@asukaminato0721

Important

  1. Make sure you have read our contribution guidelines
  2. Ensure there is an associated issue and you have been assigned to it
  3. Use the correct syntax to link this PR: Fixes #<issue number>.

Summary

part of #31456

Screenshots

Before After
... ...

Checklist

  • This change requires a documentation update, included: Dify Document
  • I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
  • I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • I've updated the documentation accordingly.
  • I ran make lint and make type-check (backend) and cd web && npx lint-staged (frontend) to appease the lint gods

Copilot AI review requested due to automatic review settings January 26, 2026 08:49
@dosubot dosubot bot added size:XL This PR changes 500-999 lines, ignoring generated files. refactor labels Jan 26, 2026
@gemini-code-assist

Summary of Changes

Hello @asukaminato0721, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request modernizes the API key management system by migrating its backend implementation from flask_restx to fastopenapi. This refactoring aims to improve the API's robustness, maintainability, and clarity through the adoption of Pydantic for data serialization and validation, and a more functional approach to endpoint definition. The change impacts how API keys for both applications and datasets are handled, providing a more consistent and type-safe API layer.

Highlights

  • API Framework Migration: The API key management endpoints for applications and datasets have been refactored from flask_restx to fastopenapi, leveraging Pydantic for data modeling and validation.
  • Code Structure Improvement: Common logic for API key operations (listing, creating, deleting, and resource retrieval) has been extracted into dedicated helper functions, enhancing modularity and reusability.
  • Type Safety and Validation: New Pydantic models (ApiKeyItem, ApiKeyListResponse, DeleteResponse) have been introduced to provide clear, type-hinted data structures for API requests and responses, improving API contract definition.
  • Error Handling Modernization: Error handling has been updated to use werkzeug.exceptions (e.g., BadRequest, Forbidden, NotFound) for more standardized and explicit error responses, replacing flask_restx.abort.
  • New Unit Tests: A new unit test file, api/tests/unit_tests/controllers/console/test_fastopenapi_apikey.py, has been added to ensure the correct functionality of the refactored fastopenapi endpoints.



@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request refactors the API key management endpoints from flask-restx to fastopenapi and pydantic, which is a great step towards modernizing the API. The code is now more structured with helper functions and clear data models. However, I've identified a couple of critical issues that need to be addressed before merging. There's a bug in the _get_resource function that will cause it to fail, and a significant security vulnerability in the _delete_api_key function that could lead to unauthorized data deletion. I've also pointed out some inconsistencies in the DELETE endpoints regarding HTTP standards. Please review the detailed comments for suggestions on how to resolve these issues.

Comment on lines +140 to +141

    db.session.query(ApiToken).where(ApiToken.id == api_key_id).delete()
    db.session.commit()

critical

The delete operation is only filtered by api_key_id. It does not include resource_id or other scoping parameters. This creates a security vulnerability (Insecure Direct Object Reference) where an attacker who knows an api_key_id could delete it without being authorized for the associated resource.

The key object is fetched with the correct filters on lines 127-135, so you should use it for deletion to ensure the operation is safe.

    db.session.delete(key)
    db.session.commit()
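
To make the scoping point concrete, the following is an added example (not code from this PR or from Dify) that places the unscoped delete quoted above beside a delete that first loads the key under the caller's resource scope and only then removes the fetched row, which is what the suggested db.session.delete(key) achieves. It uses the standard-library sqlite3 module with an assumed api_token table (columns resource_type and resource_id) standing in for the project's SQLAlchemy ApiToken model; the NotFound exception, the helper names and all key data are constructed for the example.

```python
"""Scoped versus unscoped API-key deletion (IDOR pattern).

Added illustration using sqlite3; the api_token table, its resource_type /
resource_id columns and the NotFound exception are assumptions for this
example, not the project's real model or error types.
"""
import sqlite3
import uuid


class NotFound(Exception):
    """No key matches the caller's resource scope (would map to HTTP 404)."""


def make_db() -> sqlite3.Connection:
    """Create an in-memory table that stands in for the ApiToken model."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_token ("
        " id TEXT PRIMARY KEY,"
        " resource_type TEXT NOT NULL,"   # e.g. 'app' or 'dataset'
        " resource_id TEXT NOT NULL,"     # owning app / dataset id
        " token TEXT NOT NULL)"
    )
    return conn


def create_key(conn: sqlite3.Connection, resource_type: str, resource_id: str) -> str:
    """Insert a constructed key for one resource and return its id."""
    key_id = str(uuid.uuid4())
    conn.execute(
        "INSERT INTO api_token VALUES (?, ?, ?, ?)",
        (key_id, resource_type, resource_id, "constructed-" + key_id[:8]),
    )
    conn.commit()
    return key_id


def key_exists(conn: sqlite3.Connection, key_id: str) -> bool:
    return conn.execute("SELECT 1 FROM api_token WHERE id = ?", (key_id,)).fetchone() is not None


def delete_unscoped(conn: sqlite3.Connection, api_key_id: str) -> None:
    """Vulnerable pattern: the WHERE clause carries only the key id.

    Equivalent of query(ApiToken).where(ApiToken.id == api_key_id).delete():
    any caller who supplies a valid id removes that key, regardless of which
    resource the caller is authorized for.
    """
    conn.execute("DELETE FROM api_token WHERE id = ?", (api_key_id,))
    conn.commit()


def delete_scoped(conn: sqlite3.Connection, resource_type: str, resource_id: str, api_key_id: str) -> None:
    """Hardened pattern: load the key with the full scope, then delete that row.

    Equivalent of fetching `key` with all filters and calling session.delete(key).
    A key belonging to another resource is indistinguishable from a missing one.
    """
    row = conn.execute(
        "SELECT id FROM api_token WHERE id = ? AND resource_type = ? AND resource_id = ?",
        (api_key_id, resource_type, resource_id),
    ).fetchone()
    if row is None:
        raise NotFound(f"no {resource_type} key {api_key_id} for resource {resource_id}")
    conn.execute("DELETE FROM api_token WHERE id = ?", (row[0],))
    conn.commit()


def demo() -> dict:
    """A caller authorized only for app-A tries both paths against app-B's key."""
    conn = make_db()
    mine = create_key(conn, "app", "app-A")
    theirs = create_key(conn, "app", "app-B")
    results = {}

    try:
        delete_scoped(conn, "app", "app-A", theirs)
        results["scoped_cross_resource_blocked"] = False
    except NotFound:
        results["scoped_cross_resource_blocked"] = True
    results["theirs_survives_scoped"] = key_exists(conn, theirs)

    delete_unscoped(conn, theirs)  # no scope check: app-B's key is gone
    results["theirs_survives_unscoped"] = key_exists(conn, theirs)

    delete_scoped(conn, "app", "app-A", mine)  # own key, correct scope
    results["mine_deleted_scoped"] = not key_exists(conn, mine)
    return results


if __name__ == "__main__":
    print(demo())
```

The scoped version also has the property the review implies: because the lookup and the delete operate on the same fetched row, a later change to the lookup filters (for example adding a tenant condition) automatically constrains the delete as well, which a second hand-written WHERE clause would not guarantee.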


Copilot AI left a comment


Pull request overview

This pull request refactors the API key management controller from flask-restx (OpenAPI v2) to FastAPI/fastopenapi (OpenAPI v3) as part of a broader migration effort. The refactor modernizes the codebase by replacing class-based views with function-based endpoints and using Pydantic models for request/response validation.

Changes:

  • Replaced flask-restx Resource classes with FastAPI-style function endpoints using @console_router decorators
  • Migrated from flask-restx marshalling to Pydantic BaseModel response models
  • Extracted business logic into reusable helper functions (_get_resource, _list_api_keys, _create_api_key, _delete_api_key)
  • Added comprehensive unit tests for the new FastAPI endpoints

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File: api/controllers/console/apikey.py
Description: Complete refactor from flask-restx to FastAPI with Pydantic models, function-based endpoints, and extracted helper functions

File: api/tests/unit_tests/controllers/console/test_fastopenapi_apikey.py
Description: New unit tests for FastAPI endpoints covering list, create, and delete operations

