feat(api): introduce select, file and file list form input types to Human Input node

api/Dockerfile

@@ -17,7 +17,7 @@ FROM base AS packages
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
           # basic environment
-          g++ \
+          git g++ \
           # for building gmpy2
           libmpfr-dev libmpc-dev
 

api/controllers/common/human_input.py

@@ -1,10 +1,40 @@
 import json
 
-from pydantic import BaseModel, JsonValue
+from pydantic import BaseModel, Field, JsonValue
+
+HUMAN_INPUT_FORM_INPUT_EXAMPLE = {
+    "decision": "approve",
+    "attachment": {
+        "transfer_method": "local_file",
+        "upload_file_id": "4e0d1b87-52f2-49f6-b8c6-95cd9c954b3e",
+        "type": "document",
+    },
+    "attachments": [
+        {
+            "transfer_method": "local_file",
+            "upload_file_id": "1a77f0df-c0e6-461c-987c-e72526f341ee",
+            "type": "document",
+        },
+        {
+            "transfer_method": "remote_url",
+            "url": "https://example.com/report.pdf",
+            "type": "document",
+        },
+    ],
+}
 
 
 class HumanInputFormSubmitPayload(BaseModel):
-    inputs: dict[str, JsonValue]
+    inputs: dict[str, JsonValue] = Field(
+        description=(
+            "Submitted human input values keyed by output variable name. "
+            "Use a string for paragraph or select input values, a file mapping for file inputs, "
+            "and a list of file mappings for file-list inputs. Local file mappings use "
+            "`transfer_method=local_file` with `upload_file_id`; remote file mappings use "
+            "`transfer_method=remote_url` with `url` or `remote_url`."
+        ),
+        examples=[HUMAN_INPUT_FORM_INPUT_EXAMPLE],
+    )
     action: str
 
 

api/controllers/service_api/app/human_input_form.py

@@ -7,6 +7,7 @@
 
 import json
 import logging
+from collections.abc import Sequence
 
 from flask import Response
 from flask_restx import Resource
@@ -18,6 +19,7 @@
 from controllers.service_api.wraps import FetchUserArg, WhereisUserArg, validate_app_token
 from core.workflow.human_input_policy import HumanInputSurface, is_recipient_type_allowed_for_surface
 from extensions.ext_database import db
+from graphon.nodes.human_input.entities import FormInputConfig
 from libs.helper import to_timestamp
 from models.model import App, EndUser
 from services.human_input_service import Form, FormNotFoundError, HumanInputService
@@ -28,11 +30,11 @@
 register_schema_models(service_api_ns, HumanInputFormSubmitPayload)
 
 
-def _jsonify_form_definition(form: Form) -> Response:
-    definition_payload = form.get_definition().model_dump()
+def _jsonify_form_definition(form: Form, *, inputs: Sequence[FormInputConfig] = ()) -> Response:
+    definition_payload = form.get_definition().model_dump(mode="json")
     payload = {
         "form_content": definition_payload["rendered_content"],
-        "inputs": definition_payload["inputs"],
+        "inputs": [form_input.model_dump(mode="json") for form_input in inputs],
         "resolved_default_values": stringify_form_default_values(definition_payload["default_values"]),
         "user_actions": definition_payload["user_actions"],
         "expiration_time": to_timestamp(form.expiration_time),
@@ -75,7 +77,8 @@ def get(self, app_model: App, form_token: str):
         _ensure_form_belongs_to_app(form, app_model)
         _ensure_form_is_allowed_for_service_api(form)
         service.ensure_form_active(form)
-        return _jsonify_form_definition(form)
+        inputs = service.resolve_form_inputs(form)
+        return _jsonify_form_definition(form, inputs=inputs)
 
     @service_api_ns.expect(service_api_ns.models[HumanInputFormSubmitPayload.__name__])
     @service_api_ns.doc("submit_human_input_form")

api/controllers/web/__init__.py

@@ -23,6 +23,7 @@
     feature,
     files,
     forgot_password,
+    human_input_file_upload,
     human_input_form,
     login,
     message,
@@ -46,6 +47,7 @@
     "feature",
     "files",
     "forgot_password",
+    "human_input_file_upload",
     "human_input_form",
     "login",
     "message",

api/controllers/web/human_input_file_upload.py

@@ -0,0 +1,181 @@
+import httpx
+from flask import request
+from flask_restx import Resource
+from pydantic import BaseModel, Field, HttpUrl
+
+import services
+from controllers.common import helpers
+from controllers.common.errors import (
+    BlockedFileExtensionError,
+    FileTooLargeError,
+    NoFileUploadedError,
+    RemoteFileUploadError,
+    TooManyFilesError,
+    UnsupportedFileTypeError,
+)
+from controllers.common.schema import register_schema_models
+from controllers.web import web_ns
+from core.helper import ssrf_proxy
+from extensions.ext_database import db
+from fields.file_fields import FileResponse, FileWithSignedUrl
+from graphon.file import helpers as file_helpers
+from libs.exception import BaseHTTPException
+from services.file_service import FileService
+from services.human_input_file_upload_service import (
+    HITL_UPLOAD_TOKEN_PREFIX,
+    HumanInputFileUploadService,
+    InvalidUploadTokenError,
+)
+
+
+class InvalidUploadTokenBadRequestError(BaseHTTPException):
+    error_code = "invalid_upload_token"
+    description = "Invalid upload token."
+    code = 400
+
+
+class InvalidUploadTokenUnauthorizedError(BaseHTTPException):
+    error_code = "invalid_upload_token"
+    description = "Upload token is required."
+    code = 401
+
+
+class InvalidUploadTokenForbiddenError(BaseHTTPException):
+    error_code = "invalid_upload_token"
+    description = "Upload token is invalid or expired."
+    code = 403
+
+
+class HumanInputRemoteFileUploadPayload(BaseModel):
+    url: HttpUrl = Field(description="Remote file URL")
+
+
+register_schema_models(web_ns, HumanInputRemoteFileUploadPayload, FileResponse, FileWithSignedUrl)
+
+
+def _extract_hitl_upload_token() -> str:
+    """Read HITL upload token from Authorization without invoking other bearer auth chains."""
+
+    authorization = request.headers.get("Authorization")
+    if authorization is None:
+        raise InvalidUploadTokenUnauthorizedError()
+
+    parts = authorization.split()
+    if len(parts) != 2:
+        raise InvalidUploadTokenUnauthorizedError()
+
+    scheme, token = parts
+    if scheme.lower() != "bearer":
+        raise InvalidUploadTokenBadRequestError()
+    if not token:
+        raise InvalidUploadTokenUnauthorizedError()
+    if not token.startswith(HITL_UPLOAD_TOKEN_PREFIX):
+        raise InvalidUploadTokenBadRequestError()
+    return token
+
+
+def _validate_context(service: HumanInputFileUploadService, token: str):
+    try:
+        return service.validate_upload_token(token)
+    except InvalidUploadTokenError as exc:
+        raise InvalidUploadTokenForbiddenError() from exc
+
+
+def _parse_local_upload_file():
+    if "file" not in request.files:
+        raise NoFileUploadedError()
+    if len(request.files) > 1:
+        raise TooManyFilesError()
+
+    file = request.files["file"]
+    if not file.filename:
+        from controllers.common.errors import FilenameNotExistsError
+
+        raise FilenameNotExistsError()
+
+    return file
+
+
+@web_ns.route("/form/human_input/files/upload")
+class HumanInputFileUploadApi(Resource):
+    def post(self):
+        """Upload one local file for a HITL human input form."""
+
+        token = _extract_hitl_upload_token()
+        upload_service = HumanInputFileUploadService(db.engine)
+        context = _validate_context(upload_service, token)
+        file = _parse_local_upload_file()
+
+        try:
+            upload_file = FileService(db.engine).upload_file(
+                filename=file.filename or "",
+                content=file.read(),
+                mimetype=file.mimetype,
+                user=context.owner,
+                source=None,
+            )
+        except services.errors.file.FileTooLargeError as file_too_large_error:
+            raise FileTooLargeError(file_too_large_error.description)
+        except services.errors.file.UnsupportedFileTypeError:
+            raise UnsupportedFileTypeError()
+        except services.errors.file.BlockedFileExtensionError as exc:
+            raise BlockedFileExtensionError() from exc
+
+        upload_service.record_upload_file(context=context, file_id=upload_file.id)
+        response = FileResponse.model_validate(upload_file, from_attributes=True)
+        return response.model_dump(mode="json"), 201
+
+
+@web_ns.route("/form/human_input/files/remote-upload")
+class HumanInputRemoteFileUploadApi(Resource):
+    def post(self):
+        """Upload one remote URL file for a HITL human input form."""
+
+        token = _extract_hitl_upload_token()
+        upload_service = HumanInputFileUploadService(db.engine)
+        context = _validate_context(upload_service, token)
+        payload = HumanInputRemoteFileUploadPayload.model_validate(request.get_json(silent=True) or {})
+        url = str(payload.url)
+
+        try:
+            resp = ssrf_proxy.head(url=url)
+            if resp.status_code != httpx.codes.OK:
+                resp = ssrf_proxy.get(url=url, timeout=3, follow_redirects=True)
+            if resp.status_code != httpx.codes.OK:
+                raise RemoteFileUploadError(f"Failed to fetch file from {url}: {resp.text}")
+        except httpx.RequestError as exc:
+            raise RemoteFileUploadError(f"Failed to fetch file from {url}: {str(exc)}")
+
+        file_info = helpers.guess_file_info_from_response(resp)
+        if not FileService.is_file_size_within_limit(extension=file_info.extension, file_size=file_info.size):
+            raise FileTooLargeError()
+
+        content = resp.content if resp.request.method == "GET" else ssrf_proxy.get(url).content
+
+        try:
+            upload_file = FileService(db.engine).upload_file(
+                filename=file_info.filename,
+                content=content,
+                mimetype=file_info.mimetype,
+                user=context.owner,
+                source_url=url,
+            )
+        except services.errors.file.FileTooLargeError as file_too_large_error:
+            raise FileTooLargeError(file_too_large_error.description)
+        except services.errors.file.UnsupportedFileTypeError:
+            raise UnsupportedFileTypeError()
+        except services.errors.file.BlockedFileExtensionError as exc:
+            raise BlockedFileExtensionError() from exc
+
+        upload_service.record_upload_file(context=context, file_id=upload_file.id)
+        payload1 = FileWithSignedUrl(
+            id=upload_file.id,
+            name=upload_file.name,
+            size=upload_file.size,
+            extension=upload_file.extension,
+            url=file_helpers.get_signed_file_url(upload_file_id=upload_file.id),
+            mime_type=upload_file.mime_type,
+            created_by=upload_file.created_by,
+            created_at=int(upload_file.created_at.timestamp()),
+        )
+        return payload1.model_dump(mode="json"), 201