mirror of
https://github.com/labring/FastGPT.git
synced 2025-07-24 13:53:50 +00:00
e9d52ada73
* chore(ui): login page & workflow page (#3046) * login page & number input & multirow select & llm select * workflow * adjust nodes * New file upload (#3058) * feat: toolNode aiNode readFileNode adapt new version * update docker-compose * update tip * feat: adapt new file version * perf: file input * fix: ts * feat: add chat history time label (#3024) * feat:add chat and logs time * feat: add chat history time label * code perf * code perf --------- Co-authored-by: 勤劳上班的卑微小张 <jiazhan.zhang@ggimage.com> * add chatType (#3060) * pref: slow query of full text search (#3044) * Adapt findLast api;perf: markdown zh format. (#3066) * perf: context code * fix: adapt findLast api * perf: commercial plugin run error * perf: markdown zh format * perf: dockerfile proxy (#3067) * fix ui (#3065) * fix ui * fix * feat: support array reference multi-select (#3041) * feat: support array reference multi-select * fix build * fix * fix loop multi-select * adjust condition * fix get value * array and non-array conversion * fix plugin input * merge func * feat: iframe code block;perf: workflow selector type (#3076) * feat: iframe code block * perf: workflow selector type * node pluginoutput check (#3074) * feat: View will move when workflow check error;fix: ui refresh error when continuous file upload (#3077) * fix: plugin output check * fix: ui refresh error when continuous file upload * feat: View will move when workflow check error * add dispatch try catch (#3075) * perf: workflow context split (#3083) * perf: workflow context split * perf: context * 4.8.13 test (#3085) * perf: workflow node ui * chat iframe url * feat: support sub route config (#3071) * feat: support sub route config * dockerfile * fix upload * delete unused code * 4.8.13 test (#3087) * fix: image expired * fix: datacard navbar ui * perf: build action * fix: workflow file upload refresh (#3088) * fix: http tool response (#3097) * loop node dynamic height (#3092) * loop node dynamic height * fix * fix * feat: support push chat log (#3093) * feat: custom uid/metadata * to: custom info * fix: chat push latest * feat: add chat log envs * refactor: move timer to pushChatLog * fix: using precise log --------- Co-authored-by: Finley Ge <m13203533462@163.com> * 4.8.13 test (#3098) * perf: loop node refresh * rename context * comment * fix: ts * perf: push chat log * array reference check & node ui (#3100) * feat: loop start add index (#3101) * feat: loop start add index * update doc * 4.8.13 test (#3102) * fix: loop index;edge parent check * perf: reference invalid check * fix: ts * fix: plugin select files and ai response check (#3104) * fix: plugin select files and ai response check * perf: text editor selector;tool call tip;remove invalid image url; * perf: select file * perf: drop files * feat: source id prefix env (#3103) * 4.8.13 test (#3106) * perf: select file * perf: drop files * perf: env template * 4.8.13 test (#3107) * perf: select file * perf: drop files * fix: imple mode adapt files * perf: push chat log (#3109) * fix: share page load title error (#3111) * 4.8.13 perf (#3112) * fix: share page load title error * update file input doc * perf: auto add file urls * perf: auto ser loop node offset height * 4.8.13 test (#3117) * perf: plugin * updat eaction * feat: add more share config (#3120) * feat: add more share config * add i18n en * fix: missing subroute (#3121) * perf: outlink config (#3128) * update action * perf: outlink config * fix: ts (#3129) * 更新 docSite 文档内容 (#3131) * fix: null pointer (#3130) * fix: null pointer * perf: not input text * update doc url * perf: outlink default value (#3134) * update doc (#3136) * 4.8.13 test (#3137) * update doc * perf: completions chat api * Restore docSite content based on upstream/4.8.13-dev (#3138) * Restore docSite content based on upstream/4.8.13-dev * 4813.md缺少更正 * update doc (#3141) --------- Co-authored-by: heheer <heheer@sealos.io> Co-authored-by: papapatrick <109422393+Patrickill@users.noreply.github.com> Co-authored-by: 勤劳上班的卑微小张 <jiazhan.zhang@ggimage.com> Co-authored-by: Finley Ge <32237950+FinleyGe@users.noreply.github.com> Co-authored-by: a.e. <49438478+I-Info@users.noreply.github.com> Co-authored-by: Finley Ge <m13203533462@163.com> Co-authored-by: Jiangween <145003935+Jiangween@users.noreply.github.com>
458 lines
11 KiB
TypeScript
458 lines
11 KiB
TypeScript
import Cookie from 'cookie';
|
|
import { ERROR_ENUM } from '@fastgpt/global/common/error/errorCode';
|
|
import jwt from 'jsonwebtoken';
|
|
import { NextApiResponse } from 'next';
|
|
import type { AuthModeType, ReqHeaderAuthType } from './type.d';
|
|
import { AuthUserTypeEnum, PerResourceTypeEnum } from '@fastgpt/global/support/permission/constant';
|
|
import { authOpenApiKey } from '../openapi/auth';
|
|
import { FileTokenQuery } from '@fastgpt/global/common/file/type';
|
|
import { MongoResourcePermission } from './schema';
|
|
import { ClientSession } from 'mongoose';
|
|
import {
|
|
PermissionValueType,
|
|
ResourcePermissionType,
|
|
ResourcePerWithGroup,
|
|
ResourcePerWithTmbWithUser
|
|
} from '@fastgpt/global/support/permission/type';
|
|
import { bucketNameMap } from '@fastgpt/global/common/file/constants';
|
|
import { addMinutes } from 'date-fns';
|
|
import { getGroupsByTmbId } from './memberGroup/controllers';
|
|
import { Permission } from '@fastgpt/global/support/permission/controller';
|
|
import { ParentIdType } from '@fastgpt/global/common/parentFolder/type';
|
|
import { RequireOnlyOne } from '@fastgpt/global/common/type/utils';
|
|
import { CommonErrEnum } from '@fastgpt/global/common/error/code/common';
|
|
|
|
/** get resource permission for a team member
|
|
* If there is no permission for the team member, it will return undefined
|
|
* @param resourceType: PerResourceTypeEnum
|
|
* @param teamId
|
|
* @param tmbId
|
|
* @param resourceId
|
|
* @returns PermissionValueType | undefined
|
|
*/
|
|
export const getResourcePermission = async ({
|
|
resourceType,
|
|
teamId,
|
|
tmbId,
|
|
resourceId
|
|
}: {
|
|
teamId: string;
|
|
tmbId: string;
|
|
} & (
|
|
| {
|
|
resourceType: 'team';
|
|
resourceId?: undefined;
|
|
}
|
|
| {
|
|
resourceType: Omit<PerResourceTypeEnum, 'team'>;
|
|
resourceId: string;
|
|
}
|
|
)): Promise<PermissionValueType | undefined> => {
|
|
// Personal permission has the highest priority
|
|
const tmbPer = (
|
|
await MongoResourcePermission.findOne(
|
|
{
|
|
resourceType,
|
|
teamId,
|
|
resourceId,
|
|
tmbId
|
|
},
|
|
'permission'
|
|
).lean()
|
|
)?.permission;
|
|
|
|
// could be 0
|
|
if (tmbPer !== undefined) {
|
|
return tmbPer;
|
|
}
|
|
|
|
// If there is no personal permission, get the group permission
|
|
const groupIdList = (await getGroupsByTmbId({ tmbId, teamId })).map((item) => item._id);
|
|
|
|
if (groupIdList.length === 0) {
|
|
return undefined;
|
|
}
|
|
|
|
// get the maximum permission of the group
|
|
const pers = (
|
|
await MongoResourcePermission.find(
|
|
{
|
|
teamId,
|
|
resourceType,
|
|
groupId: {
|
|
$in: groupIdList
|
|
},
|
|
resourceId
|
|
},
|
|
'permission'
|
|
).lean()
|
|
).map((item) => item.permission);
|
|
|
|
const groupPer = getGroupPer(pers);
|
|
|
|
return groupPer;
|
|
};
|
|
|
|
/* 仅取 members 不取 groups */
|
|
export async function getResourceAllClbs({
|
|
resourceId,
|
|
teamId,
|
|
resourceType,
|
|
session
|
|
}: {
|
|
teamId: string;
|
|
session?: ClientSession;
|
|
} & (
|
|
| {
|
|
resourceType: 'team';
|
|
resourceId?: undefined;
|
|
}
|
|
| {
|
|
resourceType: Omit<PerResourceTypeEnum, 'team'>;
|
|
resourceId?: string | null;
|
|
}
|
|
)): Promise<ResourcePermissionType[]> {
|
|
return MongoResourcePermission.find(
|
|
{
|
|
resourceType: resourceType,
|
|
teamId: teamId,
|
|
resourceId,
|
|
groupId: {
|
|
$exists: false
|
|
}
|
|
},
|
|
null,
|
|
{
|
|
session
|
|
}
|
|
).lean();
|
|
}
|
|
|
|
export async function getResourceClbsAndGroups({
|
|
resourceId,
|
|
resourceType,
|
|
teamId,
|
|
session
|
|
}: {
|
|
resourceId: ParentIdType;
|
|
resourceType: Omit<`${PerResourceTypeEnum}`, 'team'>;
|
|
teamId: string;
|
|
session: ClientSession;
|
|
}) {
|
|
return MongoResourcePermission.find(
|
|
{
|
|
resourceId,
|
|
resourceType,
|
|
teamId
|
|
},
|
|
undefined,
|
|
{ session }
|
|
).lean();
|
|
}
|
|
|
|
export const getClbsAndGroupsWithInfo = async ({
|
|
resourceId,
|
|
resourceType,
|
|
teamId
|
|
}: {
|
|
resourceId: ParentIdType;
|
|
resourceType: Omit<`${PerResourceTypeEnum}`, 'team'>;
|
|
teamId: string;
|
|
}) =>
|
|
Promise.all([
|
|
(await MongoResourcePermission.find({
|
|
teamId,
|
|
resourceId,
|
|
resourceType,
|
|
tmbId: {
|
|
$exists: true
|
|
}
|
|
}).populate({
|
|
path: 'tmbId',
|
|
select: 'name userId',
|
|
populate: {
|
|
path: 'userId',
|
|
select: 'avatar'
|
|
}
|
|
})) as ResourcePerWithTmbWithUser[],
|
|
(await MongoResourcePermission.find({
|
|
teamId,
|
|
resourceId,
|
|
resourceType,
|
|
groupId: {
|
|
$exists: true
|
|
}
|
|
}).populate({
|
|
path: 'groupId',
|
|
select: 'name avatar'
|
|
})) as ResourcePerWithGroup[]
|
|
]);
|
|
|
|
export const delResourcePermissionById = (id: string) => {
|
|
return MongoResourcePermission.findByIdAndRemove(id);
|
|
};
|
|
export const delResourcePermission = ({
|
|
session,
|
|
tmbId,
|
|
groupId,
|
|
...props
|
|
}: {
|
|
resourceType: PerResourceTypeEnum;
|
|
teamId: string;
|
|
resourceId: string;
|
|
session?: ClientSession;
|
|
tmbId?: string;
|
|
groupId?: string;
|
|
}) => {
|
|
// tmbId or groupId only one and not both
|
|
if (!!tmbId === !!groupId) {
|
|
return Promise.reject(CommonErrEnum.missingParams);
|
|
}
|
|
return MongoResourcePermission.deleteOne(
|
|
{
|
|
...(tmbId ? { tmbId } : {}),
|
|
...(groupId ? { groupId } : {}),
|
|
...props
|
|
},
|
|
{ session }
|
|
);
|
|
};
|
|
|
|
/* 下面代码等迁移 */
|
|
/* create token */
|
|
export function createJWT(user: {
|
|
_id?: string;
|
|
team?: { teamId?: string; tmbId: string };
|
|
isRoot?: boolean;
|
|
}) {
|
|
const key = process.env.TOKEN_KEY as string;
|
|
const token = jwt.sign(
|
|
{
|
|
userId: String(user._id),
|
|
teamId: String(user.team?.teamId),
|
|
tmbId: String(user.team?.tmbId),
|
|
isRoot: user.isRoot,
|
|
exp: Math.floor(Date.now() / 1000) + 60 * 60 * 24 * 7
|
|
},
|
|
key
|
|
);
|
|
return token;
|
|
}
|
|
|
|
// auth token
|
|
export function authJWT(token: string) {
|
|
return new Promise<{
|
|
userId: string;
|
|
teamId: string;
|
|
tmbId: string;
|
|
isRoot: boolean;
|
|
}>((resolve, reject) => {
|
|
const key = process.env.TOKEN_KEY as string;
|
|
|
|
jwt.verify(token, key, function (err, decoded: any) {
|
|
if (err || !decoded?.userId) {
|
|
reject(ERROR_ENUM.unAuthorization);
|
|
return;
|
|
}
|
|
|
|
resolve({
|
|
userId: decoded.userId,
|
|
teamId: decoded.teamId || '',
|
|
tmbId: decoded.tmbId,
|
|
isRoot: decoded.isRoot
|
|
});
|
|
});
|
|
});
|
|
}
|
|
|
|
export async function parseHeaderCert({
|
|
req,
|
|
authToken = false,
|
|
authRoot = false,
|
|
authApiKey = false
|
|
}: AuthModeType) {
|
|
// parse jwt
|
|
async function authCookieToken(cookie?: string, token?: string) {
|
|
// 获取 cookie
|
|
const cookies = Cookie.parse(cookie || '');
|
|
const cookieToken = token || cookies[TokenName];
|
|
|
|
if (!cookieToken) {
|
|
return Promise.reject(ERROR_ENUM.unAuthorization);
|
|
}
|
|
|
|
return await authJWT(cookieToken);
|
|
}
|
|
// from authorization get apikey
|
|
async function parseAuthorization(authorization?: string) {
|
|
if (!authorization) {
|
|
return Promise.reject(ERROR_ENUM.unAuthorization);
|
|
}
|
|
|
|
// Bearer fastgpt-xxxx-appId
|
|
const auth = authorization.split(' ')[1];
|
|
if (!auth) {
|
|
return Promise.reject(ERROR_ENUM.unAuthorization);
|
|
}
|
|
|
|
const { apikey, appId: authorizationAppid = '' } = await (async () => {
|
|
const arr = auth.split('-');
|
|
// abandon
|
|
if (arr.length === 3) {
|
|
return {
|
|
apikey: `${arr[0]}-${arr[1]}`,
|
|
appId: arr[2]
|
|
};
|
|
}
|
|
if (arr.length === 2) {
|
|
return {
|
|
apikey: auth
|
|
};
|
|
}
|
|
return Promise.reject(ERROR_ENUM.unAuthorization);
|
|
})();
|
|
|
|
// auth apikey
|
|
const { teamId, tmbId, appId: apiKeyAppId = '', sourceName } = await authOpenApiKey({ apikey });
|
|
|
|
return {
|
|
uid: '',
|
|
teamId,
|
|
tmbId,
|
|
apikey,
|
|
appId: apiKeyAppId || authorizationAppid,
|
|
sourceName
|
|
};
|
|
}
|
|
// root user
|
|
async function parseRootKey(rootKey?: string) {
|
|
if (!rootKey || !process.env.ROOT_KEY || rootKey !== process.env.ROOT_KEY) {
|
|
return Promise.reject(ERROR_ENUM.unAuthorization);
|
|
}
|
|
}
|
|
|
|
const { cookie, token, rootkey, authorization } = (req.headers || {}) as ReqHeaderAuthType;
|
|
|
|
const { uid, teamId, tmbId, appId, openApiKey, authType, isRoot, sourceName } =
|
|
await (async () => {
|
|
if (authApiKey && authorization) {
|
|
// apikey from authorization
|
|
const authResponse = await parseAuthorization(authorization);
|
|
return {
|
|
uid: authResponse.uid,
|
|
teamId: authResponse.teamId,
|
|
tmbId: authResponse.tmbId,
|
|
appId: authResponse.appId,
|
|
openApiKey: authResponse.apikey,
|
|
authType: AuthUserTypeEnum.apikey,
|
|
sourceName: authResponse.sourceName
|
|
};
|
|
}
|
|
if (authToken && (token || cookie)) {
|
|
// user token(from fastgpt web)
|
|
const res = await authCookieToken(cookie, token);
|
|
return {
|
|
uid: res.userId,
|
|
teamId: res.teamId,
|
|
tmbId: res.tmbId,
|
|
appId: '',
|
|
openApiKey: '',
|
|
authType: AuthUserTypeEnum.token,
|
|
isRoot: res.isRoot
|
|
};
|
|
}
|
|
if (authRoot && rootkey) {
|
|
await parseRootKey(rootkey);
|
|
// root user
|
|
return {
|
|
uid: '',
|
|
teamId: '',
|
|
tmbId: '',
|
|
appId: '',
|
|
openApiKey: '',
|
|
authType: AuthUserTypeEnum.root,
|
|
isRoot: true
|
|
};
|
|
}
|
|
|
|
return Promise.reject(ERROR_ENUM.unAuthorization);
|
|
})();
|
|
|
|
if (!authRoot && (!teamId || !tmbId)) {
|
|
return Promise.reject(ERROR_ENUM.unAuthorization);
|
|
}
|
|
|
|
return {
|
|
userId: String(uid),
|
|
teamId: String(teamId),
|
|
tmbId: String(tmbId),
|
|
appId,
|
|
authType,
|
|
sourceName,
|
|
apikey: openApiKey,
|
|
isRoot: !!isRoot
|
|
};
|
|
}
|
|
|
|
/* set cookie */
|
|
export const TokenName = 'fastgpt_token';
|
|
export const setCookie = (res: NextApiResponse, token: string) => {
|
|
res.setHeader(
|
|
'Set-Cookie',
|
|
`${TokenName}=${token}; Path=/; HttpOnly; Max-Age=604800; Samesite=Strict;`
|
|
);
|
|
};
|
|
/* clear cookie */
|
|
export const clearCookie = (res: NextApiResponse) => {
|
|
res.setHeader('Set-Cookie', `${TokenName}=; Path=/; Max-Age=0`);
|
|
};
|
|
|
|
/* file permission */
|
|
export const createFileToken = (data: FileTokenQuery) => {
|
|
if (!process.env.FILE_TOKEN_KEY) {
|
|
return Promise.reject('System unset FILE_TOKEN_KEY');
|
|
}
|
|
|
|
const expireMinutes = bucketNameMap[data.bucketName].previewExpireMinutes;
|
|
const expiredTime = Math.floor(addMinutes(new Date(), expireMinutes).getTime() / 1000);
|
|
|
|
const key = (process.env.FILE_TOKEN_KEY as string) ?? 'filetoken';
|
|
const token = jwt.sign(
|
|
{
|
|
...data,
|
|
exp: expiredTime
|
|
},
|
|
key
|
|
);
|
|
return Promise.resolve(token);
|
|
};
|
|
|
|
export const authFileToken = (token?: string) =>
|
|
new Promise<FileTokenQuery>((resolve, reject) => {
|
|
if (!token) {
|
|
return reject(ERROR_ENUM.unAuthFile);
|
|
}
|
|
const key = (process.env.FILE_TOKEN_KEY as string) ?? 'filetoken';
|
|
|
|
jwt.verify(token, key, function (err, decoded: any) {
|
|
if (err || !decoded.bucketName || !decoded?.teamId || !decoded?.tmbId || !decoded?.fileId) {
|
|
reject(ERROR_ENUM.unAuthFile);
|
|
return;
|
|
}
|
|
resolve({
|
|
bucketName: decoded.bucketName,
|
|
teamId: decoded.teamId,
|
|
tmbId: decoded.tmbId,
|
|
fileId: decoded.fileId
|
|
});
|
|
});
|
|
});
|
|
|
|
export const getGroupPer = (groups: PermissionValueType[] = []) => {
|
|
if (groups.length === 0) {
|
|
return undefined;
|
|
}
|
|
|
|
return new Permission().addPer(...groups).value;
|
|
};
|