ngskcloud
/
gcgj-dify-1.7.0
17
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
deploy/rag-dev
feat/rag-2
deploy/dev
chore/plugin-error
feat/change-user-email-freezes-limit
feat/support-bool-variable-fe
feat/hitl-frontend
deploy/enterprise
feat/enchance-prompt-and-code-fe
build/oauth
feat/oauth
feature/smtp-oauth2-support
feat/human-input
build/plugin-auto-upgrade
test/performance
feat/tool-plugin-oauth
feat/tool-oauth
feat/email-update-frontend
temp-feat-owner-transfer-enterprise-frontend
feat/ownership-transfer-frontend
release/e-3.0.2
feat/plugin-auto-upgrade-fe
refactor/tanstack-form
chore/offline-the-sys-files
feat/rag-pipeline
feat/r2
release/e-3.2.0
wtw/rag-pipeline
feat/add-retrival-field-in-dataset
feat/datasource
e-260
revert-20786-fix/add_postgres_user
feat/webapp-verified-sso-main
fix/app-not-published-error
feat/webapp-verified-sso-260
release/0.15-support
fix/20421
v141-hotfix
fix/20326-tool-invoke-error-instance-account
fix/19933-account-object-has-no-attribute-_current_tenant-when-workflow-uses-workflow-as-tool-node
hotfix/0519
fix/e-legacy-clean-up
QuantumGhost-patch-1
fix/admin-permission
fix/e-admin-permission
feat/model-memory
feat/webapp-auth-api
1.0.0-fix
revert-17133-fix/i16990-text-to-language-settings
e-0156
release/1.1.3-fix1
hotfix/translation-fix
fix/slider-style-error
e-0154
release/0.15.6-alpha-1
cohere/cleanup-free-tenants-logs
release/1.0.1-fix1
release/1.0.0-fix1
chore/auto-dify
fix/rag-infinity-spaces-loop
fix/dataset-admin
fix/expose-debugging-port
dev/plugin-deploy
fix/tool-info
fix/aws-s3-r2-compatible
feat/knowledge-metabase
fix/fail-branch-stream-output-error
release/0.15.3-fix1
feat/14009-feature-request-support-for-retrieving-historical-conversations-without-from-enduser-id
fix/build-error
chore/infrastructure-upgrade
feat/upgrade-unstructured-version-10.2
feat/classnames-sort
feat/upgrade-unstructured-version
fix/version-check
fix/handle-agent-none-value
fix/agent-params-pasring
fix/agent-parallel
feat/knowledge-dark-mode
feat/custom-tool-input
release/0.15.2-fix1
0.15.1-admin-apis
feat/support-docx-image-view
chore/upgrade-next
hotfix/get-property-of-string-type-cause-page-crash
feat/agent-stream-output
feat/workflow-node-dark-mode
fix/not-show-strategy-type
fix/switch-strategy-clean-param
fix/chore-fix
opik-monitoring
provider-gpustack
feat/mecab-japanese-keywords
feat/retry-single-step-debug
revert-12086-feat/parent-child-retrieval
fix/remove-the-retry-index-field
fix/11839
feat/node-execution-retry
feat/support-extractor-tools-update-wip
feat/update-tidb-batchget-endpoint
fix/iteration-thread-pool-error
feat/support-multi-token-count
feat/parent-child-retrieval-api
fix/app-icon-is-missing
feat/support-extractor-tools-update
test/disable_site
build/add-dependabot
feat/support-extractor-tools
fix/docx-extract-image-ssrf
fix/redis-slow-in-gevent
fix/9772-internal-server-error-when-custom-disclaimer-longer-than-64-characters
alert-autofix-89
build/eslint-react-refresh-plugin
build/switch-to-pnpm
revert-9424-feat/update-dataset-clean-rule
fix/external-knowledge-retrieval-issues
feat/login-type-coontrol
feat/external-knowledge-api
feat/rag-external-knowledge-with-api
feat/external-knowledge
fix/notion-table-extract
fix/retrieval-test
fix/tooltip
feat/workflow-add-block-shortcut
feat/update-docs
fix/note-node-zoom-issue
fix/model-runtime-quato-issue
fix/db-lock-timeout
feat/new-tooltip
feat/web-app-sso
chore/optimize-app-workflow-deletion-slow-sql
fix/trace_app_config_app_id_idx
fix/extra-table-tracing-app-config
feat/update-beat-job-time-to-env
fix/index-estimate-error
chore/enterprise-license-status
fix/remove-tsne_position
feat/2p
feat/aws-iam-auth-check
feat/add-flashrank
feat/support-milvus-2.4
feat/add-resource-from-tools
bai
1.7.0
1.6.0
1.5.1
1.5.0
0.15.8
1.3.1
0.15.7
1.3.0
0.15.6
1.2.0
0.15.6-alpha.1
1.1.3
0.15.5
0.10.2-fix1
0.10.0
0.10.0-beta1
0.10.0-beta2
0.10.0-beta3
0.10.1
0.10.2
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.13.0
0.13.1
0.13.2
0.14.0
0.14.1
0.14.2
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.2.1
0.2.2
0.3.0
0.3.1
0.3.10
0.3.11
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.3.17
0.3.18
0.3.19
0.3.2
0.3.20
0.3.21
0.3.22
0.3.23
0.3.24
0.3.25
0.3.26
0.3.27
0.3.28
0.3.29
0.3.3
0.3.30
0.3.31
0.3.31-fix1
0.3.31-fix2
0.3.31-fix3
0.3.32
0.3.33
0.3.34
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.5.0
0.5.1
0.5.10
0.5.11
0.5.11-fix1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.5.9
0.6.0
0.6.0-fix1
0.6.0-preview-workflow.1
0.6.0-preview-workflow.2
0.6.1
0.6.10
0.6.11
0.6.12
0.6.12-fix1
0.6.13
0.6.14
0.6.15
0.6.16
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.0-beta1
0.8.1
0.8.2
0.8.3
0.9.0
0.9.1
0.9.1-fix1
0.9.2
1.0.0
1.0.0-beta.1
1.0.1
1.1.0
1.1.1
1.1.2
1.4.0
1.4.1
1.4.2
1.4.3
v0.8.3-fix1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '59d2a8a208'
${ noResults }
gcgj-dify-1.7.0/api/services/mfa_service.py

209 lines
7.1 KiB
Python
Raw Blame History

import base64
import io
import json
import secrets
from datetime import UTC, datetime
import pyotp
import qrcode
from models.account import Account, AccountMFASettings
from models.engine import db
class MFAService:
@staticmethod
def generate_secret() -> str:
"""Generate a new TOTP secret for the user."""
return pyotp.random_base32()
@staticmethod
def generate_backup_codes(count: int = 8) -> list[str]:
"""Generate backup codes for account recovery."""
codes = []
for _ in range(count):
code = secrets.token_hex(4).upper()
codes.append(code)
return codes
@staticmethod
def generate_qr_code(account: Account, secret: str) -> str:
"""Generate QR code for TOTP setup."""
totp = pyotp.TOTP(secret)
provisioning_uri = totp.provisioning_uri(name=account.email, issuer_name="Dify")
# Generate QR code
qr = qrcode.QRCode(
version=1,
error_correction=qrcode.constants.ERROR_CORRECT_L,
box_size=10,
border=4,
)
qr.add_data(provisioning_uri)
qr.make(fit=True)
# Create image
img = qr.make_image(fill_color="black", back_color="white")
# Convert to base64
buffer = io.BytesIO()
img.save(buffer)
img_str = base64.b64encode(buffer.getvalue()).decode()
return f"data:image/png;base64,{img_str}"
@staticmethod
def verify_totp(secret: str, token: str) -> bool:
"""Verify TOTP token."""
if not secret:
return False
try:
totp = pyotp.TOTP(secret)
return totp.verify(token, valid_window=1)
except Exception as e:
print(f"[MFA DEBUG] verify_totp error: {type(e).__name__}: {str(e)}")
return False
@staticmethod
def get_or_create_mfa_settings(account: Account) -> AccountMFASettings:
"""Get or create MFA settings for account."""
mfa_settings = db.session.query(AccountMFASettings).filter_by(account_id=account.id).first()
if not mfa_settings:
mfa_settings = AccountMFASettings(account_id=account.id)
db.session.add(mfa_settings)
db.session.commit()
return mfa_settings
@staticmethod
def verify_backup_code(mfa_settings: AccountMFASettings, code: str) -> bool:
"""Verify and consume backup code."""
if not mfa_settings.backup_codes:
return False
try:
backup_codes = json.loads(mfa_settings.backup_codes)
if code.upper() in backup_codes:
# Remove used backup code
backup_codes.remove(code.upper())
mfa_settings.backup_codes = json.dumps(backup_codes)
db.session.commit()
return True
except json.JSONDecodeError:
pass
return False
@staticmethod
def setup_mfa(account: Account, totp_token: str) -> dict:
"""Setup MFA for account with TOTP verification."""
mfa_settings = MFAService.get_or_create_mfa_settings(account)
if mfa_settings.enabled:
raise ValueError("MFA is already enabled for this account")
if not mfa_settings.secret:
raise ValueError("MFA secret not generated")
# Verify TOTP token
if not MFAService.verify_totp(mfa_settings.secret, totp_token):
raise ValueError("Invalid TOTP token")
# Generate backup codes
backup_codes = MFAService.generate_backup_codes()
# Enable MFA
mfa_settings.enabled = True
mfa_settings.backup_codes = json.dumps(backup_codes)
mfa_settings.setup_at = datetime.now(UTC)
db.session.commit()
return {"backup_codes": backup_codes, "setup_at": mfa_settings.setup_at}
@staticmethod
def disable_mfa(account: Account, password: str) -> bool:
"""Disable MFA for account after password verification."""
from libs.password import compare_password
# Verify password
if account.password is None or not compare_password(password, account.password, account.password_salt):
return False
mfa_settings = db.session.query(AccountMFASettings).filter_by(account_id=account.id).first()
if not mfa_settings:
return True # Already disabled
# Disable MFA
mfa_settings.enabled = False
mfa_settings.secret = None
mfa_settings.backup_codes = None
mfa_settings.setup_at = None
db.session.commit()
return True
@staticmethod
def generate_mfa_setup_data(account: Account) -> dict:
"""Generate MFA setup data including secret and QR code."""
mfa_settings = MFAService.get_or_create_mfa_settings(account)
if mfa_settings.enabled:
raise ValueError("MFA is already enabled for this account")
# Generate new secret
secret = MFAService.generate_secret()
mfa_settings.secret = secret
db.session.commit()
# Generate QR code
qr_code = MFAService.generate_qr_code(account, secret)
return {"secret": secret, "qr_code": qr_code}
@staticmethod
def is_mfa_required(account: Account) -> bool:
"""Check if MFA is required for this account."""
mfa_settings = db.session.query(AccountMFASettings).filter_by(account_id=account.id).first()
return bool(mfa_settings and mfa_settings.enabled and mfa_settings.secret is not None)
@staticmethod
def authenticate_with_mfa(account: Account, token: str) -> bool:
"""Authenticate user with MFA token (TOTP or backup code)."""
print(f"[MFA DEBUG] authenticate_with_mfa called with token: {token}")
mfa_settings = db.session.query(AccountMFASettings).filter_by(account_id=account.id).first()
if not mfa_settings or not mfa_settings.enabled:
print("[MFA DEBUG] MFA not enabled, returning True")
return True
print(f"[MFA DEBUG] MFA enabled, secret: {mfa_settings.secret[:10]}...")
# Try TOTP first
print("[MFA DEBUG] Trying TOTP verification")
if MFAService.verify_totp(mfa_settings.secret, token):
print("[MFA DEBUG] TOTP verification successful")
return True
# Try backup code
print("[MFA DEBUG] Trying backup code verification")
if MFAService.verify_backup_code(mfa_settings, token):
print("[MFA DEBUG] Backup code verification successful")
return True
print("[MFA DEBUG] All verifications failed")
return False
@staticmethod
def get_mfa_status(account: Account) -> dict:
"""Get MFA status for account."""
mfa_settings = db.session.query(AccountMFASettings).filter_by(account_id=account.id).first()
if not mfa_settings:
return {"enabled": False, "setup_at": None, "has_backup_codes": False}
return {
"enabled": mfa_settings.enabled,
"setup_at": mfa_settings.setup_at.isoformat() if mfa_settings.setup_at else None,
"has_backup_codes": mfa_settings.backup_codes is not None,
}
Reference in New Issue View Git Blame Copy Permalink