Willem Jiang
4e4e4f92a0
* fix(security): harden auth system and fix run journal logic bug
- Fix inverted condition in RunJournal.on_chat_model_start that prevented
first human message capture (not messages → messages)
- Pre-hash passwords with SHA-256 before bcrypt to avoid silent 72-byte
truncation vulnerability
- Move load_dotenv() from module scope into get_auth_config() to prevent
import-time os.environ mutation breaking test isolation
- Return generic ‘Invalid token’ instead of exposing specific error
variants (expired, malformed, invalid_signature) to clients
- Make @require_auth independently enforce 401 instead of silently
passing through when AuthMiddleware is absent
- Rate-limit /setup-status endpoint with per-IP cooldown to mitigate
initialization-state information leak
- Document in-process rate limiter limitation for multi-worker deployments
* fix(security): return 429+Retry-After on setup-status rate limit, bound cooldown dict
Agent-Logs-Url: https://github.com/bytedance/deer-flow/sessions/070d0be8-99a5-46c8-85bb-6b81b5284021
Co-authored-by: WillemJiang <219644+WillemJiang@users.noreply.github.com>
* fix(security): add versioned password hashes with auto-migration on login
The SHA-256 pre-hash change silently broke verification for any existing
bcrypt-only password hashes. Introduce a <N>$ prefix scheme so hashes
are self-describing:
- v2 (current): bcrypt(b64(sha256(password))) with $ prefix
- v1 (legacy): plain bcrypt, prefixed $ or bare (no prefix)
verify_password auto-detects the version and falls back to v1 for older
hashes. LocalAuthProvider.authenticate() now rehashes legacy hashes to v2
on successful login via needs_rehash(), so existing users upgrade
transparently without a dedicated migration step.
* fix(auth): harden verify_password, best-effort rehash, update require_auth docstring, downgrade journal logging
- password.py: wrap bcrypt.checkpw in try/except → return False for malformed/corrupt hashes instead of crashing
- local_provider.py: wrap auto-rehash update_user() in try/except so transient DB errors don't fail valid logins
- authz.py: update require_auth docstring to reflect independent 401 enforcement
- journal.py: downgrade on_chat_model_start from INFO to DEBUG, log only metadata (batch_count, message_counts) instead of full serialized/messages content
Agent-Logs-Url: https://github.com/bytedance/deer-flow/sessions/48c5cf31-a4ab-418a-982a-6343c37bb299
Co-authored-by: WillemJiang <219644+WillemJiang@users.noreply.github.com>
* fix(auth): address code review - narrow ValueError catch, add rehash warning log, rename num_batches
Agent-Logs-Url: https://github.com/bytedance/deer-flow/sessions/48c5cf31-a4ab-418a-982a-6343c37bb299
Co-authored-by: WillemJiang <219644+WillemJiang@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
58 lines
1.9 KiB
Python
58 lines
1.9 KiB
Python
"""Authentication configuration for DeerFlow."""
|
|
|
|
import logging
|
|
import os
|
|
import secrets
|
|
|
|
from pydantic import BaseModel, Field
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class AuthConfig(BaseModel):
|
|
"""JWT and auth-related configuration. Parsed once at startup.
|
|
|
|
Note: the ``users`` table now lives in the shared persistence
|
|
database managed by ``deerflow.persistence.engine``. The old
|
|
``users_db_path`` config key has been removed — user storage is
|
|
configured through ``config.database`` like every other table.
|
|
"""
|
|
|
|
jwt_secret: str = Field(
|
|
...,
|
|
description="Secret key for JWT signing. MUST be set via AUTH_JWT_SECRET.",
|
|
)
|
|
token_expiry_days: int = Field(default=7, ge=1, le=30)
|
|
oauth_github_client_id: str | None = Field(default=None)
|
|
oauth_github_client_secret: str | None = Field(default=None)
|
|
|
|
|
|
_auth_config: AuthConfig | None = None
|
|
|
|
|
|
def get_auth_config() -> AuthConfig:
|
|
"""Get the global AuthConfig instance. Parses from env on first call."""
|
|
global _auth_config
|
|
if _auth_config is None:
|
|
from dotenv import load_dotenv
|
|
|
|
load_dotenv()
|
|
jwt_secret = os.environ.get("AUTH_JWT_SECRET")
|
|
if not jwt_secret:
|
|
jwt_secret = secrets.token_urlsafe(32)
|
|
os.environ["AUTH_JWT_SECRET"] = jwt_secret
|
|
logger.warning(
|
|
"⚠ AUTH_JWT_SECRET is not set — using an auto-generated ephemeral secret. "
|
|
"Sessions will be invalidated on restart. "
|
|
"For production, add AUTH_JWT_SECRET to your .env file: "
|
|
'python -c "import secrets; print(secrets.token_urlsafe(32))"'
|
|
)
|
|
_auth_config = AuthConfig(jwt_secret=jwt_secret)
|
|
return _auth_config
|
|
|
|
|
|
def set_auth_config(config: AuthConfig) -> None:
|
|
"""Set the global AuthConfig instance (for testing)."""
|
|
global _auth_config
|
|
_auth_config = config
|