feat: Implement authorization mode for wiki generation (#185)

This commit introduces an authorization mode for the wiki generation feature.
When enabled via environment variables, you must provide a valid authorization
code to generate a wiki.

Key changes:

- Backend:
    - Added `DEEPWIKI_AUTH_MODE` and `DEEPWIKI_AUTH_CODE` environment variables to control the feature.
    - Created an `/auth/status` endpoint to inform the frontend if auth is required.
    - Created an `/auth/validate` endpoint for validating the authorization code if auth is required.
    - Updated the Delete Wiki Cache request parameters to include an `auth_code`.
    - Implemented an authorization check in the Delete Wiki Cache handler to validate the `auth_code` if auth mode is active.
- Frontend:
    - The main page now fetches the auth status from the backend.
    - The configuration modal and the model selection modal conditionally display an input field for the authorization code if required.
    - The `auth_code` is sent to the backend for checking before the wiki generation request and during the wiki cache deletion.
- Documentation:
    - `README.md` and `README.zh.md` have been updated to explain the new environment variables and the authorization feature.

This allows administrators to restrict wiki generation capabilities to authorized users in the front end, but not prevent the redirect to backend generate interface. This is becauce that it hard to make diffrences the request is for asking or generating, and the more important thing for administrators is to protect the pages which have generated, but not prevent user to generate the own page.

So this can not prevent user to generate his own page completely but is aimed to protect the pages generated by  administrators.

Author: szl97

README.md

@@ -303,9 +303,23 @@ docker-compose up
 | `OLLAMA_HOST`        | Ollama Host (default: http://localhost:11434)                | No | Required only if you want to use external Ollama server                                                  |
 | `PORT`               | Port for the API server (default: 8001)                      | No | If you host API and frontend on the same machine, make sure change port of `SERVER_BASE_URL` accordingly |
 | `SERVER_BASE_URL`    | Base URL for the API server (default: http://localhost:8001) | No |
+| `DEEPWIKI_AUTH_MODE` | Set to `true` or `1` to enable authorization mode. | No | Defaults to `false`. If enabled, `DEEPWIKI_AUTH_CODE` is required. |
+| `DEEPWIKI_AUTH_CODE` | The secret code required for wiki generation when `DEEPWIKI_AUTH_MODE` is enabled. | No | Only used if `DEEPWIKI_AUTH_MODE` is `true` or `1`. |
 
 If you're not using ollama mode, you need to configure an OpenAI API key for embeddings. Other API keys are only required when configuring and using models from the corresponding providers.
 
+## Authorization Mode
+
+DeepWiki can be configured to run in an authorization mode, where wiki generation requires a valid authorization code. This is useful if you want to control who can use the generation feature.
+Restricts frontend initiation and protects cache deletion, but doesn't fully prevent backend generation if API endpoints are hit directly.
+
+To enable authorization mode, set the following environment variables:
+
+- `DEEPWIKI_AUTH_MODE`: Set this to `true` or `1`. When enabled, the frontend will display an input field for the authorization code.
+- `DEEPWIKI_AUTH_CODE`: Set this to the desired secret code. Restricts frontend initiation and protects cache deletion, but doesn't fully prevent backend generation if API endpoints are hit directly.
+
+If `DEEPWIKI_AUTH_MODE` is not set or is set to `false` (or any other value than `true`/`1`), the authorization feature will be disabled, and no code will be required.
+
 ### Docker Setup
 
 You can use Docker to run DeepWiki:

README.zh.md

@@ -310,9 +310,25 @@ OPENAI_BASE_URL=https://custom-api-endpoint.com/v1  # 可选，用于自定义Op
 
 # 配置目录
 DEEPWIKI_CONFIG_DIR=/path/to/custom/config/dir  # 可选，用于自定义配置文件位置
+
+# 授权模式
+DEEPWIKI_AUTH_MODE=true  # 设置为 true 或 1 以启用授权模式
+DEEPWIKI_AUTH_CODE=your_secret_code # 当 DEEPWIKI_AUTH_MODE 启用时所需的授权码
 ```
 如果不使用ollama模式，那么需要配置OpenAI API密钥用于embeddings。其他密钥只有配置并使用使用对应提供商的模型时才需要。
 
+## 授权模式
+
+DeepWiki 可以配置为在授权模式下运行，在该模式下，生成 Wiki 需要有效的授权码。如果您想控制谁可以使用生成功能，这将非常有用。
+限制使用前端页面生成wiki并保护已生成页面的缓存删除，但无法完全阻止直接访问 API 端点生成wiki。主要目的是为了保护管理员已生成的wiki页面，防止被访问者重新生成。
+
+要启用授权模式，请设置以下环境变量：
+
+- `DEEPWIKI_AUTH_MODE`: 将此设置为 `true` 或 `1`。启用后，前端将显示一个用于输入授权码的字段。
+- `DEEPWIKI_AUTH_CODE`: 将此设置为所需的密钥。限制使用前端页面生成wiki并保护已生成页面的缓存删除，但无法完全阻止直接访问 API 端点生成wiki。
+
+如果未设置 `DEEPWIKI_AUTH_MODE` 或将其设置为 `false`（或除 `true`/`1` 之外的任何其他值），则授权功能将被禁用，并且不需要任何代码。
+
 ### 配置文件
 
 DeepWiki使用JSON配置文件管理系统的各个方面：

api/api.py

@@ -123,7 +123,24 @@ class ModelConfig(BaseModel):
     providers: List[Provider] = Field(..., description="List of available model providers")
     defaultProvider: str = Field(..., description="ID of the default provider")
 
-from api.config import configs
+class AuthorizationConfig(BaseModel):
+    code: str = Field(..., description="Authorization code")
+
+from api.config import configs, WIKI_AUTH_MODE, WIKI_AUTH_CODE
+
+@app.get("/auth/status")
+async def get_auth_status():
+    """
+    Check if authentication is required for the wiki.
+    """
+    return {"auth_required": WIKI_AUTH_MODE}
+
+@app.post("/auth/validate")
+async def validate_auth_code(request: AuthorizationConfig):
+    """
+    Check authorization code.
+    """
+    return {"success": WIKI_AUTH_CODE == request.code}
 
 @app.get("/models/config", response_model=ModelConfig)
 async def get_model_config():
@@ -454,11 +471,17 @@ async def delete_wiki_cache(
     owner: str = Query(..., description="Repository owner"),
     repo: str = Query(..., description="Repository name"),
     repo_type: str = Query(..., description="Repository type (e.g., github, gitlab)"),
-    language: str = Query(..., description="Language of the wiki content")
+    language: str = Query(..., description="Language of the wiki content"),
+    authorization_code: str = Query(..., description="Authorization code")
 ):
     """
     Deletes a specific wiki cache from the file system.
     """
+    if WIKI_AUTH_MODE:
+        logger.info("check the authorization code")
+        if WIKI_AUTH_CODE != authorization_code:
+            raise HTTPException(status_code=401, detail="Authorization code is invalid")
+
     logger.info(f"Attempting to delete wiki cache for {owner}/{repo} ({repo_type}), lang: {language}")
     cache_path = get_wiki_cache_path(owner, repo, repo_type, language)
 
@@ -497,7 +520,9 @@ async def root():
             "Wiki": [
                 "POST /export/wiki - Export wiki content as Markdown or JSON",
                 "GET /api/wiki_cache - Retrieve cached wiki data",
-                "POST /api/wiki_cache - Store wiki data to cache"
+                "POST /api/wiki_cache - Store wiki data to cache",
+                "GET /auth/status - Check if wiki authentication is enabled",
+                "POST /auth/validate - Check if wiki authentication is valid"
             ],
             "LocalRepo": [
                 "GET /local_repo/structure - Get structure of a local repository (with path parameter)",

api/config.py

@@ -37,6 +37,11 @@
 if AWS_ROLE_ARN:
     os.environ["AWS_ROLE_ARN"] = AWS_ROLE_ARN
 
+# Wiki authentication settings
+raw_auth_mode = os.environ.get('DEEPWIKI_AUTH_MODE', 'False')
+WIKI_AUTH_MODE = raw_auth_mode.lower() in ['true', '1', 't']
+WIKI_AUTH_CODE = os.environ.get('DEEPWIKI_AUTH_CODE', '')
+
 # Get configuration directory from environment variable, or use default if not set
 CONFIG_DIR = os.environ.get('DEEPWIKI_CONFIG_DIR', None)
 

next.config.ts

@@ -51,6 +51,14 @@ const nextConfig: NextConfig = {
         source: '/local_repo/structure',
         destination: `${TARGET_SERVER_BASE_URL}/local_repo/structure`,
       },
+      {
+        source: '/api/auth/status',
+        destination: `${TARGET_SERVER_BASE_URL}/auth/status`,
+      },
+      {
+        source: '/api/auth/validate',
+        destination: `${TARGET_SERVER_BASE_URL}/auth/validate`,
+      },
     ];
   },
 };

src/app/[owner]/[repo]/page.tsx

@@ -245,6 +245,11 @@ export default function RepoWikiPage() {
   const [isAskModalOpen, setIsAskModalOpen] = useState(false);
   const askComponentRef = useRef<{ clearConversation: () => void } | null>(null);
 
+  // Authentication state
+  const [authRequired, setAuthRequired] = useState<boolean>(false);
+  const [authCode, setAuthCode] = useState<string>('');
+  const [isAuthLoading, setIsAuthLoading] = useState<boolean>(true);
+
   // Memoize repo info to avoid triggering updates in callbacks
 
   // Add useEffect to handle scroll reset
@@ -256,6 +261,29 @@ export default function RepoWikiPage() {
     }
   }, [currentPageId]);
 
+  // Fetch authentication status on component mount
+  useEffect(() => {
+    const fetchAuthStatus = async () => {
+      try {
+        setIsAuthLoading(true);
+        const response = await fetch('/api/auth/status');
+        if (!response.ok) {
+          throw new Error(`HTTP error! status: ${response.status}`);
+        }
+        const data = await response.json();
+        setAuthRequired(data.auth_required);
+      } catch (err) {
+        console.error("Failed to fetch auth status:", err);
+        // Assuming auth is required if fetch fails to avoid blocking UI for safety
+        setAuthRequired(true);
+      } finally {
+        setIsAuthLoading(false);
+      }
+    };
+
+    fetchAuthStatus();
+  }, []);
+
   // Generate content for a wiki page
   const generatePageContent = useCallback(async (page: WikiPage, owner: string, repo: string) => {
     return new Promise<void>(async (resolve) => {
@@ -1378,6 +1406,7 @@ IMPORTANT:
         is_custom_model: isCustomSelectedModelState.toString(),
         custom_model: customSelectedModelState,
         comprehensive: isComprehensiveView.toString(),
+        authorization_code: authCode,
       });
 
       // Add file filters configuration
@@ -1387,8 +1416,17 @@ IMPORTANT:
       if (modelExcludedFiles) {
         params.append('excluded_files', modelExcludedFiles);
       }
+
+      if(authRequired && !authCode) {
+        console.warn("Authorization code is required");
+        return;
+      }
+
       const response = await fetch(`/api/wiki_cache?${params.toString()}`, {
         method: 'DELETE',
+        headers: {
+          'Accept': 'application/json',
+        }
       });
 
       if (response.ok) {
@@ -1400,11 +1438,17 @@ IMPORTANT:
         console.warn(`Failed to clear server-side wiki cache (status: ${response.status}): ${errorText}. Proceeding with refresh anyway.`);
         // Optionally, inform the user about the cache clear failure but that refresh will still attempt
         // setError(\`Cache clear failed: ${errorText}. Trying to refresh...\`);
+        if(response.status == 401) {
+          setIsLoading(false);
+          throw new Error('Failed to validate the authorization code');
+        }
       }
     } catch (err) {
       console.warn('Error calling DELETE /api/wiki_cache:', err);
+      setIsLoading(false);
       // Optionally, inform the user about the cache clear error
       // setError(\`Error clearing cache: ${err instanceof Error ? err.message : String(err)}. Trying to refresh...\`);
+      throw err;
     }
 
     // Update token if provided
@@ -1451,7 +1495,7 @@ IMPORTANT:
     // For now, we rely on the standard loadData flow initiated by resetting effectRan and dependencies.
     // This will re-trigger the main data loading useEffect.
     // No direct call to fetchRepositoryStructure here, let the useEffect handle it based on effectRan.current = false.
-  }, [effectiveRepoInfo, language, messages.loading, activeContentRequests, selectedProviderState, selectedModelState, isCustomSelectedModelState, customSelectedModelState, modelExcludedDirs, modelExcludedFiles, isComprehensiveView]);
+  }, [effectiveRepoInfo, language, messages.loading, activeContentRequests, selectedProviderState, selectedModelState, isCustomSelectedModelState, customSelectedModelState, modelExcludedDirs, modelExcludedFiles, isComprehensiveView, authCode, authRequired]);
 
   // Start wiki generation when component mounts
   useEffect(() => {
@@ -1632,7 +1676,7 @@ IMPORTANT:
 
     // Clean up function for this effect is not strictly necessary for loadData,
     // but keeping the main unmount cleanup in the other useEffect
-  }, [effectiveRepoInfo.owner, effectiveRepoInfo.repo, effectiveRepoInfo.type, language, fetchRepositoryStructure, messages.loading?.fetchingCache, isComprehensiveView]);
+  }, [effectiveRepoInfo, effectiveRepoInfo.owner, effectiveRepoInfo.repo, effectiveRepoInfo.type, language, fetchRepositoryStructure, messages.loading?.fetchingCache, isComprehensiveView]);
 
   // Save wiki to server-side cache when generation is complete
   useEffect(() => {
@@ -1689,7 +1733,7 @@ IMPORTANT:
     };
 
     saveCache();
-  }, [isLoading, error, wikiStructure, generatedPages, effectiveRepoInfo.owner, effectiveRepoInfo.repo, effectiveRepoInfo.type, language, isComprehensiveView]);
+  }, [isLoading, error, wikiStructure, generatedPages, effectiveRepoInfo.owner, effectiveRepoInfo.repo, effectiveRepoInfo.type, effectiveRepoInfo.repoUrl, repoUrl, language, isComprehensiveView]);
 
   const handlePageSelect = (pageId: string) => {
     if (currentPageId != pageId) {
@@ -2023,6 +2067,10 @@ IMPORTANT:
         showWikiType={true}
         showTokenInput={effectiveRepoInfo.type !== 'local' && !currentToken} // Show token input if not local and no current token
         repositoryType={effectiveRepoInfo.type as 'github' | 'gitlab' | 'bitbucket'}
+        authRequired={authRequired}
+        authCode={authCode}
+        setAuthCode={setAuthCode}
+        isAuthLoading={isAuthLoading}
       />
     </div>
   );

src/app/api/wiki/projects/route.ts

@@ -19,13 +19,14 @@ interface DeleteProjectCachePayload {
 }
 
 /** Type guard to validate DeleteProjectCachePayload at runtime */
-function isDeleteProjectCachePayload(obj: any): obj is DeleteProjectCachePayload {
+function isDeleteProjectCachePayload(obj: unknown): obj is DeleteProjectCachePayload {
   return (
     obj != null &&
-    typeof obj.owner === 'string' && obj.owner.trim() !== '' &&
-    typeof obj.repo === 'string' && obj.repo.trim() !== '' &&
-    typeof obj.repo_type === 'string' && obj.repo_type.trim() !== '' &&
-    typeof obj.language === 'string' && obj.language.trim() !== ''
+    typeof obj === 'object' &&
+    'owner' in obj && typeof (obj as Record<string, unknown>).owner === 'string' && ((obj as Record<string, unknown>).owner as string).trim() !== '' &&
+    'repo' in obj && typeof (obj as Record<string, unknown>).repo === 'string' && ((obj as Record<string, unknown>).repo as string).trim() !== '' &&
+    'repo_type' in obj && typeof (obj as Record<string, unknown>).repo_type === 'string' && ((obj as Record<string, unknown>).repo_type as string).trim() !== '' &&
+    'language' in obj && typeof (obj as Record<string, unknown>).language === 'string' && ((obj as Record<string, unknown>).language as string).trim() !== ''
   );
 }
 

src/app/page.tsx

@@ -96,11 +96,39 @@ export default function Home() {
   const [isSubmitting, setIsSubmitting] = useState(false);
   const [selectedLanguage, setSelectedLanguage] = useState<string>(language);
 
+  // Authentication state
+  const [authRequired, setAuthRequired] = useState<boolean>(false);
+  const [authCode, setAuthCode] = useState<string>('');
+  const [isAuthLoading, setIsAuthLoading] = useState<boolean>(true);
+
   // Sync the language context with the selectedLanguage state
   useEffect(() => {
     setLanguage(selectedLanguage);
   }, [selectedLanguage, setLanguage]);
 
+  // Fetch authentication status on component mount
+  useEffect(() => {
+    const fetchAuthStatus = async () => {
+      try {
+        setIsAuthLoading(true);
+        const response = await fetch('/api/auth/status');
+        if (!response.ok) {
+          throw new Error(`HTTP error! status: ${response.status}`);
+        }
+        const data = await response.json();
+        setAuthRequired(data.auth_required);
+      } catch (err) {
+        console.error("Failed to fetch auth status:", err);
+        // Assuming auth is required if fetch fails to avoid blocking UI for safety
+        setAuthRequired(true);
+      } finally {
+        setIsAuthLoading(false);
+      }
+    };
+
+    fetchAuthStatus();
+  }, []);
+
   // Parse repository URL/input and extract owner and repo
   const parseRepositoryInput = (input: string): {
     owner: string,
@@ -181,7 +209,39 @@ export default function Home() {
     setIsConfigModalOpen(true);
   };
 
-  const handleGenerateWiki = () => {
+  const validateAuthCode = async () => {
+    try {
+      if(authRequired) {
+        if(!authCode) {
+          return false;
+        }
+        const response = await fetch('/api/auth/validate', {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({'code': authCode})
+        });
+        if (!response.ok) {
+          return false;
+        }
+        const data = await response.json();
+        return data.success || false;
+      }
+    } catch {
+      return false;
+    }
+    return true;
+  };
+
+  const handleGenerateWiki = async () => {
+
+    // Check authorization code
+    const validation = await validateAuthCode();
+    if(!validation) {
+      throw new Error('Failed to validate the authorization code');
+    }
+
     // Prevent multiple submissions
     if (isSubmitting) {
       console.log('Form submission already in progress, ignoring duplicate click');
@@ -329,6 +389,10 @@ export default function Home() {
             setIncludedFiles={setIncludedFiles}
             onSubmit={handleGenerateWiki}
             isSubmitting={isSubmitting}
+            authRequired={authRequired}
+            authCode={authCode}
+            setAuthCode={setAuthCode}
+            isAuthLoading={isAuthLoading}
           />
 
         </div>

src/components/Ask.tsx

@@ -882,6 +882,8 @@ const Ask: React.FC<AskProps> = ({
           console.log('Model selection applied:', selectedProvider, selectedModel);
         }}
         showWikiType={false}
+        authRequired={false}
+        isAuthLoading={false}
       />
     </div>
   );