2024-09-26 16:15:23 +08:00			`token = AccountService.send_email_code_login_email(account=account, language=language)`
feat: add email code login 2024-08-29 14:13:28 +08:00
			`return {"result": "success", "data": token}`


			`class EmailCodeLoginApi(Resource):`
			`@setup_required`
			`def post(self):`
			`parser = reqparse.RequestParser()`
			`parser.add_argument("email", type=str, required=True, location="json")`
			`parser.add_argument("code", type=str, required=True, location="json")`
			`parser.add_argument("token", type=str, required=True, location="json")`
			`args = parser.parse_args()`

			`user_email = args["email"]`

			`token_data = AccountService.get_email_code_login_data(args["token"])`
			`if token_data is None:`
			`raise InvalidTokenError()`

			`if token_data["email"] != args["email"]:`
			`raise InvalidEmailError()`

			`if token_data["code"] != args["code"]:`
feat: add reset password api 2024-08-29 16:51:30 +08:00			`raise EmailCodeError()`
feat: add email code login 2024-08-29 14:13:28 +08:00
			`AccountService.revoke_email_code_login_token(args["token"])`
			`account = AccountService.get_user_through_email(user_email)`
fix: email code login tenant check 2024-09-12 10:40:44 +08:00			`if account:`
			`tenant = TenantService.get_join_tenants(account)`
			`if not tenant:`
			`if not dify_config.ALLOW_CREATE_WORKSPACE:`
			`raise NotAllowedCreateWorkspace()`
			`else:`
			`tenant = TenantService.create_tenant(f"{account.name}'s Workspace")`
			`TenantService.create_tenant_member(tenant, account, role="owner")`
			`account.current_tenant = tenant`
			`tenant_was_created.send(tenant)`
feat: add email code login 2024-08-29 14:13:28 +08:00
feat: add not ALLOW_CREATE_WORKSPACE 2024-09-10 11:36:20 +08:00			`if account is None:`
			`try:`
			`account = AccountService.create_account_and_tenant(`
			`email=user_email, name=user_email, interface_language=languages[0]`
			`)`
			`except WorkSpaceNotAllowedCreateError:`
			`return redirect(`
Merge branch 'main' into feat/new-login * main: chore: refurbish Python code by applying refurb linter rules (#8296) chore: apply ruff E501 line-too-long linter rule (#8275) fix(workflow): missing content in the answer node stream output during iterations (#8292) chore: cleanup ruff flake8-simplify linter rules (#8286) fix: markdown paragraph margin (#8289) 2024-09-12 17:05:41 +08:00			`f"{dify_config.CONSOLE_WEB_URL}/signin"`
			`"?message=Workspace not found, please contact system admin to invite you to join in a workspace."`
feat: add not ALLOW_CREATE_WORKSPACE 2024-09-10 11:36:20 +08:00			`)`
feat: update register logic 2024-08-29 15:15:48 +08:00			`token = AccountService.login(account, ip_address=get_remote_ip(request))`
feat: add email password limit 2024-09-23 10:45:30 +08:00			`AccountService.reset_login_error_rate_limit(args["email"])`
feat: update register logic 2024-08-29 15:15:48 +08:00			`return {"result": "success", "data": token}`
feat: add email code login 2024-08-29 14:13:28 +08:00

chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00			`api.add_resource(LoginApi, "/login")`
			`api.add_resource(LogoutApi, "/logout")`
feat: add email code login 2024-08-29 14:13:28 +08:00			`api.add_resource(EmailCodeLoginSendEmailApi, "/email-code-login")`
			`api.add_resource(EmailCodeLoginApi, "/email-code-login/validity")`
feat: add reset password api 2024-08-29 16:51:30 +08:00			`api.add_resource(ResetPasswordSendEmailApi, "/reset-password")`