dify/api/core/tools/signature.py

import base64
import hashlib
import hmac
import os
import time

from configs import dify_config


def sign_tool_file(tool_file_id: str, extension: str) -> str:
    """
    sign file to get a temporary url
    """
    base_url = dify_config.FILES_URL
    file_preview_url = f"{base_url}/files/tools/{tool_file_id}{extension}"

    timestamp = str(int(time.time()))
    nonce = os.urandom(16).hex()
    data_to_sign = f"file-preview|{tool_file_id}|{timestamp}|{nonce}"
    secret_key = dify_config.SECRET_KEY.encode() if dify_config.SECRET_KEY else b""
    sign = hmac.new(secret_key, data_to_sign.encode(), hashlib.sha256).digest()
    encoded_sign = base64.urlsafe_b64encode(sign).decode()

    return f"{file_preview_url}?timestamp={timestamp}&nonce={nonce}&sign={encoded_sign}"


def verify_tool_file_signature(file_id: str, timestamp: str, nonce: str, sign: str) -> bool:
    """
    verify signature
    """
    data_to_sign = f"file-preview|{file_id}|{timestamp}|{nonce}"
    secret_key = dify_config.SECRET_KEY.encode() if dify_config.SECRET_KEY else b""
    recalculated_sign = hmac.new(secret_key, data_to_sign.encode(), hashlib.sha256).digest()
    recalculated_encoded_sign = base64.urlsafe_b64encode(recalculated_sign).decode()

    # verify signature
    if sign != recalculated_encoded_sign:
        return False

    current_time = int(time.time())
    return current_time - int(timestamp) <= dify_config.FILES_ACCESS_TIMEOUT
feat(api): Add image multimodal support for LLMNode (#17372) Enhance `LLMNode` with multimodal capability, introducing support for image outputs. This implementation extracts base64-encoded images from LLM responses, saves them to the storage service, and records the file metadata in the `ToolFile` table. In conversations, these images are rendered as markdown-based inline images. Additionally, the images are included in the LLMNode's output as file variables, enabling subsequent nodes in the workflow to utilize them. To integrate file outputs into workflows, adjustments to the frontend code are necessary. For multimodal output functionality, updates to related model configurations are required. Currently, this capability has been applied exclusively to Google's Gemini models. Close #15814. Signed-off-by: -LAN- <laipz8200@outlook.com> Co-authored-by: -LAN- <laipz8200@outlook.com> 2025-04-30 17:28:02 +08:00			`import base64`
			`import hashlib`
			`import hmac`
			`import os`
			`import time`

			`from configs import dify_config`


			`def sign_tool_file(tool_file_id: str, extension: str) -> str:`
			`"""`
			`sign file to get a temporary url`
			`"""`
			`base_url = dify_config.FILES_URL`
			`file_preview_url = f"{base_url}/files/tools/{tool_file_id}{extension}"`

			`timestamp = str(int(time.time()))`
			`nonce = os.urandom(16).hex()`
			`data_to_sign = f"file-preview\|{tool_file_id}\|{timestamp}\|{nonce}"`
			`secret_key = dify_config.SECRET_KEY.encode() if dify_config.SECRET_KEY else b""`
			`sign = hmac.new(secret_key, data_to_sign.encode(), hashlib.sha256).digest()`
			`encoded_sign = base64.urlsafe_b64encode(sign).decode()`

			`return f"{file_preview_url}?timestamp={timestamp}&nonce={nonce}&sign={encoded_sign}"`


			`def verify_tool_file_signature(file_id: str, timestamp: str, nonce: str, sign: str) -> bool:`
			`"""`
			`verify signature`
			`"""`
			`data_to_sign = f"file-preview\|{file_id}\|{timestamp}\|{nonce}"`
			`secret_key = dify_config.SECRET_KEY.encode() if dify_config.SECRET_KEY else b""`
			`recalculated_sign = hmac.new(secret_key, data_to_sign.encode(), hashlib.sha256).digest()`
			`recalculated_encoded_sign = base64.urlsafe_b64encode(recalculated_sign).decode()`

			`# verify signature`
			`if sign != recalculated_encoded_sign:`
			`return False`

			`current_time = int(time.time())`
			`return current_time - int(timestamp) <= dify_config.FILES_ACCESS_TIMEOUT`