Flowfile 0.5.1__py3-none-any.whl → 0.5.4__py3-none-any.whl

flowfile_core/routes/logs.py

@@ -1,18 +1,19 @@
 import asyncio
 import json
 import time
+from collections.abc import AsyncGenerator
 from pathlib import Path
-from typing import AsyncGenerator
+
 import aiofiles
-from fastapi import APIRouter, HTTPException, Depends
+from fastapi import APIRouter, Depends, HTTPException
 from fastapi.responses import StreamingResponse
 
-from flowfile_core import ServerRun
-from flowfile_core import flow_file_handler
+from flowfile_core import ServerRun, flow_file_handler
+from flowfile_core.auth.jwt import get_current_active_user, get_current_user_from_query
+
 # Core modules
 from flowfile_core.configs import logger
 from flowfile_core.configs.flow_logger import clear_all_flow_logs
-from flowfile_core.auth.jwt import get_current_active_user, get_current_user_from_query
 
 # Schema and models
 from flowfile_core.schemas import schemas
@@ -20,7 +21,7 @@ from flowfile_core.schemas import schemas
 router = APIRouter()
 
 
-@router.post("/clear-logs", tags=['flow_logging'])
+@router.post("/clear-logs", tags=["flow_logging"])
 async def clear_logs(current_user=Depends(get_current_active_user)):
     clear_all_flow_logs()
     return {"message": "All flow logs have been cleared."}
@@ -31,7 +32,7 @@ async def format_sse_message(data: str) -> str:
     return f"data: {json.dumps(data)}\n\n"
 
 
-@router.post("/logs/{flow_id}", tags=['flow_logging'])
+@router.post("/logs/{flow_id}", tags=["flow_logging"])
 async def add_log(flow_id: int, log_message: str):
     """Adds a log message to the log file for a given flow_id."""
     flow = flow_file_handler.get_flow(flow_id)
@@ -41,35 +42,32 @@ async def add_log(flow_id: int, log_message: str):
     return {"message": "Log added successfully"}
 
 
-@router.post("/raw_logs", tags=['flow_logging'])
+@router.post("/raw_logs", tags=["flow_logging"])
 async def add_raw_log(raw_log_input: schemas.RawLogInput):
     """Adds a log message to the log file for a given flow_id."""
-    logger.info('Adding raw logs')
+    logger.info("Adding raw logs")
     flow = flow_file_handler.get_flow(raw_log_input.flowfile_flow_id)
     if not flow:
         raise HTTPException(status_code=404, detail="Flow not found")
     flow.flow_logger.get_log_filepath()
     flow_logger = flow.flow_logger
     flow_logger.get_log_filepath()
-    if raw_log_input.log_type == 'INFO':
-        flow_logger.info(raw_log_input.log_message,
-                         extra=raw_log_input.extra)
-    elif raw_log_input.log_type == 'ERROR':
-        flow_logger.error(raw_log_input.log_message,
-                          extra=raw_log_input.extra)
+    if raw_log_input.log_type == "INFO":
+        flow_logger.info(raw_log_input.log_message, extra=raw_log_input.extra)
+    elif raw_log_input.log_type == "ERROR":
+        flow_logger.error(raw_log_input.log_message, extra=raw_log_input.extra)
     return {"message": "Log added successfully"}
 
 
 async def stream_log_file(
     log_file_path: Path,
     is_running_callable: callable,
-    idle_timeout: int = 60  # timeout in seconds
+    idle_timeout: int = 60,  # timeout in seconds
 ) -> AsyncGenerator[str, None]:
     logger.info(f"Streaming log file: {log_file_path}")
     last_active = time.monotonic()
     try:
-        async with aiofiles.open(log_file_path, "r") as file:
-
+        async with aiofiles.open(log_file_path) as file:
             # Ensure we start at the beginning
             await file.seek(0)
             while is_running_callable():
@@ -78,7 +76,6 @@ async def stream_log_file(
                     yield await format_sse_message("Server is shutting down. Closing connection.")
                     break
 
-
                 line = await file.readline()
                 if line:
                     formatted_message = await format_sse_message(line.strip())
@@ -113,21 +110,17 @@ async def stream_log_file(
         raise HTTPException(status_code=500, detail=f"Error reading log file: {e}")
 
 
-@router.get("/logs/{flow_id}", tags=['flow_logging'])
-async def stream_logs(
-    flow_id: int,
-    idle_timeout: int = 300,
-    current_user=Depends(get_current_user_from_query)
-):
+@router.get("/logs/{flow_id}", tags=["flow_logging"])
+async def stream_logs(flow_id: int, idle_timeout: int = 300, current_user=Depends(get_current_user_from_query)):
     """
     Streams logs for a given flow_id using Server-Sent Events.
     Requires authentication via token in query parameter.
     The connection will close gracefully if the server shuts down.
     """
     logger.info(f"Starting log stream for flow_id: {flow_id} by user: {current_user.username}")
-    await asyncio.sleep(.3)
+    await asyncio.sleep(0.3)
     flow = flow_file_handler.get_flow(flow_id)
-    logger.info('Streaming logs')
+    logger.info("Streaming logs")
     if not flow:
         raise HTTPException(status_code=404, detail="Flow not found")
 
@@ -153,6 +146,5 @@ async def stream_logs(
             "Cache-Control": "no-cache",
             "Connection": "keep-alive",
             "Content-Type": "text/event-stream",
-        }
+        },
     )
-

flowfile_core/routes/public.py

@@ -1,11 +1,53 @@
+import os
+
 from fastapi import APIRouter
 from fastapi.responses import RedirectResponse
+from pydantic import BaseModel
+
+from flowfile_core.auth.secrets import generate_master_key, is_master_key_configured
 
-# Router setup
 router = APIRouter()
 
 
-@router.get("/", tags=['admin'])
+class SetupStatus(BaseModel):
+    """Response model for the setup status endpoint."""
+
+    setup_required: bool
+    master_key_configured: bool
+    mode: str
+
+
+class GeneratedKey(BaseModel):
+    """Response model for the generate key endpoint."""
+
+    key: str
+    instructions: str
+
+
+@router.get("/", tags=["admin"])
 async def docs_redirect():
-    """ Redirects to the documentation page."""
-    return RedirectResponse(url='/docs')
+    """Redirects to the documentation page."""
+    return RedirectResponse(url="/docs")
+
+
+@router.get("/health/status", response_model=SetupStatus, tags=["health"])
+async def get_setup_status():
+    """Get the current setup status of the application."""
+    mode = os.environ.get("FLOWFILE_MODE", "electron")
+    master_key_ok = is_master_key_configured()
+    return SetupStatus(
+        setup_required=not master_key_ok,
+        master_key_configured=master_key_ok,
+        mode=mode,
+    )
+
+
+@router.post("/setup/generate-key", response_model=GeneratedKey, tags=["setup"])
+async def generate_key():
+    """Generate a new master encryption key."""
+    key = generate_master_key()
+    instructions = (
+        f'Add to your .env file:\n  FLOWFILE_MASTER_KEY="{key}"\n\n'
+        "Then restart: docker-compose down && docker-compose up"
+    )
+    return GeneratedKey(key=key, instructions=instructions)

flowfile_core/routes/routes.py

@@ -29,7 +29,9 @@ from flowfile_core.database.connection import get_db
 from flowfile_core.fileExplorer.funcs import (
     SecureFileExplorer,
     FileInfo,
-    get_files_from_directory
+    get_files_from_directory,
+    validate_file_path,
+    validate_path_under_cwd,
 )
 from flowfile_core.flowfile.analytics.analytics_processor import AnalyticsProcessor
 from flowfile_core.flowfile.code_generator.code_generator import export_flow_to_polars
@@ -76,14 +78,19 @@ async def upload_file(file: UploadFile = File(...)) -> JSONResponse:
     Returns:
         A JSON response containing the filename and the path where it was saved.
     """
-    file_location = f"uploads/{file.filename}"
+    safe_name = Path(file.filename).name.replace("..", "")
+    if not safe_name:
+        raise HTTPException(400, 'Invalid filename')
+    uploads_dir = Path("uploads")
+    uploads_dir.mkdir(exist_ok=True)
+    file_location = uploads_dir / safe_name
     with open(file_location, "wb+") as file_object:
         file_object.write(file.file.read())
-    return JSONResponse(content={"filename": file.filename, "filepath": file_location})
+    return JSONResponse(content={"filename": safe_name, "filepath": str(file_location)})
 
 
-@router.get('/files/files_in_local_directory/', response_model=List[FileInfo], tags=['file manager'])
-async def get_local_files(directory: str) -> List[FileInfo]:
+@router.get('/files/files_in_local_directory/', response_model=list[FileInfo], tags=['file manager'])
+async def get_local_files(directory: str) -> list[FileInfo]:
     """Retrieves a list of files from a specified local directory.
 
     Args:
@@ -94,10 +101,21 @@ async def get_local_files(directory: str) -> List[FileInfo]:
 
     Raises:
         HTTPException: 404 if the directory does not exist.
+        HTTPException: 403 if access is denied (path outside sandbox).
     """
-    files = get_files_from_directory(directory)
-    if files is None:
+    # Validate path is within sandbox before proceeding
+    explorer = SecureFileExplorer(
+        start_path=storage.user_data_directory,
+        sandbox_root=storage.user_data_directory
+    )
+    validated_path = explorer.get_absolute_path(directory)
+    if validated_path is None:
+        raise HTTPException(403, 'Access denied or directory does not exist')
+    if not validated_path.exists() or not validated_path.is_dir():
         raise HTTPException(404, 'Directory does not exist')
+    files = get_files_from_directory(str(validated_path), sandbox_root=storage.user_data_directory)
+    if files is None:
+        raise HTTPException(403, 'Access denied or directory does not exist')
     return files
 
 
@@ -179,9 +197,9 @@ def create_directory(new_directory: input_schema.NewDirectory) -> bool:
         raise error
 
 
-@router.post('/flow/register/', tags=['editor'])
-def register_flow(flow_data: schemas.FlowSettings) -> int:
-    """Registers a new flow session with the application.
+@router.post("/flow/register/", tags=["editor"])
+def register_flow(flow_data: schemas.FlowSettings, current_user=Depends(get_current_active_user)) -> int:
+    """Registers a new flow session with the application for the current user.
 
     Args:
         flow_data: The `FlowSettings` for the new flow.
@@ -189,13 +207,15 @@ def register_flow(flow_data: schemas.FlowSettings) -> int:
     Returns:
         The ID of the newly registered flow.
     """
-    return flow_file_handler.register_flow(flow_data)
+    user_id = current_user.id if current_user else None
+    return flow_file_handler.register_flow(flow_data, user_id=user_id)
 
 
-@router.get('/active_flowfile_sessions/', response_model=List[schemas.FlowSettings])
-async def get_active_flow_file_sessions() -> List[schemas.FlowSettings]:
-    """Retrieves a list of all currently active flow sessions."""
-    return [flf.flow_settings for flf in flow_file_handler.flowfile_flows]
+@router.get("/active_flowfile_sessions/", response_model=list[schemas.FlowSettings])
+async def get_active_flow_file_sessions(current_user=Depends(get_current_active_user)) -> list[schemas.FlowSettings]:
+    """Retrieves a list of all currently active flow sessions for the current user."""
+    user_id = current_user.id if current_user else None
+    return [flf.flow_settings for flf in flow_file_handler.get_user_flows(user_id)]
 
 
 @router.post("/node/trigger_fetch_data", tags=['editor'])
@@ -466,8 +486,8 @@ def get_generated_code(flow_id: int) -> str:
     return export_flow_to_polars(flow)
 
 
-@router.post('/editor/create_flow/', tags=['editor'])
-def create_flow(flow_path: str = None, name: str = None):
+@router.post("/editor/create_flow/", tags=["editor"])
+def create_flow(flow_path: str = None, name: str = None, current_user=Depends(get_current_active_user)):
     """Creates a new, empty flow file at the specified path and registers a session for it."""
     if flow_path is not None and name is None:
         name = Path(flow_path).stem
@@ -481,16 +501,20 @@ def create_flow(flow_path: str = None, name: str = None):
         elif name not in flow_path and not (name.endswith(".yaml") or name.endswith(".yml")):
             flow_path = str(Path(flow_path) / (name + ".yaml"))
     if flow_path is not None:
+        # Validate path is within allowed sandbox
+        flow_path = validate_path_under_cwd(flow_path)
         flow_path_ref = Path(flow_path)
         if not flow_path_ref.parent.exists():
-            raise HTTPException(422, 'The directory does not exist')
-    return flow_file_handler.add_flow(name=name, flow_path=flow_path)
+            raise HTTPException(422, "The directory does not exist")
+    user_id = current_user.id if current_user else None
+    return flow_file_handler.add_flow(name=name, flow_path=flow_path, user_id=user_id)
 
 
-@router.post('/editor/close_flow/', tags=['editor'])
-def close_flow(flow_id: int) -> None:
-    """Closes an active flow session."""
-    flow_file_handler.delete_flow(flow_id)
+@router.post("/editor/close_flow/", tags=["editor"])
+def close_flow(flow_id: int, current_user=Depends(get_current_active_user)) -> None:
+    """Closes an active flow session for the current user."""
+    user_id = current_user.id if current_user else None
+    flow_file_handler.delete_flow(flow_id, user_id=user_id)
 
 
 @router.post('/update_settings/', tags=['transform'])
@@ -534,7 +558,15 @@ def add_generic_settings(input_data: Dict[str, Any], node_type: str, current_use
 def get_list_of_saved_flows(path: str):
     """Scans a directory for saved flow files (`.flowfile`)."""
     try:
-        return get_files_from_directory(path, types=['flowfile'])
+        # Validate path is within sandbox before proceeding
+        explorer = SecureFileExplorer(
+            start_path=storage.user_data_directory,
+            sandbox_root=storage.user_data_directory
+        )
+        validated_path = explorer.get_absolute_path(path)
+        if validated_path is None:
+            return []
+        return get_files_from_directory(str(validated_path), types=['flowfile'], sandbox_root=storage.user_data_directory)
     except:
         return []
 
@@ -596,18 +628,21 @@ async def get_downstream_node_ids(flow_id: int, node_id: int) -> List[int]:
     return list(node.get_all_dependent_node_ids())
 
 
-@router.get('/import_flow/', tags=['editor'], response_model=int)
-def import_saved_flow(flow_path: str) -> int:
-    """Imports a flow from a saved `.yaml` and registers it as a new session."""
-    flow_path = Path(flow_path)
-    if not flow_path.exists():
-        raise HTTPException(404, 'File not found')
-    return flow_file_handler.import_flow(flow_path)
+@router.get("/import_flow/", tags=["editor"], response_model=int)
+def import_saved_flow(flow_path: str, current_user=Depends(get_current_active_user)) -> int:
+    """Imports a flow from a saved `.yaml` and registers it as a new session for the current user."""
+    validated_path = validate_path_under_cwd(flow_path)
+    if not os.path.exists(validated_path):
+        raise HTTPException(404, "File not found")
+    user_id = current_user.id if current_user else None
+    return flow_file_handler.import_flow(Path(validated_path), user_id=user_id)
 
 
 @router.get('/save_flow', tags=['editor'])
 def save_flow(flow_id: int, flow_path: str = None):
     """Saves the current state of a flow to a `.yaml`."""
+    if flow_path is not None:
+        flow_path = validate_path_under_cwd(flow_path)
     flow = flow_file_handler.get_flow(flow_id)
     flow.save_flow(flow_path=flow_path)
 
@@ -671,10 +706,11 @@ async def get_instant_function_result(flow_id: int, node_id: int, func_string: s
         raise HTTPException(status_code=500, detail=str(e))
 
 
-@router.get('/api/get_xlsx_sheet_names', tags=['excel_reader'], response_model=List[str])
-async def get_excel_sheet_names(path: str) -> List[str] | None:
+@router.get('/api/get_xlsx_sheet_names', tags=['excel_reader'], response_model=list[str])
+async def get_excel_sheet_names(path: str) -> list[str] | None:
     """Retrieves the sheet names from an Excel file."""
-    sheet_names = excel_file_manager.get_sheet_names(path)
+    validated_path = validate_path_under_cwd(path)
+    sheet_names = excel_file_manager.get_sheet_names(validated_path)
     if sheet_names:
         return sheet_names
     else:

flowfile_core/routes/secrets.py

@@ -5,8 +5,8 @@ This router provides secure endpoints for creating, retrieving, and deleting
 sensitive credentials for the authenticated user. Secrets are encrypted before
 being stored and are associated with the user's ID.
 """
+
 import os
-from typing import List
 
 from fastapi import APIRouter, Depends, HTTPException
 from sqlalchemy.orm import Session
@@ -15,12 +15,13 @@ from flowfile_core.auth.jwt import get_current_active_user
 from flowfile_core.auth.models import Secret, SecretInput
 from flowfile_core.database import models as db_models
 from flowfile_core.database.connection import get_db
-from flowfile_core.secret_manager.secret_manager import store_secret, delete_secret as delete_secret_action
+from flowfile_core.secret_manager.secret_manager import delete_secret as delete_secret_action
+from flowfile_core.secret_manager.secret_manager import store_secret
 
 router = APIRouter(dependencies=[Depends(get_current_active_user)])
 
 
-@router.get("/secrets", response_model=List[Secret])
+@router.get("/secrets", response_model=list[Secret])
 async def get_secrets(current_user=Depends(get_current_active_user), db: Session = Depends(get_db)):
     """Retrieves all secret names for the currently authenticated user.
 
@@ -42,18 +43,15 @@ async def get_secrets(current_user=Depends(get_current_active_user), db: Session
     # Prepare response model (without decrypting)
     secrets = []
     for db_secret in db_secrets:
-        secrets.append(Secret(
-            name=db_secret.name,
-            value=db_secret.encrypted_value,
-            user_id=str(db_secret.user_id)
-        ))
+        secrets.append(Secret(name=db_secret.name, value=db_secret.encrypted_value, user_id=str(db_secret.user_id)))
 
     return secrets
 
 
 @router.post("/secrets", response_model=Secret)
-async def create_secret(secret: SecretInput, current_user=Depends(get_current_active_user),
-                        db: Session = Depends(get_db)) -> Secret:
+async def create_secret(
+    secret: SecretInput, current_user=Depends(get_current_active_user), db: Session = Depends(get_db)
+) -> Secret:
     """Creates a new secret for the authenticated user.
 
     The secret value is encrypted before being stored in the database. A secret
@@ -73,10 +71,11 @@ async def create_secret(secret: SecretInput, current_user=Depends(get_current_ac
     # Get user ID
     user_id = 1 if os.environ.get("FLOWFILE_MODE") == "electron" else current_user.id
 
-    existing_secret = db.query(db_models.Secret).filter(
-        db_models.Secret.user_id == user_id,
-        db_models.Secret.name == secret.name
-    ).first()
+    existing_secret = (
+        db.query(db_models.Secret)
+        .filter(db_models.Secret.user_id == user_id, db_models.Secret.name == secret.name)
+        .first()
+    )
 
     if existing_secret:
         raise HTTPException(status_code=400, detail="Secret with this name already exists")
@@ -87,8 +86,9 @@ async def create_secret(secret: SecretInput, current_user=Depends(get_current_ac
 
 
 @router.get("/secrets/{secret_name}", response_model=Secret)
-async def get_secret(secret_name: str,
-                     current_user=Depends(get_current_active_user), db: Session = Depends(get_db)) -> Secret:
+async def get_secret(
+    secret_name: str, current_user=Depends(get_current_active_user), db: Session = Depends(get_db)
+) -> Secret:
     """Retrieves a specific secret by name for the authenticated user.
 
     Note: This endpoint returns the secret name and metadata but does not
@@ -109,24 +109,22 @@ async def get_secret(secret_name: str,
     user_id = 1 if os.environ.get("FLOWFILE_MODE") == "electron" else current_user.id
 
     # Get secret from database
-    db_secret = db.query(db_models.Secret).filter(
-        db_models.Secret.user_id == user_id,
-        db_models.Secret.name == secret_name
-    ).first()
+    db_secret = (
+        db.query(db_models.Secret)
+        .filter(db_models.Secret.user_id == user_id, db_models.Secret.name == secret_name)
+        .first()
+    )
 
     if not db_secret:
         raise HTTPException(status_code=404, detail="Secret not found")
 
-    return Secret(
-        name=db_secret.name,
-        value=db_secret.encrypted_value,
-        user_id=str(db_secret.user_id)
-    )
+    return Secret(name=db_secret.name, value=db_secret.encrypted_value, user_id=str(db_secret.user_id))
 
 
 @router.delete("/secrets/{secret_name}", status_code=204)
-async def delete_secret(secret_name: str, current_user=Depends(get_current_active_user),
-                        db: Session = Depends(get_db)) -> None:
+async def delete_secret(
+    secret_name: str, current_user=Depends(get_current_active_user), db: Session = Depends(get_db)
+) -> None:
     """Deletes a secret by name for the authenticated user.
 
     Args: