Files
2026-07-13 13:24:55 +08:00

232 lines
8.2 KiB
Go

/*
* Copyright 2025 coze-dev Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package plugin
import (
"context"
"encoding/json"
"net/url"
"os"
botOpenAPI "github.com/coze-dev/coze-studio/backend/api/model/app/bot_open_api"
developerAPI "github.com/coze-dev/coze-studio/backend/api/model/app/developer_api"
pluginAPI "github.com/coze-dev/coze-studio/backend/api/model/plugin_develop"
common "github.com/coze-dev/coze-studio/backend/api/model/plugin_develop/common"
"github.com/coze-dev/coze-studio/backend/application/base/ctxutil"
pluginConf "github.com/coze-dev/coze-studio/backend/domain/plugin/conf"
"github.com/coze-dev/coze-studio/backend/domain/plugin/dto"
"github.com/coze-dev/coze-studio/backend/domain/plugin/encrypt"
"github.com/coze-dev/coze-studio/backend/pkg/errorx"
"github.com/coze-dev/coze-studio/backend/pkg/lang/conv"
"github.com/coze-dev/coze-studio/backend/types/errno"
)
func (p *PluginApplicationService) GetOAuthSchema(ctx context.Context, req *pluginAPI.GetOAuthSchemaRequest) (resp *pluginAPI.GetOAuthSchemaResponse, err error) {
return &pluginAPI.GetOAuthSchemaResponse{
OauthSchema: pluginConf.GetOAuthSchema(),
}, nil
}
func (p *PluginApplicationService) GetOAuthStatus(ctx context.Context, req *pluginAPI.GetOAuthStatusRequest) (resp *pluginAPI.GetOAuthStatusResponse, err error) {
userID := ctxutil.GetUIDFromCtx(ctx)
if userID == nil {
return nil, errorx.New(errno.ErrPluginPermissionCode, errorx.KV(errno.PluginMsgKey, "session is required"))
}
res, err := p.DomainSVC.GetOAuthStatus(ctx, *userID, req.PluginID)
if err != nil {
return nil, errorx.Wrapf(err, "GetOAuthStatus failed, pluginID=%d", req.PluginID)
}
resp = &pluginAPI.GetOAuthStatusResponse{
IsOauth: res.IsOauth,
Status: res.Status,
Content: res.OAuthURL,
}
return resp, nil
}
func (p *PluginApplicationService) OauthAuthorizationCode(ctx context.Context, req *botOpenAPI.OauthAuthorizationCodeReq) (resp *botOpenAPI.OauthAuthorizationCodeResp, err error) {
stateStr, err := url.QueryUnescape(req.State)
if err != nil {
return nil, errorx.WrapByCode(err, errno.ErrPluginOAuthFailed, errorx.KV(errno.PluginMsgKey, "invalid state"))
}
secret := os.Getenv(encrypt.StateSecretEnv)
if secret == "" {
secret = encrypt.DefaultStateSecret
}
stateBytes, err := encrypt.DecryptByAES(stateStr, secret)
if err != nil {
return nil, errorx.WrapByCode(err, errno.ErrPluginOAuthFailed, errorx.KV(errno.PluginMsgKey, "invalid state"))
}
state := &dto.OAuthState{}
err = json.Unmarshal(stateBytes, state)
if err != nil {
return nil, errorx.WrapByCode(err, errno.ErrPluginOAuthFailed, errorx.KV(errno.PluginMsgKey, "invalid state"))
}
err = p.DomainSVC.OAuthCode(ctx, req.Code, state)
if err != nil {
return nil, errorx.WrapByCode(err, errno.ErrPluginOAuthFailed, errorx.KV(errno.PluginMsgKey, "authorize failed"))
}
resp = &botOpenAPI.OauthAuthorizationCodeResp{}
return resp, nil
}
func (p *PluginApplicationService) GetQueriedOAuthPluginList(ctx context.Context, req *pluginAPI.GetQueriedOAuthPluginListRequest) (resp *pluginAPI.GetQueriedOAuthPluginListResponse, err error) {
userID := ctxutil.GetUIDFromCtx(ctx)
if userID == nil {
return nil, errorx.New(errno.ErrPluginPermissionCode, errorx.KV(errno.PluginMsgKey, "session is required"))
}
status, err := p.DomainSVC.GetAgentPluginsOAuthStatus(ctx, *userID, req.BotID)
if err != nil {
return nil, errorx.Wrapf(err, "GetAgentPluginsOAuthStatus failed, userID=%d, agentID=%d", *userID, req.BotID)
}
if len(status) == 0 {
return &pluginAPI.GetQueriedOAuthPluginListResponse{
OauthPluginList: []*pluginAPI.OAuthPluginInfo{},
}, nil
}
oauthPluginList := make([]*pluginAPI.OAuthPluginInfo, 0, len(status))
for _, s := range status {
oauthPluginList = append(oauthPluginList, &pluginAPI.OAuthPluginInfo{
PluginID: s.PluginID,
Status: s.Status,
Name: s.PluginName,
PluginIcon: s.PluginIconURL,
})
}
resp = &pluginAPI.GetQueriedOAuthPluginListResponse{
OauthPluginList: oauthPluginList,
}
return resp, nil
}
func (p *PluginApplicationService) RevokeAuthToken(ctx context.Context, req *pluginAPI.RevokeAuthTokenRequest) (resp *pluginAPI.RevokeAuthTokenResponse, err error) {
userID := ctxutil.GetUIDFromCtx(ctx)
if userID == nil {
return nil, errorx.New(errno.ErrPluginPermissionCode, errorx.KV(errno.PluginMsgKey, "session is required"))
}
err = p.DomainSVC.RevokeAccessToken(ctx, &dto.AuthorizationCodeMeta{
UserID: conv.Int64ToStr(*userID),
PluginID: req.PluginID,
IsDraft: req.GetBotID() == 0,
})
if err != nil {
return nil, errorx.Wrapf(err, "RevokeAccessToken failed, pluginID=%d", req.PluginID)
}
resp = &pluginAPI.RevokeAuthTokenResponse{}
return resp, nil
}
func (p *PluginApplicationService) GetUserAuthority(ctx context.Context, req *pluginAPI.GetUserAuthorityRequest) (resp *pluginAPI.GetUserAuthorityResponse, err error) {
resp = &pluginAPI.GetUserAuthorityResponse{
Data: &common.GetUserAuthorityData{
CanEdit: true,
CanRead: true,
CanDelete: true,
CanDebug: true,
CanPublish: true,
CanReadChangelog: true,
},
}
return resp, nil
}
// PluginOauthAuthorizationCode handles the OAuth provider callback in the two-step confirmation flow.
// It validates the state, stores a temporary confirm_code, and returns it for redirect.
func (p *PluginApplicationService) PluginOauthAuthorizationCode(ctx context.Context, req *developerAPI.PluginOauthAuthorizationCodeReq) (confirmCode string, err error) {
if req.Code == "" {
return "", errorx.New(errno.ErrPluginOAuthFailed, errorx.KV(errno.PluginMsgKey, "code is required"))
}
if req.State == "" {
return "", errorx.New(errno.ErrPluginOAuthFailed, errorx.KV(errno.PluginMsgKey, "state is required"))
}
if req.PluginID == "" {
return "", errorx.New(errno.ErrPluginOAuthFailed, errorx.KV(errno.PluginMsgKey, "plugin_id is required"))
}
confirmCode, err = p.DomainSVC.PluginOauthCallback(ctx, req.Code, req.State, req.PluginID)
if err != nil {
return "", errorx.Wrapf(err, "PluginOauthCallback failed")
}
return confirmCode, nil
}
// PluginOauthInfo returns plugin information for the OAuth confirmation page.
func (p *PluginApplicationService) PluginOauthInfo(ctx context.Context, req *developerAPI.PluginOauthInfoReq) (resp *developerAPI.PluginOauthInfoResp, err error) {
info, err := p.DomainSVC.GetPluginOauthInfo(ctx, req.ConfirmCode)
if err != nil {
return nil, errorx.Wrapf(err, "GetPluginOauthInfo failed")
}
// Look up username from the state's userID via user service
username := ""
if info.StateUserID > 0 {
userProfile, profileErr := p.userSVC.GetUserProfiles(ctx, info.StateUserID)
if profileErr == nil && userProfile != nil {
username = userProfile.Name
if username == "" {
username = userProfile.UniqueName
}
}
}
resp = &developerAPI.PluginOauthInfoResp{
Data: &developerAPI.PluginOauthInfo{
PluginID: info.PluginID,
PluginName: info.PluginName,
PluginIcon: info.PluginIcon,
Username: username,
},
}
return resp, nil
}
// PluginOauthConfirm handles the user's confirmation of OAuth authorization.
// It uses the current session user ID to prevent phishing attacks.
func (p *PluginApplicationService) PluginOauthConfirm(ctx context.Context, req *developerAPI.PluginOauthConfirmReq) (resp *developerAPI.PluginOauthConfirmResp, err error) {
userID := ctxutil.GetUIDFromCtx(ctx)
if userID == nil {
return nil, errorx.New(errno.ErrPluginPermissionCode, errorx.KV(errno.PluginMsgKey, "session is required"))
}
err = p.DomainSVC.ConfirmPluginOauth(ctx, req.ConfirmCode, *userID)
if err != nil {
return nil, errorx.Wrapf(err, "ConfirmPluginOauth failed")
}
resp = &developerAPI.PluginOauthConfirmResp{}
return resp, nil
}