fix: team token auth (#6734)

* fix: team token auth * fix: Authentication escape * fix: cr * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * .claude doc --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-05-06 01:02:54 +08:00 · 2026-04-09 18:55:10 +08:00
parent e3b5b3788f
commit cd75ee160e
23 changed files with 190 additions and 90 deletions
@@ -24,7 +24,7 @@ async function handler(
    appId,
    per: WritePermissionVal
  });
-  const result = await MongoAppVersion.findById(versionId).lean();
+  const result = await MongoAppVersion.findOne({ _id: versionId, appId }).lean();

  if (!result) {
    return Promise.reject('version not found');
@@ -14,12 +14,7 @@ async function handler(req: ApiRequestProps<UpdateAppVersionBody>) {
  const { appId, versionId, versionName } = req.body;
  await authApp({ appId, req, per: WritePermissionVal, authToken: true });

-  await MongoAppVersion.findByIdAndUpdate(
-    { _id: versionId },
-    {
-      versionName
-    }
-  );
+  await MongoAppVersion.updateOne({ _id: versionId, appId }, { $set: { versionName } });

  return {};
 }
@@ -13,6 +13,7 @@ import {
 import { parsePaginationRequest } from '@fastgpt/service/common/api/pagination';
 import { addMonths } from 'date-fns';
 import { ObjectIdSchema } from '@fastgpt/global/common/type/mongo';
+import { MongoApp } from '@fastgpt/service/core/app/schema';

 /* get chat histories list */
 export async function handler(
@@ -46,7 +47,19 @@ export async function handler(
      };
    }
    if (appId && teamId && teamToken) {
-      const { uid } = await authTeamSpaceToken({ teamId, teamToken });
+      const { uid, tags } = await authTeamSpaceToken({ teamId, teamToken });
+
+      const app = await MongoApp.findOne({
+        _id: appId,
+        teamId,
+        $or: [
+          { teamTags: { $size: 0 } },
+          { teamTags: { $exists: false } },
+          { teamTags: { $in: tags } }
+        ]
+      }).lean();
+      if (!app) return undefined;
+
      return {
        appId,
        outLinkUid: uid,
@@ -22,23 +22,32 @@ async function handler(req: ApiRequestProps<InitTeamChatProps>, res: NextApiResp
    return Promise.reject('teamId, appId, teamToken are required');
  }

-  const { uid } = await authTeamSpaceToken({
+  const { uid, tags } = await authTeamSpaceToken({
    teamId,
    teamToken
  });

-  const [team, chat, app] = await Promise.all([
+  const [team, app] = await Promise.all([
    MongoTeam.findById(teamId, 'name avatar').lean(),
-    MongoChat.findOne({ appId, chatId }).lean(),
-    MongoApp.findById(appId).lean()
+    MongoApp.findOne({
+      _id: appId,
+      teamId,
+      $or: [
+        { teamTags: { $size: 0 } },
+        { teamTags: { $exists: false } },
+        { teamTags: { $in: tags } }
+      ]
+    }).lean()
  ]);

  if (!app) {
    return Promise.reject(AppErrEnum.unExist);
  }

+  const chat = chatId ? await MongoChat.findOne({ appId, chatId }).lean() : null;
+
  // auth chat permission
-  if (chat && chat.outLinkUid !== uid) {
+  if (chat && (String(chat.teamId) !== teamId || chat.outLinkUid !== uid)) {
    return Promise.reject(ChatErrEnum.unAuthChat);
  }

@@ -602,17 +602,21 @@ const authTeamSpaceChat = async ({
  teamToken: string;
  chatId?: string;
 }): Promise<AuthResponseType> => {
-  const { uid } = await authTeamSpaceToken({
+  const { uid, tags } = await authTeamSpaceToken({
    teamId,
    teamToken
  });

-  const app = await MongoApp.findById(appId).lean();
+  const app = await MongoApp.findOne({
+    _id: appId,
+    teamId,
+    $or: [{ teamTags: { $size: 0 } }, { teamTags: { $exists: false } }, { teamTags: { $in: tags } }]
+  }).lean();
  if (!app) {
-    return Promise.reject('app is empty');
+    return Promise.reject(ChatErrEnum.unAuthChat);
  }

-  const chat = await MongoChat.findOne({ appId, chatId }).lean();
+  const chat = chatId ? await MongoChat.findOne({ appId, chatId }).lean() : null;

  if (chat && (String(chat.teamId) !== teamId || chat.outLinkUid !== uid)) {
    return Promise.reject(ChatErrEnum.unAuthChat);
@@ -660,7 +664,7 @@ const authHeaderRequest = async ({
          'Key is error. You need to use the app key rather than the account key.'
        );
      }
-      const app = await MongoApp.findById(currentAppId);
+      const app = await MongoApp.findOne({ _id: currentAppId, teamId });

      if (!app) {
        return Promise.reject('app is empty');
@@ -575,17 +575,21 @@ const authTeamSpaceChat = async ({
  teamToken: string;
  chatId?: string;
 }): Promise<AuthResponseType> => {
-  const { uid } = await authTeamSpaceToken({
+  const { uid, tags } = await authTeamSpaceToken({
    teamId,
    teamToken
  });

-  const app = await MongoApp.findById(appId).lean();
+  const app = await MongoApp.findOne({
+    _id: appId,
+    teamId,
+    $or: [{ teamTags: { $size: 0 } }, { teamTags: { $exists: false } }, { teamTags: { $in: tags } }]
+  }).lean();
  if (!app) {
-    return Promise.reject('app is empty');
+    return Promise.reject(ChatErrEnum.unAuthChat);
  }

-  const chat = await MongoChat.findOne({ appId, chatId }).lean();
+  const chat = chatId ? await MongoChat.findOne({ appId, chatId }).lean() : null;

  if (chat && (String(chat.teamId) !== teamId || chat.outLinkUid !== uid)) {
    return Promise.reject(ChatErrEnum.unAuthChat);
@@ -632,7 +636,7 @@ const authHeaderRequest = async ({
          'Key is error. You need to use the app key rather than the account key.'
        );
      }
-      const app = await MongoApp.findById(currentAppId);
+      const app = await MongoApp.findOne({ _id: currentAppId, teamId });

      if (!app) {
        return Promise.reject('app is empty');
@@ -14,6 +14,7 @@ import { ChatRoleEnum } from '@fastgpt/global/core/chat/constants';
 import type { HelperBotTypeEnum } from '@fastgpt/global/core/chat/helperBot/type';
 import { MongoHelperBotChat } from '@fastgpt/service/core/chat/HelperBot/chatSchema';
 import { authCert } from '@fastgpt/service/support/permission/auth/common';
+import { MongoApp } from '@fastgpt/service/core/app/schema';

 /* 
  检查chat的权限：
@@ -69,7 +70,28 @@ export async function authChatCrud({
  if (!appId) return Promise.reject(ChatErrEnum.unAuthChat);

  if (spaceTeamId && teamToken) {
-    const { uid, tmbId } = await authTeamSpaceToken({ teamId: spaceTeamId, teamToken });
+    const { uid, tmbId, tags } = await authTeamSpaceToken({
+      teamId: spaceTeamId,
+      teamToken
+    });
+
+    // Verify app belongs to the authenticated team and tag-based access
+    const app = await MongoApp.findOne(
+      {
+        _id: appId,
+        teamId: spaceTeamId,
+        $or: [
+          { teamTags: { $size: 0 } },
+          { teamTags: { $exists: false } },
+          { teamTags: { $in: tags } }
+        ]
+      },
+      'teamId'
+    ).lean();
+    if (!app) {
+      return Promise.reject(ChatErrEnum.unAuthChat);
+    }
+
    if (!chatId) {
      return {
        teamId: spaceTeamId,
@@ -91,7 +113,8 @@ export async function authChatCrud({
      };
    }

-    if (chat.outLinkUid !== uid) return Promise.reject(ChatErrEnum.unAuthChat);
+    if (String(chat.teamId) !== spaceTeamId || chat.outLinkUid !== uid)
+      return Promise.reject(ChatErrEnum.unAuthChat);

    return {
      teamId: spaceTeamId,
@@ -16,14 +16,15 @@ export async function authTeamSpaceToken({
  teamId: string;
  teamToken: string;
 }) {
-  // get outLink and app
-  const [{ uid }, member] = await Promise.all([
+  // authenticate the team token, get uid/tags, and load the owner member
+  const [{ uid, tags }, member] = await Promise.all([
    authTeamTagToken({ teamId, teamToken }),
    MongoTeamMember.findOne({ teamId, role: TeamMemberRoleEnum.owner }, 'tmbId').lean()
  ]);

  return {
    uid,
-    tmbId: member?._id!
+    tmbId: member?._id!,
+    tags
  };
 }
@@ -9,6 +9,7 @@ import { DatasetErrEnum } from '@fastgpt/global/common/error/code/dataset';
 import { authApp } from '@fastgpt/service/support/permission/app/auth';
 import { authOutLink } from '@/service/support/permission/auth/outLink';
 import { authTeamSpaceToken } from '@/service/support/permission/auth/team';
+import { MongoApp } from '@fastgpt/service/core/app/schema';
 import type { ChatHistoryItemResType } from '@fastgpt/global/core/chat/type';
 import { getFlatAppResponses } from '@fastgpt/global/core/chat/utils';
 import { FlowNodeTypeEnum } from '@fastgpt/global/core/workflow/node/constant';
@@ -35,6 +36,16 @@ vi.mock('@fastgpt/service/core/chat/chatItemResponseSchema', () => ({
  }
 }));

+vi.mock('@fastgpt/service/core/app/schema', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('@fastgpt/service/core/app/schema')>();
+  return {
+    ...actual,
+    MongoApp: {
+      findOne: vi.fn()
+    }
+  };
+});
+
 vi.mock('@fastgpt/service/support/permission/app/auth');
 vi.mock('@/service/support/permission/auth/outLink');
 vi.mock('@/service/support/permission/auth/team');
@@ -118,8 +129,12 @@ describe('authChatCrud', () => {
    it('should auth with teamId and teamToken without chatId', async () => {
      vi.mocked(authTeamSpaceToken).mockResolvedValue({
        uid: 'user1',
-        tmbId: 'tmb1'
+        tmbId: 'tmb1',
+        tags: ['tag1']
      });
+      vi.mocked(MongoApp.findOne).mockReturnValue({
+        lean: () => Promise.resolve({ _id: 'app1', teamId: 'team1' })
+      } as any);

      const result = await authChatCrud({
        appId: 'app1',
@@ -142,6 +157,27 @@ describe('authChatCrud', () => {
      });
    });

+    it('should reject if app does not belong to team or tags mismatch', async () => {
+      vi.mocked(authTeamSpaceToken).mockResolvedValue({
+        uid: 'user1',
+        tmbId: 'tmb1',
+        tags: ['tag1']
+      });
+      vi.mocked(MongoApp.findOne).mockReturnValue({
+        lean: () => Promise.resolve(null)
+      } as any);
+
+      await expect(
+        authChatCrud({
+          appId: 'app1',
+          teamId: 'team1',
+          teamToken: 'token1',
+          req: {} as any,
+          authToken: true
+        })
+      ).rejects.toBe(ChatErrEnum.unAuthChat);
+    });
+
    it('should auth with teamId and teamToken with valid chatId', async () => {
      const mockChat = {
        appId: 'app1',
@@ -151,8 +187,12 @@ describe('authChatCrud', () => {

      vi.mocked(authTeamSpaceToken).mockResolvedValue({
        uid: 'user1',
-        tmbId: 'tmb1'
+        tmbId: 'tmb1',
+        tags: ['tag1']
      });
+      vi.mocked(MongoApp.findOne).mockReturnValue({
+        lean: () => Promise.resolve({ _id: 'app1', teamId: 'team1' })
+      } as any);
      vi.mocked(MongoChat.findOne).mockReturnValue({
        lean: () => Promise.resolve(mockChat)
      } as any);
@@ -183,8 +223,12 @@ describe('authChatCrud', () => {
    it('should handle missing chat for teamDomain auth', async () => {
      vi.mocked(authTeamSpaceToken).mockResolvedValue({
        uid: 'user1',
-        tmbId: 'tmb1'
+        tmbId: 'tmb1',
+        tags: ['tag1']
      });
+      vi.mocked(MongoApp.findOne).mockReturnValue({
+        lean: () => Promise.resolve({ _id: 'app1', teamId: 'team1' })
+      } as any);
      vi.mocked(MongoChat.findOne).mockReturnValue({
        lean: () => Promise.resolve(null)
      } as any);
@@ -220,8 +264,12 @@ describe('authChatCrud', () => {

      vi.mocked(authTeamSpaceToken).mockResolvedValue({
        uid: 'user1',
-        tmbId: 'tmb1'
+        tmbId: 'tmb1',
+        tags: ['tag1']
      });
+      vi.mocked(MongoApp.findOne).mockReturnValue({
+        lean: () => Promise.resolve({ _id: 'app1', teamId: 'team1' })
+      } as any);
      vi.mocked(MongoChat.findOne).mockReturnValue({
        lean: () => Promise.resolve(mockChat)
      } as any);