
feat(auth): accept signed Orpheus embed tokens #3896

Open: AlexanderNiocalyev wants to merge 1 commit into bytedance:main from AlexanderNiocalyev:codex/orpheus-signed-embed-auth

Conversation

@AlexanderNiocalyev


Summary

  • add signed Orpheus embed-token verification in the DeerFlow gateway
  • add iframe-safe /embed/chats/[thread_id] route that reuses the native workspace chat page
  • inject X-DeerFlow-Embed-Token from the embed URL into frontend API and LangGraph SDK calls
  • document DEERFLOW_EMBED_TOKEN_SECRET and add backend/frontend regression tests

Validation

  • backend: uv run pytest tests/test_auth_middleware.py tests/test_csrf_middleware.py -q
  • backend: uv run ruff check app/gateway/embed_auth.py app/gateway/auth_middleware.py app/gateway/csrf_middleware.py app/gateway/deps.py tests/test_auth_middleware.py tests/test_csrf_middleware.py
  • backend: uv run ruff format --check app/gateway/embed_auth.py app/gateway/auth_middleware.py app/gateway/csrf_middleware.py app/gateway/deps.py tests/test_auth_middleware.py tests/test_csrf_middleware.py
  • frontend: pnpm test -- tests/unit/core/embed-auth.test.ts
  • frontend: pnpm lint
  • frontend: pnpm typecheck
  • frontend: pnpm format
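The summary above describes the mechanism (an HMAC-signed, short-lived token carried in `X-DeerFlow-Embed-Token` and accepted only for the thread it was signed for) but the page does not show the token format that `embed_auth.py` uses. The following is an added example written for this review, not the PR's code: it assumes a `<payload>.<signature>` layout, a JSON payload with `thread_id` and `exp` fields, HMAC-SHA256 over the encoded payload, and a default 300-second lifetime. The function names `sign_embed_token`, `verify_embed_token` and `authenticate_embed_request` are this example's own. It shows the checks a gateway verifier needs in the order they should run: signature (constant-time) before anything in the payload is trusted, then expiry, then thread binding.

```python
"""Added example of thread-bound, expiring HMAC embed tokens.
Not the PR's embed_auth.py; token format and field names are assumptions."""
import base64
import hashlib
import hmac
import json
import time

HEADER_NAME = "X-DeerFlow-Embed-Token"  # header name from the PR description
AUTH_SOURCE_EMBED = "embed"  # auth_source value from the PR description


class EmbedTokenError(Exception):
    """Raised for any token that must be rejected (caller maps it to 401)."""


def _b64encode(raw: bytes) -> str:
    # URL-safe, unpadded, so the token survives a query string unchanged.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def _signature(secret: str, body: str) -> bytes:
    return hmac.new(secret.encode("utf-8"), body.encode("ascii"), hashlib.sha256).digest()


def sign_embed_token(secret: str, thread_id: str, ttl_seconds: int = 300, now=None) -> str:
    """Issuer side: the embedding application holding DEERFLOW_EMBED_TOKEN_SECRET
    signs a payload that names exactly one thread and one absolute expiry."""
    issued_at = int(time.time() if now is None else now)
    payload = {"thread_id": thread_id, "exp": issued_at + ttl_seconds}
    body = _b64encode(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return f"{body}.{_b64encode(_signature(secret, body))}"


def verify_embed_token(secret: str, token: str, requested_thread_id: str, now=None) -> dict:
    """Gateway side. Nothing in the payload is read until the MAC has been checked
    with a constant-time comparison; then expiry; then the thread binding."""
    if not secret:
        # An unset secret must disable the feature, never act as an empty key.
        raise EmbedTokenError("embed tokens are not enabled")
    try:
        body, sig_text = token.split(".", 1)
        presented = _b64decode(sig_text)
    except ValueError:  # binascii.Error and unpack errors are both ValueError
        raise EmbedTokenError("malformed embed token")
    if not hmac.compare_digest(presented, _signature(secret, body)):
        raise EmbedTokenError("invalid embed token signature")
    try:
        payload = json.loads(_b64decode(body))
    except ValueError:
        raise EmbedTokenError("malformed embed token payload")
    if not isinstance(payload, dict):
        raise EmbedTokenError("malformed embed token payload")
    current = int(time.time() if now is None else now)
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= current:
        raise EmbedTokenError("embed token expired")
    if payload.get("thread_id") != requested_thread_id:
        # A token minted for one thread must not open any other thread.
        raise EmbedTokenError("embed token is not valid for this thread")
    return payload


def authenticate_embed_request(headers: dict, path_thread_id: str, secret: str, now=None):
    """Mirrors the gateway branch described in the summary: no header means no
    embed auth (fall through to the other auth sources); a valid token yields a
    request user stamped auth_source="embed"; an invalid one raises."""
    token = headers.get(HEADER_NAME)
    if not token:
        return None
    payload = verify_embed_token(secret, token, path_thread_id, now=now)
    return {"thread_id": payload["thread_id"], "auth_source": AUTH_SOURCE_EMBED}


if __name__ == "__main__":
    # Constructed demo values; the secret is a placeholder, not a real one.
    demo_secret = "example-secret-replace-me"
    tok = sign_embed_token(demo_secret, "thread-123", ttl_seconds=60, now=1_000_000)
    print(authenticate_embed_request({HEADER_NAME: tok}, "thread-123", demo_secret, now=1_000_030))
```

Two design points worth carrying into the real middleware: the error strings here are what the server logs, not what it should return on the wire (a fixed "invalid embed token" body avoids telling the caller which check failed), and the `exp` comparison uses the gateway's clock, so an issuer on a skewed clock simply gets a shorter effective lifetime rather than a longer one.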

github-actions bot added labels area:backend (Gateway / runtime / core backend under backend/), area:docs (Documentation and Markdown only), area:frontend (Next.js frontend under frontend/), needs-validation (Touches front/back contract surface; needs real-path validation), risk:high (High risk: backend API, agents, sandbox, auth, deps, CI), size/L (PR changes 300-700 lines) on Jul 1, 2026
@WillemJiang

Collaborator

@AlexanderNiocalyev Thanks for your contribution. Could you share more information with me about 'Orpheus embed-token'? I cannot find the document when searching on Google.

Copilot AI left a comment

Contributor


Pull request overview

Adds an “Orpheus embed” authentication mode that accepts signed, short-lived embed tokens in the Gateway and propagates them from a new iframe-safe frontend route into both REST and LangGraph SDK requests.

Changes:

  • Backend: introduce X-DeerFlow-Embed-Token verification (HMAC) and stamp auth_source="embed" users when a valid token is present; allow CSRF bypass for valid embed-token requests.
  • Frontend: add /embed/chats/[thread_id] route that reuses the workspace chat page and injects the embed token header into API/LangGraph SDK calls; add token bootstrap to strip the token from the URL.
  • Docs/tests: document DEERFLOW_EMBED_TOKEN_SECRET and add regression tests for embed-token auth + CSRF behavior.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 3 comments.

Summary per file (File | Description):
README.md | Documents embed-token support at the repo level.
frontend/tests/unit/core/embed-auth.test.ts | Adds unit coverage for embed-token storage/header injection and URL stripping.
frontend/src/core/embed-auth.ts | Implements embed-token storage (sessionStorage), URL consumption, and header injection helpers.
frontend/src/core/auth/AuthProvider.tsx | Sends embed auth header on /api/v1/auth/me and avoids login redirect loops for embeds.
frontend/src/core/api/fetcher.ts | Injects X-DeerFlow-Embed-Token into REST fetch wrapper and changes 401 behavior in embed context.
frontend/src/core/api/api-client.ts | Injects X-DeerFlow-Embed-Token into LangGraph SDK requests via onRequest.
frontend/src/app/embed/chats/[thread_id]/page.tsx | Adds embed route that re-exports the existing workspace chat page.
frontend/src/app/embed/chats/[thread_id]/layout.tsx | Provides an embed-specific layout/providers wrapper and token bootstrap hook.
frontend/src/app/embed/chats/[thread_id]/embed-token-bootstrap.tsx | Client bootstrap to consume and strip the embed token from the URL.
frontend/AGENTS.md | Updates frontend agent docs to include the new embed route and embed-auth domain.
backend/tests/test_csrf_middleware.py | Adds CSRF middleware regression tests for valid/invalid embed-token behavior.
backend/tests/test_auth_middleware.py | Adds auth middleware regression tests for embed-token stamping/rejection.
backend/README.md | Documents /embed/chats/{thread_id} and X-DeerFlow-Embed-Token at the backend module level.
backend/docs/CONFIGURATION.md | Documents DEERFLOW_EMBED_TOKEN_SECRET configuration and embed flow behavior.
backend/app/gateway/embed_auth.py | Introduces embed-token signing/verifying and request thread binding logic.
backend/app/gateway/deps.py | Allows get_current_user_from_request to return the embed-stamped request user.
backend/app/gateway/csrf_middleware.py | Adds embed-token-aware CSRF bypass for state-changing requests.
backend/app/gateway/auth_middleware.py | Accepts embed-token auth and stamps AUTH_SOURCE_EMBED.
backend/app/gateway/auth_disabled.py | Adds AUTH_SOURCE_EMBED constant.
backend/AGENTS.md | Documents embed auth behavior in backend agent guidance.

Comment on lines +103 to +108
elif embed_token:
try:
user = get_embed_user_from_request(request)
except EmbedTokenError as exc:
return JSONResponse(status_code=401, content={"detail": str(exc)})
auth_source = AUTH_SOURCE_EMBED
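Review bot: the 401 response in this branch returns `str(exc)` verbatim, so whatever `EmbedTokenError` says about why verification failed (bad signature, expired, wrong thread) is sent straight back to the embedding page. Prefer a fixed body such as `{"detail": "invalid embed token"}` on the wire and log the specific reason server-side. Also confirm that this `elif embed_token:` branch is only reachable when `DEERFLOW_EMBED_TOKEN_SECRET` is actually configured, so an unset secret disables embed auth rather than being treated as an empty key; a regression test for the unset-secret case would make that explicit.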
Comment thread README.md
- `assistant_id: lead_agent` calls the default LangGraph assistant directly.
- If `assistant_id` is set to a custom agent name, DeerFlow still routes through `lead_agent` and injects that value as `agent_name`, so the custom agent's SOUL/config takes effect for IM channels.
- IM channel workers call Gateway's LangGraph-compatible API internally and automatically attach process-local internal auth plus the CSRF cookie/header pair required for thread and run creation.
- Orpheus iframe embeds can use `DEERFLOW_EMBED_TOKEN_SECRET` to sign short-lived `/embed/chats/{thread_id}` access tokens; Gateway accepts `X-DeerFlow-Embed-Token` only for the token-bound thread.
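Review bot: this README line is the only place on the page that explains the feature and it leaves two things an integrator needs undefined: what "Orpheus" is (the maintainer asks the same question above) and what "short-lived" means in seconds. State the token lifetime and the signing scheme here, or link to where CONFIGURATION.md states them, and say explicitly that a token is rejected for any thread other than the one it was signed for, which is what "token-bound thread" implies.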
Comment on lines +20 to +22
export function getEmbedToken(): string | null {
if (!isBrowser()) return null;
const urlToken = readTokenFromLocation();
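Review bot: `readTokenFromLocation()` takes the token from the page URL, so by the time the bootstrap strips it the token has already passed through browser history, any Referer header sent from this page, and proxy or CDN access logs. Keep the lifetime as short as the description promises, make sure the stripping bootstrap runs before any navigation or outbound request, and persist only into sessionStorage (as the summary states) rather than localStorage so the token does not outlive the tab; a unit test asserting that `getEmbedToken()` never reads localStorage would pin that down.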