2023-05-15 08:51:32 +08:00
|
|
|
from functools import wraps
|
|
|
|
|
|
2023-07-11 15:21:20 +08:00
|
|
|
from flask import request
|
2025-05-06 11:58:49 +08:00
|
|
|
from flask_restful import Resource
|
2024-05-15 16:14:49 +08:00
|
|
|
from werkzeug.exceptions import BadRequest, NotFound, Unauthorized
|
2024-02-06 13:21:13 +08:00
|
|
|
|
2025-05-20 12:07:50 +08:00
|
|
|
from controllers.web.error import WebAppAuthAccessDeniedError, WebAppAuthRequiredError
|
2024-02-06 13:21:13 +08:00
|
|
|
from extensions.ext_database import db
|
2024-01-12 12:34:01 +08:00
|
|
|
from libs.passport import PassportService
|
|
|
|
|
from models.model import App, EndUser, Site
|
2024-08-25 18:47:02 +08:00
|
|
|
from services.enterprise.enterprise_service import EnterpriseService
|
2024-05-15 16:14:49 +08:00
|
|
|
from services.feature_service import FeatureService
|
2023-05-15 08:51:32 +08:00
|
|
|
|
|
|
|
|
|
2023-07-11 15:21:20 +08:00
|
|
|
def validate_jwt_token(view=None):
|
2023-05-15 08:51:32 +08:00
|
|
|
def decorator(view):
|
|
|
|
|
@wraps(view)
|
|
|
|
|
def decorated(*args, **kwargs):
|
2023-07-11 15:21:20 +08:00
|
|
|
app_model, end_user = decode_jwt_token()
|
2023-05-15 08:51:32 +08:00
|
|
|
|
|
|
|
|
return view(app_model, end_user, *args, **kwargs)
|
2024-08-26 15:29:10 +08:00
|
|
|
|
2023-05-15 08:51:32 +08:00
|
|
|
return decorated
|
2024-08-26 15:29:10 +08:00
|
|
|
|
2023-05-15 08:51:32 +08:00
|
|
|
if view:
|
|
|
|
|
return decorator(view)
|
|
|
|
|
return decorator
|
|
|
|
|
|
2024-05-15 16:14:49 +08:00
|
|
|
|
2023-07-11 15:21:20 +08:00
|
|
|
def decode_jwt_token():
|
2024-05-15 16:14:49 +08:00
|
|
|
system_features = FeatureService.get_system_features()
|
2025-05-20 12:07:50 +08:00
|
|
|
app_code = str(request.headers.get("X-App-Code"))
|
2024-05-15 16:14:49 +08:00
|
|
|
try:
|
2024-08-26 15:29:10 +08:00
|
|
|
auth_header = request.headers.get("Authorization")
|
2024-05-15 16:14:49 +08:00
|
|
|
if auth_header is None:
|
2024-08-26 15:29:10 +08:00
|
|
|
raise Unauthorized("Authorization header is missing.")
|
2024-05-15 16:14:49 +08:00
|
|
|
|
2024-08-26 15:29:10 +08:00
|
|
|
if " " not in auth_header:
|
|
|
|
|
raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")
|
2024-05-15 16:14:49 +08:00
|
|
|
|
|
|
|
|
auth_scheme, tk = auth_header.split(None, 1)
|
|
|
|
|
auth_scheme = auth_scheme.lower()
|
|
|
|
|
|
2024-08-26 15:29:10 +08:00
|
|
|
if auth_scheme != "bearer":
|
|
|
|
|
raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")
|
2024-05-15 16:14:49 +08:00
|
|
|
decoded = PassportService().verify(tk)
|
2024-08-26 15:29:10 +08:00
|
|
|
app_code = decoded.get("app_code")
|
|
|
|
|
app_model = db.session.query(App).filter(App.id == decoded["app_id"]).first()
|
2024-05-15 16:14:49 +08:00
|
|
|
site = db.session.query(Site).filter(Site.code == app_code).first()
|
|
|
|
|
if not app_model:
|
|
|
|
|
raise NotFound()
|
|
|
|
|
if not app_code or not site:
|
2024-08-26 15:29:10 +08:00
|
|
|
raise BadRequest("Site URL is no longer valid.")
|
2024-05-15 16:14:49 +08:00
|
|
|
if app_model.enable_site is False:
|
2024-08-26 15:29:10 +08:00
|
|
|
raise BadRequest("Site is disabled.")
|
|
|
|
|
end_user = db.session.query(EndUser).filter(EndUser.id == decoded["end_user_id"]).first()
|
2024-05-15 16:14:49 +08:00
|
|
|
if not end_user:
|
|
|
|
|
raise NotFound()
|
|
|
|
|
|
2025-05-20 12:07:50 +08:00
|
|
|
# for enterprise webapp auth
|
|
|
|
|
app_web_auth_enabled = False
|
|
|
|
|
if system_features.webapp_auth.enabled:
|
|
|
|
|
app_web_auth_enabled = (
|
|
|
|
|
EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code).access_mode != "public"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
_validate_webapp_token(decoded, app_web_auth_enabled, system_features.webapp_auth.enabled)
|
|
|
|
|
_validate_user_accessibility(decoded, app_code, app_web_auth_enabled, system_features.webapp_auth.enabled)
|
2024-05-15 16:14:49 +08:00
|
|
|
|
|
|
|
|
return app_model, end_user
|
|
|
|
|
except Unauthorized as e:
|
2025-05-20 12:07:50 +08:00
|
|
|
if system_features.webapp_auth.enabled:
|
|
|
|
|
app_web_auth_enabled = (
|
|
|
|
|
EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=str(app_code)).access_mode != "public"
|
|
|
|
|
)
|
|
|
|
|
if app_web_auth_enabled:
|
|
|
|
|
raise WebAppAuthRequiredError()
|
2024-05-15 16:14:49 +08:00
|
|
|
|
|
|
|
|
raise Unauthorized(e.description)
|
|
|
|
|
|
|
|
|
|
|
2025-05-20 12:07:50 +08:00
|
|
|
def _validate_webapp_token(decoded, app_web_auth_enabled: bool, system_webapp_auth_enabled: bool):
|
|
|
|
|
# Check if authentication is enforced for web app, and if the token source is not webapp,
|
|
|
|
|
# raise an error and redirect to login
|
|
|
|
|
if system_webapp_auth_enabled and app_web_auth_enabled:
|
|
|
|
|
source = decoded.get("token_source")
|
|
|
|
|
if not source or source != "webapp":
|
|
|
|
|
raise WebAppAuthRequiredError()
|
2024-05-15 16:14:49 +08:00
|
|
|
|
2025-05-20 12:07:50 +08:00
|
|
|
# Check if authentication is not enforced for web, and if the token source is webapp,
|
2024-09-12 14:00:36 +08:00
|
|
|
# raise an error and redirect to normal passport login
|
2025-05-20 12:07:50 +08:00
|
|
|
if not system_webapp_auth_enabled or not app_web_auth_enabled:
|
2024-08-26 15:29:10 +08:00
|
|
|
source = decoded.get("token_source")
|
2025-05-20 12:07:50 +08:00
|
|
|
if source and source == "webapp":
|
|
|
|
|
raise Unauthorized("webapp token expired.")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def _validate_user_accessibility(decoded, app_code, app_web_auth_enabled: bool, system_webapp_auth_enabled: bool):
|
|
|
|
|
if system_webapp_auth_enabled and app_web_auth_enabled:
|
|
|
|
|
# Check if the user is allowed to access the web app
|
|
|
|
|
user_id = decoded.get("user_id")
|
|
|
|
|
if not user_id:
|
|
|
|
|
raise WebAppAuthRequiredError()
|
|
|
|
|
|
|
|
|
|
if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id, app_code=app_code):
|
|
|
|
|
raise WebAppAuthAccessDeniedError()
|
2024-05-15 16:14:49 +08:00
|
|
|
|
2023-05-15 08:51:32 +08:00
|
|
|
|
|
|
|
|
class WebApiResource(Resource):
|
2023-07-11 15:21:20 +08:00
|
|
|
method_decorators = [validate_jwt_token]
|
