feat(organization): add organization support

Author: duanhongyi

rootfs/Dockerfile

@@ -4,7 +4,7 @@ FROM registry.drycc.cc/drycc/base:${CODENAME} as build-app
 ADD web /web
 WORKDIR /web
 
-ENV NODE_VERSION="22"
+ENV NODE_VERSION="24"
 
 RUN install-stack node $NODE_VERSION && . init-stack \
   && npm install --global yarn \
@@ -16,7 +16,7 @@ FROM registry.drycc.cc/drycc/base:${CODENAME}
 ARG DRYCC_UID=1001 \
   DRYCC_GID=1001 \
   DRYCC_HOME_DIR=/workspace \
-  PYTHON_VERSION="3.13"
+  PYTHON_VERSION="3.14"
 
 RUN groupadd drycc --gid ${DRYCC_GID} \
   && useradd drycc -u ${DRYCC_UID} -g ${DRYCC_GID} -s /bin/bash -m -d ${DRYCC_HOME_DIR}

rootfs/Dockerfile.test

@@ -1,10 +1,31 @@
+ARG CODENAME
+FROM registry.drycc.cc/drycc/base:${CODENAME} as build-app
+
+ADD web /web
+WORKDIR /web
+
+ENV NODE_VERSION="24"
+
+RUN install-stack node $NODE_VERSION && . init-stack \
+  && npm install --global yarn \
+  && yarn install \
+  && yarn build
+
+
 ARG CODENAME
 FROM registry.drycc.cc/drycc/base:${CODENAME}
 
-ARG DRYCC_HOME_DIR=/workspace \
-  PYTHON_VERSION="3.13" \
-  POSTGRES_VERSION="17.6" \
-  GOSU_VERSION="1.18"
+ARG DRYCC_UID=1001 \
+  DRYCC_GID=1001 \
+  DRYCC_HOME_DIR=/workspace \
+  PYTHON_VERSION="3.14" \
+  VALKEY_VERSION="9.0.1" \
+  POSTGRES_VERSION="18.1" \
+  GOSU_VERSION="1.19"
+
+
+RUN groupadd drycc --gid ${DRYCC_GID} \
+  && useradd drycc -u ${DRYCC_UID} -g ${DRYCC_GID} -s /bin/bash -m -d ${DRYCC_HOME_DIR}
 
 ENV PGDATA="/var/lib/postgresql/data"
 
@@ -16,6 +37,7 @@ RUN buildDeps='gcc rustc cargo libffi-dev musl-dev libldap2-dev libsasl2-dev'; \
   && curl -SsL https://cli.codecov.io/latest/$([ $(dpkg --print-architecture) == "arm64" ] && echo linux-arm64 || echo linux)/codecov -o /usr/local/bin/codecov \
   && chmod +x /usr/local/bin/codecov \
   && install-stack python $PYTHON_VERSION \
+  && install-stack valkey $VALKEY_VERSION \
   && install-stack postgresql $POSTGRES_VERSION \
   && install-stack gosu $GOSU_VERSION && . init-stack \
   && python3 -m venv ${DRYCC_HOME_DIR}/.venv \
@@ -50,6 +72,9 @@ RUN buildDeps='gcc rustc cargo libffi-dev musl-dev libldap2-dev libsasl2-dev'; \
   && gosu postgres initdb -D $PGDATA
 
 COPY . ${DRYCC_HOME_DIR}
+COPY --chown=${DRYCC_UID}:${DRYCC_GID} . ${DRYCC_HOME_DIR}
+COPY --chown=${DRYCC_UID}:${DRYCC_GID} --from=build-app /web/dist ${DRYCC_HOME_DIR}/web/dist
+
 WORKDIR ${DRYCC_HOME_DIR}
 CMD ["bin/boot"]
 EXPOSE 8000

rootfs/api/exceptions.py

@@ -43,7 +43,6 @@ def custom_exception_handler(exc, context):
 
     # No response means DRF couldn't handle it
     # Output a generic 500 in a JSON format
-    print(response)
     if response is None:
         logging.exception('Uncaught Exception', exc_info=exc)
         set_rollback()

rootfs/api/migrations/0004_organization_organizationinvitation_and_more.py

@@ -0,0 +1,55 @@
+# Generated by Django 5.2.8 on 2025-12-29 07:46
+
+import api.validators
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0003_application_allowed_origins_and_more'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Organization',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.SlugField(max_length=255, unique=True, validators=[api.validators.OrganizationNameValidator()], verbose_name='organization name')),
+                ('email', models.EmailField(max_length=254, verbose_name='email address')),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('updated', models.DateTimeField(auto_now=True)),
+            ],
+        ),
+        migrations.CreateModel(
+            name='OrganizationInvitation',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('email', models.EmailField(max_length=254, verbose_name='email address')),
+                ('token', models.CharField(max_length=128, unique=True)),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('accepted', models.BooleanField(default=False, verbose_name='accepted')),
+                ('inviter', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+                ('organization', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.organization')),
+            ],
+            options={
+                'unique_together': {('email', 'organization')},
+            },
+        ),
+        migrations.CreateModel(
+            name='OrganizationMember',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('role', models.CharField(choices=[('admin', 'Admin'), ('member', 'Member')], max_length=50)),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('updated', models.DateTimeField(auto_now=True)),
+                ('organization', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.organization')),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'unique_together': {('user', 'organization')},
+            },
+        ),
+    ]

rootfs/api/migrations/0005_organizationmember_alerts.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.2.8 on 2026-01-14 09:02
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0004_organization_organizationinvitation_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='organizationmember',
+            name='alerts',
+            field=models.BooleanField(default=True),
+        ),
+    ]

rootfs/api/models.py

@@ -2,7 +2,7 @@
 from django.contrib.auth.models import AbstractUser
 from django.utils.translation import gettext_lazy as _
 from oauth2_provider.models import AbstractApplication
-from .validators import UsernameValidator
+from .validators import UsernameValidator, OrganizationNameValidator
 
 
 class User(AbstractUser):
@@ -16,3 +16,67 @@ def allows_grant_type(self, *grant_types):
         return self.GRANT_AUTHORIZATION_CODE in grant_types or super().allows_grant_type(
             *grant_types
         )
+
+
+class Organization(models.Model):
+    name = models.SlugField(
+        _("organization name"),
+        max_length=255,
+        unique=True,
+        validators=[OrganizationNameValidator()],
+    )
+    email = models.EmailField(_("email address"))
+    created = models.DateTimeField(auto_now_add=True)
+    updated = models.DateTimeField(auto_now=True)
+
+    def __str__(self):
+        return self.name
+
+
+class OrganizationMember(models.Model):
+    role_choices = [
+        ('admin', 'Admin'),
+        ('member', 'Member'),
+    ]
+
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    organization = models.ForeignKey(Organization, on_delete=models.CASCADE)
+    role = models.CharField(max_length=50, choices=role_choices)
+    alerts = models.BooleanField(default=True)
+    created = models.DateTimeField(auto_now_add=True)
+    updated = models.DateTimeField(auto_now=True)
+
+    class Meta:
+        unique_together = ('user', 'organization')
+
+    def __str__(self):
+        return f"{self.user.username} - {self.organization.name} ({self.role})"
+
+
+class OrganizationInvitation(models.Model):
+    email = models.EmailField(_("email address"))
+    token = models.CharField(max_length=128, unique=True)
+    organization = models.ForeignKey(Organization, on_delete=models.CASCADE)
+    inviter = models.ForeignKey(User, on_delete=models.CASCADE)
+    created = models.DateTimeField(auto_now_add=True)
+    accepted = models.BooleanField(_("accepted"), default=False)
+
+    class Meta:
+        unique_together = ('email', 'organization')
+
+    def accept(self):
+        user = User.objects.filter(email=self.email).first()
+        if not user or self.accepted:
+            return
+        OrganizationMember.objects.get_or_create(
+            user=user, organization=self.organization, defaults={'role': 'member'})
+        self.accepted = True
+        self.save()
+
+    @classmethod
+    def bulk_accept_by_email(cls, email):
+        for invitation in OrganizationInvitation.objects.filter(email=email, accepted=False):
+            invitation.accept()
+
+    def __str__(self):
+        return f"Invitation for {self.email} to join {self.organization.name}"

rootfs/api/serializers.py

@@ -9,6 +9,8 @@
 from rest_framework import serializers
 
 from api.utils import timestamp2datetime
+from api.validators import OrganizationNameValidator
+from api.models import Organization, OrganizationMember, OrganizationInvitation
 
 User = get_user_model()
 logger = logging.getLogger(__name__)
@@ -74,3 +76,38 @@ class Meta:
         fields = '__all__'
         read_only_fields = ['action_time', 'user', 'content_type', 'object_id',
                             'object_repr', 'action_flag', 'change_message']
+
+
+class OrganizationSerializer(serializers.ModelSerializer):
+    """Serialize Organization model."""
+
+    class Meta:
+        model = Organization
+        fields = '__all__'
+        read_only_fields = ['id', 'created', 'updated']
+        extra_kwargs = {
+            'name': {'validators': [OrganizationNameValidator()]}
+        }
+
+
+class OrganizationMemberSerializer(serializers.ModelSerializer):
+    """Serialize OrganizationMember model."""
+    user = serializers.ReadOnlyField(source='user.username')
+    email = serializers.ReadOnlyField(source='user.email')
+    organization = serializers.ReadOnlyField(source='organization.name')
+
+    class Meta:
+        model = OrganizationMember
+        fields = '__all__'
+        read_only_fields = ['id', 'created', 'updated']
+
+
+class OrganizationInvitationSerializer(serializers.ModelSerializer):
+    """Serialize OrganizationInvitation model."""
+    inviter = serializers.ReadOnlyField(source='inviter.username')
+    organization = serializers.ReadOnlyField(source='organization.name')
+
+    class Meta:
+        model = OrganizationInvitation
+        fields = '__all__'
+        read_only_fields = ['id', 'token', 'created']

rootfs/api/settings/production.py

@@ -168,6 +168,7 @@
 SECURE_BROWSER_XSS_FILTER = True
 CSRF_COOKIE_SECURE = os.environ.get('CSRF_COOKIE_SECURE', 'false').lower() == "true"
 SESSION_COOKIE_SECURE = os.environ.get('SESSION_COOKIE_SECURE', 'false').lower() == "true"
+CSRF_TRUSTED_ORIGINS = [r for r in os.environ.get('CSRF_TRUSTED_ORIGINS', '').split(',') if r]
 
 # Honor HTTPS from a trusted proxy
 # see https://docs.djangoproject.com/en/2.2/ref/settings/#secure-proxy-ssl-header
@@ -274,7 +275,7 @@
 SECRET_KEY = os.environ.get('DRYCC_SECRET_KEY', random_secret)
 
 # database default setting
-DRYCC_DATABASE_URL = os.environ.get('DRYCC_DATABASE_URL', 'postgres://postgres:123456@49.232.207.93:5432/drycc_passport')  # noqa
+DRYCC_DATABASE_URL = os.environ.get('DRYCC_DATABASE_URL', 'postgres://postgres:@:5432/passport')
 DATABASES = {
     'default': dj_database_url.config(default=DRYCC_DATABASE_URL)
 }
@@ -325,9 +326,6 @@
     "DEFAULT_CODE_CHALLENGE_METHOD": 'S256',
 }
 OAUTH2_PROVIDER_APPLICATION_MODEL = 'api.Application'
-# Valkey Configuration
-DRYCC_VALKEY_ADDRS = os.environ.get('DRYCC_VALKEY_ADDRS', '127.0.0.1:6379').split(",")
-DRYCC_VALKEY_PASSWORD = os.environ.get('DRYCC_VALKEY_PASSWORD', '')
 
 # Cache Valkey Configuration
 CACHES = {
@@ -402,6 +400,9 @@
 # username regex
 USERNAME_REGEX = os.environ.get('USERNAME_REGEX', '^[a-z][a-z0-9]{4,}$')
 
+# organization name regex
+ORGANIZATION_NAME_REGEX = os.environ.get('ORGANIZATION_NAME_REGEX', '^[0-9a-z]{5,255}$')
+
 # reserved username
 RESERVED_USERNAMES_PATH = os.environ.get(
     'RESERVED_USERNAMES_PATH', '/etc/drycc/passport/reserved-usernames.txt')

rootfs/api/static/icons/logo.svg

@@ -0,0 +1,7 @@
+{% autoescape off %}
+Hi there,
+
+Please click on the link below to confirm joining {{ invitation.organization.name }} organization:
+
+{{ domain }}{% url 'organization_invitation_detail' name=invitation.organization.name uid=invitation.token %}
+{% endautoescape %}