enterprise/README.md

OpenHands Enterprise Server

> [!WARNING]
> This software is licensed under the Polyform Free Trial License. This is NOT an open source license. Usage is limited to 30 days per calendar year without a commercial license. If you would like to use it beyond 30 days, please contact us.

> [!WARNING]
> This is a work in progress and may contain bugs, incomplete features, or breaking changes.

This directory contains the enterprise server used by OpenHands Cloud. The official, public version of OpenHands Cloud is available at app.all-hands.dev.

You may also want to check out the MIT-licensed OpenHands project.

Extension of OpenHands

The code in /enterprise builds on top of OpenHands (MIT-licensed), extending its functionality. The enterprise code is entangled with OpenHands in two ways:

  • Enterprise stacks on top of OpenHands. For example, the middleware in enterprise is stacked right on top of the middleware in OpenHands. In SaaS, the middleware from BOTH repos is present and running at the same time, which can sometimes cause conflicts (for example, two layers acting on the same request state).

  • Enterprise overrides the implementation in OpenHands (only one is present at a time). For example, the server config SaasServerConfig overrides ServerConfig in OpenHands. This is done through dynamic imports (see here)
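The override mechanism in the second bullet, shown as an added example rather than the project's own code: a loader resolves a dotted class path to a class, falls back to the default when nothing is configured, and refuses anything that is not a subclass of the base class. The last check matters because the path usually comes from configuration or an environment variable, so a bad value must not be able to swap in an arbitrary class. `load_impl`, `resolve_config`, `override_accepted`, the `enterprise_demo.config` module and both config classes are stand-ins constructed here so the example runs offline.

```python
"""Override-by-dynamic-import, as used to swap SaasServerConfig for ServerConfig.

Illustrative example: load_impl, the enterprise_demo.config module and the
config classes below are stand-ins, not the project's own code.
"""
import importlib
import sys
import types
from typing import Optional, Type, TypeVar

T = TypeVar("T")


class ServerConfig:
    """Stand-in for the default (MIT-licensed OpenHands) server config."""

    app_mode = "oss"

    def auth_source(self) -> str:
        return "settings.github_token"


def load_impl(base: Type[T], dotted_path: Optional[str]) -> Type[T]:
    """Resolve "pkg.module.ClassName" to a class, or return `base` when no
    override is configured.  Anything that is not a subclass of `base` is
    rejected, so a tampered or mistyped setting cannot load an unrelated class."""
    if not dotted_path:
        return base
    module_name, _, class_name = dotted_path.rpartition(".")
    if not module_name or not class_name:
        raise ValueError(f"not a dotted class path: {dotted_path!r}")
    module = importlib.import_module(module_name)
    candidate = getattr(module, class_name)
    if not (isinstance(candidate, type) and issubclass(candidate, base)):
        raise TypeError(f"{dotted_path} does not subclass {base.__name__}")
    return candidate


def _install_fake_enterprise_module() -> None:
    """Register a constructed `enterprise_demo.config` module in sys.modules
    so the example runs without the real enterprise package."""
    mod = types.ModuleType("enterprise_demo.config")

    class SaasServerConfig(ServerConfig):
        app_mode = "saas"

        def auth_source(self) -> str:
            return "cookie.github_user_id -> GithubTokenManager"

    class NotAConfig:  # unrelated class: load_impl must reject it
        pass

    mod.SaasServerConfig = SaasServerConfig
    mod.NotAConfig = NotAConfig
    pkg = types.ModuleType("enterprise_demo")
    pkg.config = mod
    sys.modules["enterprise_demo"] = pkg
    sys.modules["enterprise_demo.config"] = mod


_install_fake_enterprise_module()


def resolve_config(override: Optional[str]) -> ServerConfig:
    """What a server would do at startup: pick the config class from a
    setting (here: the `override` argument) and instantiate it."""
    return load_impl(ServerConfig, override)()


def override_accepted(dotted_path: str) -> bool:
    """True if `dotted_path` names a usable ServerConfig subclass."""
    try:
        load_impl(ServerConfig, dotted_path)
        return True
    except (TypeError, ValueError, ImportError, AttributeError):
        return False
```

With no override configured the OSS class is used; with `enterprise_demo.config.SaasServerConfig` the SaaS class replaces it entirely, which is the "only one is present at a time" behaviour described above.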

Key areas that change in SaaS are:

  • Authentication
  • User settings
  • etc

Authentication

| Aspect | OpenHands | Enterprise |
|---|---|---|
| Authentication method | User adds a personal access token (PAT) through the UI | User performs OAuth through the UI. The GitHub app provides a short-lived access token and a refresh token |
| Token storage | PAT is stored in Settings | Token is stored in GithubTokenManager (a file store in our backend) |
| Authenticated status | We simply check if a token exists in Settings | We issue a signed cookie with github_user_id during OAuth, so subsequent requests with the cookie can be considered authenticated |

Note that in the future, authentication will happen via Keycloak. All modifications for authentication will happen in enterprise.
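How the two "authenticated status" checks in the table differ, as an added example that is not the project's own code: the enterprise cookie carries github_user_id plus an expiry and is signed with an HMAC, and a request counts as authenticated only when the signature verifies and the cookie has not expired; the OpenHands check merely looks for a token in Settings. The cookie layout, `SECRET`, the 12-hour lifetime and the function names are assumptions made for the example.

```python
"""Signed session cookie carrying github_user_id, as issued after OAuth.

Illustrative example, not the project's code: the cookie format, SECRET,
the 12-hour lifetime and the function names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"replace-with-a-long-random-server-side-key"  # assumption: server-side only
COOKIE_TTL_SECONDS = 12 * 3600                            # assumption


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(github_user_id: str, now: Optional[float] = None) -> str:
    """Build `payload.signature`, payload = {"github_user_id", "exp"}."""
    issued = now if now is not None else time.time()
    payload = json.dumps(
        {"github_user_id": github_user_id, "exp": int(issued + COOKIE_TTL_SECONDS)},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return github_user_id if the MAC verifies and the cookie is unexpired,
    else None.  The presence of a cookie proves nothing on its own; the MAC
    check is what lets later requests be treated as authenticated."""
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if not isinstance(claims, dict) or claims.get("exp", 0) <= current:
        return None
    uid = claims.get("github_user_id")
    return uid if isinstance(uid, str) else None


def is_authenticated_oss(settings: dict) -> bool:
    """OpenHands check: a token merely exists in Settings."""
    return bool(settings.get("github_token"))


def is_authenticated_saas(cookies: dict, now: Optional[float] = None) -> bool:
    """Enterprise check: a valid signed cookie identifies the user."""
    return verify_cookie(cookies.get("session", ""), now) is not None
```

When the real cookie is set it should additionally be marked HttpOnly, Secure and SameSite so the browser does not expose it to page scripts or cross-site requests; the signing key never leaves the backend.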

GitHub Service

The GitHub service is responsible for interacting with GitHub APIs. As a consequence, it uses the user's token and refreshes it if need be.

| Aspect | OpenHands | Enterprise |
|---|---|---|
| Class used | GitHubService | SaaSGitHubService |
| Token used | User's PAT fetched from Settings | User's token fetched from GitHubTokenManager |
| Refresh functionality | N/A; user provides a PAT for the app | Uses the GitHubTokenManager to refresh |

NOTE: in the future we will simply replace the GithubTokenManager with Keycloak. The SaaSGithubService should interact with Keycloak instead.

Areas that are BRITTLE!

User ID vs User Token

  • In OpenHands, the entire app revolves around the GitHub token the user sets. openhands/server uses request.state.github_token for the entire app
  • On Enterprise, the entire app revolves around the GitHub user ID. This is because the cookie sets it, so openhands/server AND enterprise/server depend on it and completely ignore request.state.github_token (the token is fetched from GithubTokenManager instead)

Note that introducing a GitHub user ID into OpenHands itself, for instance, would cause large breakages.
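One added example (not the project's code) covering both the GitHub Service section above and the User ID vs User Token point: a token store keyed by github_user_id that refreshes a short-lived access token shortly before it expires and persists the rotated refresh token, next to the two service shapes, one that reads request.state.github_token directly and one that ignores it and resolves the token from the user ID. `TokenManager`, `OssGitHubService`, `SaasGitHubService`, `fake_refresh`, the 5-minute refresh margin and all sample tokens are constructed here; the real GithubTokenManager is a file store and the real refresh goes to the GitHub App endpoint.

```python
"""Token lookup by GitHub user id with refresh, beside the two resolution
paths described in "Areas that are BRITTLE!".  Illustrative example: the
classes, fake_refresh, the margin and the sample tokens are assumptions."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

REFRESH_MARGIN_SECONDS = 300      # refresh when this close to expiry (assumption)
FAKE_NOW = 1_700_000_000.0        # fixed clock for the constructed sample

# A refresh call takes the current refresh token and returns
# (new access token, new refresh token, new expiry as a unix timestamp).
RefreshFn = Callable[[str], Tuple[str, str, float]]


@dataclass
class TokenRecord:
    access_token: str
    refresh_token: str
    expires_at: float


class TokenManager:
    """Stand-in for GithubTokenManager: records are keyed by github_user_id."""

    def __init__(self, refresh: RefreshFn, clock: Callable[[], float] = time.time):
        self._store: Dict[str, TokenRecord] = {}
        self._refresh = refresh
        self._clock = clock

    def store(self, github_user_id: str, rec: TokenRecord) -> None:
        self._store[github_user_id] = rec

    def get_access_token(self, github_user_id: str) -> Optional[str]:
        """Return a usable access token, refreshing (and persisting the
        rotated refresh token) when the stored one is about to expire."""
        rec = self._store.get(github_user_id)
        if rec is None:
            return None
        if rec.expires_at - self._clock() <= REFRESH_MARGIN_SECONDS:
            access, refresh, exp = self._refresh(rec.refresh_token)
            rec = TokenRecord(access, refresh, exp)
            self._store[github_user_id] = rec
        return rec.access_token


class OssGitHubService:
    """OpenHands path: request.state.github_token is the whole identity."""

    def __init__(self, request_state: dict):
        self.token = request_state.get("github_token")

    def auth_header(self) -> Optional[str]:
        return f"Bearer {self.token}" if self.token else None


class SaasGitHubService:
    """Enterprise path: the cookie's github_user_id is the identity; the token
    comes from the manager and request.state.github_token is ignored."""

    def __init__(self, request_state: dict, manager: TokenManager):
        self.user_id = request_state.get("github_user_id")
        self._manager = manager

    def auth_header(self) -> Optional[str]:
        if not self.user_id:
            return None
        token = self._manager.get_access_token(self.user_id)
        return f"Bearer {token}" if token else None


def fake_refresh(refresh_token: str) -> Tuple[str, str, float]:
    """Constructed stand-in for the GitHub App refresh endpoint: refresh token
    "ghr-N" yields access token "ghu_new(N+1)" and rotated "ghr-(N+1)"."""
    n = int(refresh_token.rsplit("-", 1)[1]) + 1
    return f"ghu_new{n}", f"ghr-{n}", FAKE_NOW + 8 * 3600


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Run both paths against the same request state and a constructed store."""
    now = [FAKE_NOW]
    mgr = TokenManager(fake_refresh, clock=lambda: now[0])
    mgr.store("42", TokenRecord("ghu_old", "ghr-0", FAKE_NOW + 3600))
    state = {"github_user_id": "42", "github_token": "ghp_stray_pat"}
    now[0] = FAKE_NOW + 3600 - 60  # inside the refresh margin: triggers a refresh
    return (
        OssGitHubService(state).auth_header(),         # uses the stray PAT
        SaasGitHubService(state, mgr).auth_header(),   # refreshed token for user 42
        SaasGitHubService({"github_token": "ghp_stray_pat"}, mgr).auth_header(),  # no user id
    )
```

The third value in `demo()` is the brittle case in code form: a request that carries only a GitHub token but no user ID is unauthenticated on the enterprise path, while the same state fully authenticates on the OpenHands path.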