zlei6/ragflow
1
0
Fork 0
mirror of https://github.com/infiniflow/ragflow.git synced 2026-06-29 23:41:12 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
eb6ea284a8a0de20317f812f13c2ee17841b39f2
ragflow/internal/utility/otp.go
Rene Arredondo bf59eb77cc feat(go-api): port forgot-password flow to Go (#15282) (#15290) 
## Summary

Implements **chunk 1** of #15282 — the four `/api/v1/auth/password/...`
endpoints from the login-page Go port. **Chunk 2 (OAuth/OIDC) is
deferred** to its own subtask, matching the issue author's own
confidence-low recommendation ("multi-provider, stateful redirect flow
with external dependencies; recommend its own subtask").

New endpoints, all registered under `apiNoAuth` (forgot-password users
are unauthenticated by definition):

| Method | Path | Status |
|--------|------|--------|
| `POST` | `/api/v1/auth/password/forgot/captcha` | new |
| `POST` | `/api/v1/auth/password/forgot/otp` | new |
| `POST` | `/api/v1/auth/password/forgot/otp/verify` | new |
| `POST` | `/api/v1/auth/password/reset` | new |

## Wire compatibility with the Python backend

The two backends share state through Redis, so the Go port had to use
identical keys, encodings, and constants. Either backend can now
validate a code the other minted.

- **Redis keys**: `captcha:<email>`, `otp:<email>`,
`otp_attempts:<email>`, `otp_last_sent:<email>`, `otp_lock:<email>`,
`otp:verified:<email>` — same as `api/utils/web_utils.py`.
- **Stored OTP value**: `"<hex_hash>:<hex_salt>"` — same as Python.
- **Hash**: HMAC-SHA256 with a `crypto/rand` 16-byte salt — same as
`hash_code()`.
- **Constants**: `OTP_LENGTH=4`, `OTP_TTL=5min`, `ATTEMPT_LIMIT=5`,
`ATTEMPT_LOCK_SECONDS=30min`, `RESEND_COOLDOWN_SECONDS=60s` — all match
`api/utils/web_utils.py`.
- **Email body**: matches `RESET_CODE_EMAIL_TMPL` byte-for-byte.

## Files

### New

| File | Purpose |
|---|---|
| `internal/utility/otp.go` | OTP/captcha constants, Redis key builders
(`CaptchaRedisKey`, `OTPRedisKeys`, `OTPVerifiedRedisKey`),
`HashOTPCode`, `GenerateOTPCode` / `GenerateCaptchaCode` /
`GenerateOTPSalt` via `crypto/rand`, and `EncodeOTPStorageValue` /
`DecodeOTPStorageValue` matching Python's storage shape. |
| `internal/utility/smtp.go` | Minimal stdlib `net/smtp` sender.
`SendResetCodeEmail(to, otp, ttlMin)` builds an RFC 5322 plain-text
message and dispatches via implicit TLS / STARTTLS / plain — same
selectors as Python `aiosmtplib`. Returns `SMTPNotConfiguredError` if
the config block is empty. |

### Modified

| File | Change |
|---|---|
| `internal/server/config.go` | New `SMTPConfig` struct + `Config.SMTP`
field. Field names mirror the `smtp:` keys in `common/settings.py`
(`mail_server`, `mail_port`, `mail_use_ssl`, `mail_use_tls`,
`mail_username`, `mail_password`, `mail_from_name`, `mail_from_address`,
`mail_frontend_url`) so a single `conf/service_conf.yaml` powers both
backends. |
| `internal/service/user.go` | Four methods — `ForgotIssueCaptcha`,
`ForgotSendOTP`, `ForgotVerifyOTP`, `ForgotResetPassword`. Reuses the
existing `decryptPassword`, `HashPassword`, `userDAO.Update`, and
`utility.GenerateToken` so the reset+auto-login path is identical to
`LoginByEmail`. |
| `internal/handler/user.go` | Four handlers in the same `c.JSON` shape
as `LoginByEmail`. The reset handler rotates the access token and emits
an `Authorization` header for auto-login (matches Python
`construct_response(auth=user.get_id())`). |
| `internal/router/router.go` | Routes registered under `apiNoAuth`,
with an explanatory comment on why they sit outside the auth middleware.
|

## Known divergence — captcha rendering

The Python endpoint returns a rendered `image/JPEG` from the
`python-captcha` library. The Go side has **no image-captcha dependency
vendored** in `go.mod`, and hand-rolling a raster generator was out of
scope for this PR.

This commit returns JSON `{captcha: "<text>"}` instead. Implications:

- **Backend gate is identical** — the OTP step still verifies the
user-submitted captcha string against the Redis value, so the security
model is unchanged.
- **Frontend impact**: the password-reset page rendering needs a small
tweak (text display instead of `<img>`) until a Go captcha library is
wired in.
- The handler comments call this out explicitly so the next PR knows
what to swap.

Possible follow-ups (any one closes the gap):
1. Add `github.com/mojocn/base64Captcha` or `github.com/dchest/captcha`
to `go.mod` and replace the JSON response with an `image/JPEG`.
2. Hand-roll a 5x7 bitmap font + `image/png` writer using only the
stdlib.
3. Render a server-side SVG (cheap, but trivially OCR-able — only useful
as a UI shim).

## Test plan

- [ ] **Captcha**: `POST
/api/v1/auth/password/forgot/captcha?email=<existing>` returns `{code:
0, data: {captcha: "ABCD"}}`. Redis shows `captcha:<email>` with that
value and ~60s TTL. Unknown email returns `code: CodeDataError`.
- [ ] **OTP send**: `POST /api/v1/auth/password/forgot/otp` with the
right captcha mints an OTP, stores `<hash>:<salt>` under `otp:<email>`
for 5 min, sends an email, returns success. With a wrong captcha returns
`CodeAuthenticationError`. Hitting it again within 60s returns "you
still have to wait …" with `CodeNotEffective`.
- [ ] **OTP verify**: correct OTP → `code: 0`, OTP keys cleared,
`otp:verified:<email>` = `"1"`. Wrong OTP → `code:
CodeAuthenticationError`, attempt counter bumped; after 5 wrong tries
`otp_lock:<email>` is set and further attempts hit `CodeNotEffective`.
- [ ] **Reset**: with the verified flag set, supply a new password
(RSA-encrypted+base64, same as `LoginByEmail`). Returns `code: 0`,
`Authorization` header set, verified flag deleted. Without the verified
flag returns `CodeAuthenticationError`.
- [ ] **Wire-compat smoke**: mint an OTP from the Python backend, verify
it via the Go endpoint, and vice versa. Should both succeed.
- [ ] **SMTP misconfigured**: drop `smtp.mail_server` from
`conf/service_conf.yaml`. The OTP-send endpoint should now return
"failed to send email" without panicking; check the log for the
`SMTPNotConfiguredError` warning.
- [ ] **End-to-end FE**: hit the password-reset flow from
`web/src/pages/login-next/`. Confirm the text-captcha shim works after
the FE tweak.
- [ ] `go build ./...` and `go vet ./...` — I could not run these in the
sandbox; please confirm a clean build before merging.
- [ ] `uv run pytest` to confirm no Python regressions (shared Redis
schema).

### Type of change

- [x] New Feature (non-breaking change which adds functionality)
2026-06-10 21:27:56 +08:00

158 lines
5.6 KiB
Go
Raw Blame History

//
// Copyright 2026 The InfiniFlow Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// OTP / captcha helpers for the forgot-password flow.
// Constants and key shapes mirror api/utils/web_utils.py so the Python
// and Go backends share the same Redis namespace and contract.
package utility
import (
"crypto/hmac"
"crypto/rand"
"crypto/sha256"
"encoding/hex"
"fmt"
"math/big"
"strings"
"time"
)
// Forgot-password constants — match api/utils/web_utils.py.
const (
OTPLength = 4
OTPTTL = 5 * time.Minute
OTPAttemptLimit = 5
OTPAttemptLockDuration = 30 * time.Minute
OTPResendCooldown = 60 * time.Second
)
// otpUpperAlphabet is the OTP alphabet (uppercase letters, same as
// Python ``string.ascii_uppercase``).
const otpUpperAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
// captchaAlphabet is the captcha alphabet (uppercase letters + digits,
// same as Python ``string.ascii_uppercase + string.digits``).
const captchaAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
// normalizeEmail lowercases and trims an email address for keying. Mirrors
// the leading ``email = (email or "").strip().lower()`` in Python's
// otp_keys helper.
func normalizeEmail(email string) string {
return strings.ToLower(strings.TrimSpace(email))
}
// CaptchaIDRedisKey returns the Redis key that holds the active captcha
// for a server-issued captcha_id. The handler returns the id to the
// client and never the code itself, so an attacker cannot read the
// expected answer from the response. Diverges from Python's
// email-keyed ``captcha_key`` on purpose — captchas are 60s-lived
// and never cross between Go and Python in practice, so there is no
// shared-state requirement.
func CaptchaIDRedisKey(captchaID string) string {
return "captcha:" + captchaID
}
// OTPRedisKeys returns the four Redis keys used by the forgot-password
// flow, in the same order as Python's ``otp_keys`` helper:
//
// code, attempts, last_sent, lock
func OTPRedisKeys(email string) (codeKey, attemptsKey, lastSentKey, lockKey string) {
email = normalizeEmail(email)
return "otp:" + email,
"otp_attempts:" + email,
"otp_last_sent:" + email,
"otp_lock:" + email
}
// OTPVerifiedRedisKey returns the Redis key that records a successful OTP
// verification, used as the gate for the password-reset step (matches
// Python ``_verified_key``).
func OTPVerifiedRedisKey(email string) string {
return "otp:verified:" + normalizeEmail(email)
}
// HashOTPCode computes the HMAC-SHA256 of an OTP using the given salt and
// returns its hex digest, matching Python's ``hash_code`` helper.
func HashOTPCode(code string, salt []byte) string {
mac := hmac.New(sha256.New, salt)
mac.Write([]byte(code))
return hex.EncodeToString(mac.Sum(nil))
}
// GenerateOTPSalt returns a cryptographically random 16-byte salt for
// hashing an OTP — same width as Python ``os.urandom(16)``.
func GenerateOTPSalt() ([]byte, error) {
salt := make([]byte, 16)
if _, err := rand.Read(salt); err != nil {
return nil, fmt.Errorf("failed to generate otp salt: %w", err)
}
return salt, nil
}
// GenerateOTPCode generates an OTP of length ``OTPLength`` drawn uniformly
// from ``otpUpperAlphabet`` using crypto/rand (matches Python
// ``secrets.choice``).
func GenerateOTPCode() (string, error) {
return randomStringFromAlphabet(otpUpperAlphabet, OTPLength)
}
// GenerateCaptchaCode generates a captcha of length ``OTPLength`` drawn
// uniformly from ``captchaAlphabet`` using crypto/rand. The shared length
// is intentional — Python uses ``OTP_LENGTH`` for both.
func GenerateCaptchaCode() (string, error) {
return randomStringFromAlphabet(captchaAlphabet, OTPLength)
}
// EncodeOTPStorageValue serializes the (hash, salt) pair the way Python
// stores it in Redis: ``"<hex_hash>:<hex_salt>"``. Returning the salt's
// hex form (not raw bytes) keeps the value safe to store as a Redis
// string and matches the Python encoding so either backend can verify a
// code minted by the other.
func EncodeOTPStorageValue(codeHash string, salt []byte) string {
return codeHash + ":" + hex.EncodeToString(salt)
}
// DecodeOTPStorageValue reverses ``EncodeOTPStorageValue``. Returns the
// stored hash, decoded salt bytes, and a non-nil error if the value is
// malformed.
func DecodeOTPStorageValue(stored string) (codeHash string, salt []byte, err error) {
parts := strings.SplitN(stored, ":", 2)
if len(parts) != 2 {
return "", nil, fmt.Errorf("otp storage value missing salt separator")
}
salt, err = hex.DecodeString(parts[1])
if err != nil {
return "", nil, fmt.Errorf("otp storage salt is not valid hex: %w", err)
}
return parts[0], salt, nil
}
func randomStringFromAlphabet(alphabet string, length int) (string, error) {
if length <= 0 {
return "", fmt.Errorf("random string length must be positive")
}
out := make([]byte, length)
max := big.NewInt(int64(len(alphabet)))
for i := 0; i < length; i++ {
n, err := rand.Int(rand.Reader, max)
if err != nil {
return "", fmt.Errorf("failed to read random byte: %w", err)
}
out[i] = alphabet[n.Int64()]
}
return string(out), nil
}
Reference in New Issue View Git Blame Copy Permalink