feature(web): Added web auth for the deer flow #843
WillemJiang wants to merge 22 commits into bytedance:main-1.x from
Conversation
Fixed the "Object is possibly 'undefined'" error in parseToken function by adding null safety check for parts[1] when parsing JWT tokens. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
Replaced logical OR (||) with nullish coalescing operator (??) for safer null checking when parsing JWT tokens in auth utils. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
Pull request overview
This pull request introduces a comprehensive JWT-based authentication and user management system to DeerFlow. The implementation adds login/logout functionality, password management, admin-only user CRUD operations, and role-based access control across both backend and frontend.
Changes:
- Added JWT-based authentication with user/admin roles and password hashing using bcrypt
- Implemented user management endpoints (login, logout, password change, user CRUD) with role-based authorization
- Integrated authentication middleware for frontend with protected routes and auth context
- Added comprehensive test coverage for authentication flows and user management
Reviewed changes
Copilot reviewed 41 out of 43 changed files in this pull request and generated 24 comments.
| File | Description |
|---|---|
| src/server/middleware/auth.py | New authentication middleware with JWT token generation/verification and role-based access control |
| src/config/users.py | User management system with bcrypt password hashing and YAML-based persistence |
| src/server/app.py | Added authentication endpoints and integrated auth dependencies into existing endpoints |
| web/src/core/auth/* | Frontend authentication utilities, context provider, and server-side helpers |
| web/src/middleware.ts | Next.js middleware for route protection and role-based access |
| web/src/app/admin/* | Admin pages for user management and system configuration |
| web/src/app/login/page.tsx | Login page component |
| tests/* | Comprehensive test coverage for authentication and user management |
| pyproject.toml | Added bcrypt dependency |
| .env.example | Added JWT and admin credential configuration |
Files not reviewed (1)
- web/pnpm-lock.yaml: Language not supported
| try { | ||
| localStorage.setItem(AUTH_CONFIG.CSRF_TOKEN_KEY, token); | ||
| document.cookie = `${AUTH_CONFIG.CSRF_TOKEN_KEY}=${token}; path=/; max-age=${AUTH_CONFIG.DEFAULT_TTL / 1000}; SameSite=Strict; Secure`; |
Security: The Secure flag should be conditional based on the environment. Setting secure=True for cookies in development (HTTP) will prevent them from working. Consider using environment-based configuration to set this flag appropriately.
| } | ||
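Review bot: the second line of this hunk interpolates `token` into `document.cookie` without escaping; a value containing `;`, `,` or whitespace would corrupt the attribute list and the browser would silently not set the cookie, so write `encodeURIComponent(token)` here and decode it on read. The `Secure` attribute is also hard-coded, so on a plain-HTTP development origin the cookie is dropped and the CSRF check cannot succeed; gate it on `location.protocol === 'https:'`.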
| // Decode payload (base64url) | ||
| const payload = JSON.parse(atob((parts[1] ?? '').replace(/-/g, '+').replace(/_/g, '/'))); |
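Review bot: `parts[1] ?? ''` hides a malformed token rather than rejecting it: `atob('')` returns `''` and `JSON.parse('')` then throws, so the failure only surfaces as a generic catch. Check `parts.length === 3` before decoding and return null otherwise. Two further points on this line: `atob` yields a Latin-1 binary string, so any non-ASCII claim value (a display name, for instance) is mis-decoded unless the bytes are passed through `TextDecoder`; and because this decodes the payload without checking the signature, the result must only drive UI state, with authorization decisions left to the server-side verification in `src/server/middleware/auth.py`.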
Base64 decoding error handling: The JWT payload decoding on line 111 uses optional chaining on parts[1] which is good, but the fallback empty string '' will cause atob() to decode successfully but produce unexpected results. If parts[1] is undefined/null, the try-catch will handle it, but it's clearer to check explicitly before decoding.
| with open(USERS_FILE, 'w', encoding='utf-8') as f: | ||
| yaml.dump(data, f, default_flow_style=False, allow_unicode=True) | ||
| _users_cache = users |
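Review bot: `open(USERS_FILE, 'w')` truncates the file before `yaml.dump` runs, so an exception or crash during the dump leaves an empty or partial users file and every account is unavailable until it is restored; write to a temporary file in the same directory and `os.replace()` it over `USERS_FILE` so the swap is atomic. This file holds the bcrypt hashes, so it should also be created with a restrictive mode (`0o600`) rather than whatever the process umask allows. The write lock requested in the comment below is still needed: the atomic rename only protects against torn writes, not against two concurrent writers overwriting each other's changes.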
hi @WillemJiang
I think we need to add a file write lock to prevent concurrent conflicts.
LGTM
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This pull request introduces a comprehensive user authentication and management system to the backend, along with supporting changes to environment configuration, testing, and internationalization. The most significant updates are the addition of JWT-based authentication, new user/admin endpoints, environment variable documentation, and supporting utilities for secure password handling and CSRF protection.
Backend: User Authentication & Management
- `src/server/middleware/auth.py`. This includes functions for token creation, verification, CSRF protection, and admin/user role enforcement.
- `src/server/app.py` for login, logout, password change, and admin-only user CRUD operations, all protected by the new authentication system. [1] [2]
- `/api/mcp/server/metadata` and user authentication for `/api/chat/stream`. [1] [2]
- `pyproject.toml`.
Environment Configuration
- `.env.example` with documentation and placeholders for `JWT_SECRET_KEY`, initial admin credentials, and notes on secure key requirements. [1] [2]
Testing Support
- `tests/unit/server/test_app.py` to override authentication dependencies with mock users, enabling tests for endpoints that now require authentication. [1] [2] [3]
Internationalization & Frontend
Backend: Authentication & User Management
- `src/server/middleware/auth.py`.
- `src/server/app.py`, all protected by authentication and role checks. [1] [2]
- `/api/chat/stream` and `/api/mcp/server/metadata`. [1] [2]
- `pyproject.toml`.
Environment Configuration
- `JWT_SECRET_KEY` and initial admin credentials in `.env.example`, including security requirements. [1] [2]
Testing & Internationalization
- `tests/unit/server/test_app.py`. [1] [2] [3]