V4.12.4 features (#5626)

* fix: push again, user select option button and form input radio content overflow (#5601) * fix: push again, user select option button and form input radio content overflow * fix: use useCallback instead of useMemo, fix unnecessary delete * fix: Move the variable inside the component * fix: do not pass valueLabel to MySelect * ui * del collection api adapt * refactor: inherit permission (#5529) * refactor: permission update conflict check function * refactor(permission): app collaborator update api * refactor(permission): support app update collaborator * feat: support fe permission conflict check * refactor(permission): app permission * refactor(permission): dataset permission * refactor(permission): team permission * chore: fe adjust * fix: type error * fix: audit pagiation * fix: tc * chore: initv4130 * fix: app/dataset auth logic * chore: move code * refactor(permission): remove selfPermission * fix: mock * fix: test * fix: app & dataset auth * fix: inherit * test(inheritPermission): test syncChildrenPermission * prompt editor add list plugin (#5620) * perf: search result (#5608) * fix: table size (#5598) * temp: list value * backspace * optimize code --------- Co-authored-by: Archer <545436317@qq.com> Co-authored-by: 伍闲犬 <whoeverimf5@gmail.com> * fix: fe & member list (#5619) * chore: initv4130 * fix: MemberItemCard * fix: MemberItemCard * chore: fe adjust & init script * perf: test code * doc * fix debug variables (#5617) * perf: search result (#5608) * fix: table size (#5598) * fix debug variables * fix --------- Co-authored-by: Archer <545436317@qq.com> Co-authored-by: 伍闲犬 <whoeverimf5@gmail.com> * perf: member ui * fix: inherit bug (#5624) * refactor(permission): remove getClbsWithInfo, which is useless * fix: app list privateApp * fix: get infos * perf(fe): remove delete icon when it is disable in MemberItemCard * fix: dataset private dataset * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Archer <545436317@qq.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * perf: auto coupon * chore: upgrade script & get infos avatar (#5625) * fix: get infos * chore: initv4130 * feat: support WecomRobot publish, and fix AesKey can not save bug (#5526) * feat: resolve conflicts * fix: add param 'show_publish_wecom' * feat: abstract out WecomCrypto type * doc: wecom robot document * fix: solve instability in AI output * doc: update some pictures * feat: remove functions from request.ts to chat.ts and toolCall.ts * doc: wecom robot doc update * fix * delete unused code * doc: update version and prompt * feat: remove wecom crypto, delete wecom code in workflow * feat: delete unused codes --------- Co-authored-by: heheer <zhiyu44@qq.com> * remove test * rename init shell * feat: collection page store * reload sandbox * pysandbox * remove log * chore: remove useless code (#5629) * chore: remove useless code * fix: checkConflict * perf: support hidden type for RoleList * fix: copy node * update doc * fix(permission): some bug (#5632) * fix: app/dataset list * fix: inherit bug * perf: del app;i18n;save chat * fix: test * i18n * fix: sumper overflow return OwnerRoleVal (#5633) * remove invalid code * fix: scroll * fix: objectId * update next * update package * object id * mock redis * feat: add redis append to resolve wecom stream response (#5643) * feat: resolve conflicts * fix: add param 'show_publish_wecom' * feat: abstract out WecomCrypto type * doc: wecom robot document * fix: solve instability in AI output * doc: update some pictures * feat: remove functions from request.ts to chat.ts and toolCall.ts * doc: wecom robot doc update * fix * delete unused code * doc: update version and prompt * feat: remove wecom crypto, delete wecom code in workflow * feat: delete unused codes * feat: add redis append method --------- Co-authored-by: heheer <zhiyu44@qq.com> * cache per * fix(test): init team sub when creating mocked user (#5646) * fix: button is not vertically centered (#5647) * doc * fix: gridFs objectId (#5649) --------- Co-authored-by: Zeng Qingwen <143274079+fishwww-ww@users.noreply.github.com> Co-authored-by: Finley Ge <32237950+FinleyGe@users.noreply.github.com> Co-authored-by: heheer <heheer@sealos.io> Co-authored-by: 伍闲犬 <whoeverimf5@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: heheer <zhiyu44@qq.com>
2025-10-17 08:37:59 +00:00 · 2025-09-15 20:02:54 +08:00
parent c8934e3d22
commit 2ed1545eb5
187 changed files with 3701 additions and 2221 deletions
--- a/packages/service/support/permission/auth/common.ts
+++ b/packages/service/support/permission/auth/common.ts
@@ -1,7 +1,13 @@
-import { parseHeaderCert } from '../controller';
+import type { ReqHeaderAuthType } from '../type';
 import { type AuthModeType } from '../type';
 import { SERVICE_LOCAL_HOST } from '../../../common/system/tools';
 import { type ApiRequestProps } from '../../../type/next';
+import type { NextApiResponse } from 'next';
+import Cookie from 'cookie';
+import { ERROR_ENUM } from '@fastgpt/global/common/error/errorCode';
+import { authUserSession } from '../../../support/user/session';
+import { authOpenApiKey } from '../../../support/openapi/auth';
+import { AuthUserTypeEnum } from '@fastgpt/global/support/permission/constant';

 export const authCert = async (props: AuthModeType) => {
  const result = await parseHeaderCert(props);
@@ -19,3 +25,149 @@ export const authRequestFromLocal = ({ req }: { req: ApiRequestProps }) => {
    return Promise.reject('Invalid request');
  }
 };
+
+export async function parseHeaderCert({
+  req,
+  authToken = false,
+  authRoot = false,
+  authApiKey = false
+}: AuthModeType) {
+  // parse jwt
+  async function authCookieToken(cookie?: string, token?: string) {
+    // 获取 cookie
+    const cookies = Cookie.parse(cookie || '');
+    const cookieToken = token || cookies[TokenName];
+
+    if (!cookieToken) {
+      return Promise.reject(ERROR_ENUM.unAuthorization);
+    }
+
+    return { ...(await authUserSession(cookieToken)), sessionId: cookieToken };
+  }
+  // from authorization get apikey
+  async function parseAuthorization(authorization?: string) {
+    if (!authorization) {
+      return Promise.reject(ERROR_ENUM.unAuthorization);
+    }
+
+    // Bearer fastgpt-xxxx-appId
+    const auth = authorization.split(' ')[1];
+    if (!auth) {
+      return Promise.reject(ERROR_ENUM.unAuthorization);
+    }
+
+    const { apikey, appId: authorizationAppid = '' } = await (async () => {
+      const arr = auth.split('-');
+      // abandon
+      if (arr.length === 3) {
+        return {
+          apikey: `${arr[0]}-${arr[1]}`,
+          appId: arr[2]
+        };
+      }
+      if (arr.length === 2) {
+        return {
+          apikey: auth
+        };
+      }
+      return Promise.reject(ERROR_ENUM.unAuthorization);
+    })();
+
+    // auth apikey
+    const { teamId, tmbId, appId: apiKeyAppId = '', sourceName } = await authOpenApiKey({ apikey });
+
+    return {
+      uid: '',
+      teamId,
+      tmbId,
+      apikey,
+      appId: apiKeyAppId || authorizationAppid,
+      sourceName
+    };
+  }
+  // root user
+  async function parseRootKey(rootKey?: string) {
+    if (!rootKey || !process.env.ROOT_KEY || rootKey !== process.env.ROOT_KEY) {
+      return Promise.reject(ERROR_ENUM.unAuthorization);
+    }
+  }
+
+  const { cookie, token, rootkey, authorization } = (req.headers || {}) as ReqHeaderAuthType;
+
+  const { uid, teamId, tmbId, appId, openApiKey, authType, isRoot, sourceName, sessionId } =
+    await (async () => {
+      if (authApiKey && authorization) {
+        // apikey from authorization
+        const authResponse = await parseAuthorization(authorization);
+        return {
+          uid: authResponse.uid,
+          teamId: authResponse.teamId,
+          tmbId: authResponse.tmbId,
+          appId: authResponse.appId,
+          openApiKey: authResponse.apikey,
+          authType: AuthUserTypeEnum.apikey,
+          sourceName: authResponse.sourceName
+        };
+      }
+      if (authToken && (token || cookie)) {
+        // user token(from fastgpt web)
+        const res = await authCookieToken(cookie, token);
+
+        return {
+          uid: res.userId,
+          teamId: res.teamId,
+          tmbId: res.tmbId,
+          appId: '',
+          openApiKey: '',
+          authType: AuthUserTypeEnum.token,
+          isRoot: res.isRoot,
+          sessionId: res.sessionId
+        };
+      }
+      if (authRoot && rootkey) {
+        await parseRootKey(rootkey);
+        // root user
+        return {
+          uid: '',
+          teamId: '',
+          tmbId: '',
+          appId: '',
+          openApiKey: '',
+          authType: AuthUserTypeEnum.root,
+          isRoot: true
+        };
+      }
+
+      return Promise.reject(ERROR_ENUM.unAuthorization);
+    })();
+
+  if (!authRoot && (!teamId || !tmbId)) {
+    return Promise.reject(ERROR_ENUM.unAuthorization);
+  }
+
+  return {
+    userId: String(uid),
+    teamId: String(teamId),
+    tmbId: String(tmbId),
+    appId,
+    authType,
+    sourceName,
+    apikey: openApiKey,
+    isRoot: !!isRoot,
+    sessionId
+  };
+}
+
+/* set cookie */
+export const TokenName = 'fastgpt_token';
+export const setCookie = (res: NextApiResponse, token: string) => {
+  res.setHeader(
+    'Set-Cookie',
+    `${TokenName}=${token}; Path=/; HttpOnly; Max-Age=604800; Samesite=Strict;`
+  );
+};
+
+/* clear cookie */
+export const clearCookie = (res: NextApiResponse) => {
+  res.setHeader('Set-Cookie', `${TokenName}=; Path=/; Max-Age=0`);
+};
--- a/packages/service/support/permission/auth/file.ts
+++ b/packages/service/support/permission/auth/file.ts
@@ -1,11 +1,15 @@
 import { type AuthModeType, type AuthResponseType } from '../type';
 import { type DatasetFileSchema } from '@fastgpt/global/core/dataset/type';
-import { parseHeaderCert } from '../controller';
 import { getFileById } from '../../../common/file/gridfs/controller';
-import { BucketNameEnum } from '@fastgpt/global/common/file/constants';
+import { BucketNameEnum, bucketNameMap } from '@fastgpt/global/common/file/constants';
 import { CommonErrEnum } from '@fastgpt/global/common/error/code/common';
 import { OwnerPermissionVal, ReadRoleVal } from '@fastgpt/global/support/permission/constant';
 import { Permission } from '@fastgpt/global/support/permission/controller';
+import type { FileTokenQuery } from '@fastgpt/global/common/file/type';
+import { addMinutes } from 'date-fns';
+import { parseHeaderCert } from './common';
+import jwt from 'jsonwebtoken';
+import { ERROR_ENUM } from '@fastgpt/global/common/error/errorCode';

 export const authCollectionFile = async ({
  fileId,
@@ -46,3 +50,45 @@ export const authCollectionFile = async ({
    file
  };
 };
+
+/* file permission */
+export const createFileToken = (data: FileTokenQuery) => {
+  if (!process.env.FILE_TOKEN_KEY) {
+    return Promise.reject('System unset FILE_TOKEN_KEY');
+  }
+
+  const expireMinutes =
+    data.customExpireMinutes ?? bucketNameMap[data.bucketName].previewExpireMinutes;
+  const expiredTime = Math.floor(addMinutes(new Date(), expireMinutes).getTime() / 1000);
+
+  const key = (process.env.FILE_TOKEN_KEY as string) ?? 'filetoken';
+  const token = jwt.sign(
+    {
+      ...data,
+      exp: expiredTime
+    },
+    key
+  );
+  return Promise.resolve(token);
+};
+
+export const authFileToken = (token?: string) =>
+  new Promise<FileTokenQuery>((resolve, reject) => {
+    if (!token) {
+      return reject(ERROR_ENUM.unAuthFile);
+    }
+    const key = (process.env.FILE_TOKEN_KEY as string) ?? 'filetoken';
+
+    jwt.verify(token, key, (err, decoded: any) => {
+      if (err || !decoded.bucketName || !decoded?.teamId || !decoded?.fileId) {
+        reject(ERROR_ENUM.unAuthFile);
+        return;
+      }
+      resolve({
+        bucketName: decoded.bucketName,
+        teamId: decoded.teamId,
+        uid: decoded.uid,
+        fileId: decoded.fileId
+      });
+    });
+  });
--- a/packages/service/support/permission/auth/openapi.ts
+++ b/packages/service/support/permission/auth/openapi.ts
@@ -1,11 +1,11 @@
 import { type AuthModeType, type AuthResponseType } from '../type';
 import { type OpenApiSchema } from '@fastgpt/global/support/openapi/type';
-import { parseHeaderCert } from '../controller';
 import { getTmbInfoByTmbId } from '../../user/team/controller';
 import { MongoOpenApi } from '../../openapi/schema';
 import { OpenApiErrEnum } from '@fastgpt/global/common/error/code/openapi';
 import { OwnerPermissionVal } from '@fastgpt/global/support/permission/constant';
 import { authAppByTmbId } from '../app/auth';
+import { parseHeaderCert } from './common';

 export async function authOpenApiKeyCrud({
  id,