MindsDB 25.8.3.0__py3-none-any.whl → 25.9.1.0__py3-none-any.whl

mindsdb/api/common/middleware.py

@@ -0,0 +1,106 @@
+from starlette.middleware.base import BaseHTTPMiddleware
+from starlette.responses import JSONResponse
+from starlette.requests import Request
+from http import HTTPStatus
+from typing import Optional
+import secrets
+import hmac
+import hashlib
+import os
+import traceback
+
+from mindsdb.utilities import log
+from mindsdb.utilities.config import config
+
+logger = log.getLogger(__name__)
+
+SECRET_KEY = os.environ.get("AUTH_SECRET_KEY") or secrets.token_urlsafe(32)
+# We store token (fingerprints) in memory, which means everyone is logged out if the process restarts
+TOKENS = []
+
+
+def get_pat_fingerprint(token: str) -> str:
+    """Hash the token with HMAC-SHA256 using secret_key as pepper."""
+    return hmac.new(SECRET_KEY.encode(), token.encode(), hashlib.sha256).hexdigest()
+
+
+def generate_pat() -> str:
+    logger.debug("Generating new auth token")
+    token = "pat_" + secrets.token_urlsafe(32)
+    TOKENS.append(get_pat_fingerprint(token))
+    return token
+
+
+def verify_pat(raw_token: str) -> bool:
+    """Verify if the raw_token matches a stored fingerprint.
+    Returns token_id if valid, None if not.
+    """
+    if not raw_token:
+        return False
+    fp = get_pat_fingerprint(raw_token)
+    for stored_fp in TOKENS:
+        if hmac.compare_digest(fp, stored_fp):
+            return True
+    return False
+
+
+def revoke_pat(raw_token: str) -> bool:
+    """Revoke raw_token from active tokens"""
+    if not raw_token:
+        return False
+    fp = get_pat_fingerprint(raw_token)
+    for stored_fp in TOKENS:
+        if hmac.compare_digest(fp, stored_fp):
+            TOKENS.remove(stored_fp)
+            return True
+    return False
+
+
+class PATAuthMiddleware(BaseHTTPMiddleware):
+    def _extract_bearer(self, request: Request) -> Optional[str]:
+        h = request.headers.get("Authorization")
+        if not h or not h.startswith("Bearer "):
+            return None
+        return h.split(" ", 1)[1].strip() or None
+
+    async def dispatch(self, request: Request, call_next):
+        if config.get("auth", {}).get("http_auth_enabled", False) is False:
+            return await call_next(request)
+
+        token = self._extract_bearer(request)
+        if not token or not verify_pat(token):
+            return JSONResponse({"detail": "Unauthorized"}, status_code=HTTPStatus.UNAUTHORIZED)
+
+        request.state.user = config["auth"].get("username")
+        return await call_next(request)
+
+
+# Used by mysql and postgres protocols
+def check_auth(username, password, scramble_func, salt, company_id, config):
+    try:
+        hardcoded_user = config["auth"].get("username")
+        hardcoded_password = config["auth"].get("password")
+        if hardcoded_password is None:
+            hardcoded_password = ""
+        hardcoded_password_hash = scramble_func(hardcoded_password, salt)
+        hardcoded_password = hardcoded_password.encode()
+
+        if password is None:
+            password = ""
+        if isinstance(password, str):
+            password = password.encode()
+
+        if username != hardcoded_user:
+            logger.warning(f"Check auth, user={username}: user mismatch")
+            return {"success": False}
+
+        if password != hardcoded_password and password != hardcoded_password_hash:
+            logger.warning(f"check auth, user={username}: password mismatch")
+            return {"success": False}
+
+        logger.info(f"Check auth, user={username}: Ok")
+        return {"success": True, "username": username}
+    except Exception as e:
+        logger.error(f"Check auth, user={username}: ERROR")
+        logger.error(e)
+        logger.error(traceback.format_exc())

mindsdb/api/http/initialize.py

@@ -1,5 +1,4 @@
 import os
-import secrets
 import mimetypes
 import threading
 import traceback
@@ -27,7 +26,7 @@ from mindsdb.api.http.namespaces.chatbots import ns_conf as chatbots_ns
 from mindsdb.api.http.namespaces.jobs import ns_conf as jobs_ns
 from mindsdb.api.http.namespaces.config import ns_conf as conf_ns
 from mindsdb.api.http.namespaces.databases import ns_conf as databases_ns
-from mindsdb.api.http.namespaces.default import ns_conf as default_ns, check_auth
+from mindsdb.api.http.namespaces.default import ns_conf as default_ns
 from mindsdb.api.http.namespaces.file import ns_conf as file_ns
 from mindsdb.api.http.namespaces.handlers import ns_conf as handlers_ns
 from mindsdb.api.http.namespaces.knowledge_bases import ns_conf as knowledge_bases_ns
@@ -53,6 +52,7 @@ from mindsdb.utilities.json_encoder import CustomJSONProvider
 from mindsdb.utilities.ps import is_pid_listen_port, wait_func_is_true
 from mindsdb.utilities.sentry import sentry_sdk  # noqa: F401
 from mindsdb.utilities.otel import trace  # noqa: F401
+from mindsdb.api.common.middleware import verify_pat
 
 logger = log.getLogger(__name__)
 
@@ -314,12 +314,19 @@ def initialize_app(config, no_studio):
         ctx.set_default()
         config = Config()
 
+        h = request.headers.get("Authorization")
+        if not h or not h.startswith("Bearer "):
+            bearer = None
+        else:
+            bearer = h.split(" ", 1)[1].strip() or None
+
         # region routes where auth is required
         if (
             config["auth"]["http_auth_enabled"] is True
             and any(request.path.startswith(f"/api{ns.path}") for ns in protected_namespaces)
-            and check_auth() is False
+            and verify_pat(bearer) is False
         ):
+            logger.debug(f"Auth failed for path {request.path}")
             return http_error(
                 HTTPStatus.UNAUTHORIZED,
                 "Unauthorized",
@@ -340,29 +347,23 @@ def initialize_app(config, no_studio):
         except Exception:
             user_id = 0
 
-        try:
-            session_id = request.cookies.get("session")
-        except Exception:
-            session_id = "unknown"
-
         if company_id is not None:
             try:
                 company_id = int(company_id)
             except Exception as e:
-                logger.error(f"Cloud not parse company id: {company_id} | exception: {e}")
+                logger.error(f"Could not parse company id: {company_id} | exception: {e}")
                 company_id = None
 
         if user_class is not None:
             try:
                 user_class = int(user_class)
             except Exception as e:
-                logger.error(f"Cloud not parse user_class: {user_class} | exception: {e}")
+                logger.error(f"Could not parse user_class: {user_class} | exception: {e}")
                 user_class = 0
         else:
             user_class = 0
 
         ctx.user_id = user_id
-        ctx.session_id = session_id
         ctx.company_id = company_id
         ctx.user_class = user_class
         ctx.email_confirmed = email_confirmed
@@ -394,14 +395,11 @@ def initialize_flask(config, init_static_thread, no_studio):
     FlaskInstrumentor().instrument_app(app)
     RequestsInstrumentor().instrument()
 
-    app.config["SECRET_KEY"] = os.environ.get("FLASK_SECRET_KEY", secrets.token_hex(32))
-    app.config["SESSION_COOKIE_NAME"] = "session"
-    app.config["PERMANENT_SESSION_LIFETIME"] = config["auth"]["http_permanent_session_lifetime"]
     app.config["SEND_FILE_MAX_AGE_DEFAULT"] = 60
     app.config["SWAGGER_HOST"] = "http://localhost:8000/mindsdb"
     app.json = CustomJSONProvider()
 
-    authorizations = {"apikey": {"type": "session", "in": "query", "name": "session"}}
+    authorizations = {"apikey": {"type": "apiKey", "in": "header", "name": "Authorization"}}
 
     logger.debug("Creating swagger API..")
     api = Swagger_Api(

mindsdb/api/http/namespaces/auth.py

@@ -4,7 +4,7 @@ import time
 import urllib
 
 import requests
-from flask import redirect, request, session, url_for
+from flask import redirect, request, url_for
 from flask_restx import Resource
 
 from mindsdb.api.http.namespaces.configs.auth import ns_conf
@@ -21,9 +21,7 @@ def get_access_token() -> str:
     Returns:
         str: token
     """
-    return (
-        Config().get("auth", {}).get("oauth", {}).get("tokens", {}).get("access_token")
-    )
+    return Config().get("auth", {}).get("oauth", {}).get("tokens", {}).get("access_token")
 
 
 def request_user_info(access_token: str = None) -> dict:
@@ -58,7 +56,7 @@ def request_user_info(access_token: str = None) -> dict:
 @ns_conf.hide
 class Auth(Resource):
     @ns_conf.doc(params={"code": "authentification code"})
-    @api_endpoint_metrics('GET', '/auth/code')
+    @api_endpoint_metrics("GET", "/auth/code")
     def get(self):
         """callback from auth server if authentification is successful"""
         config = Config()
@@ -72,9 +70,7 @@ class Auth(Resource):
         client_id = oauth_meta["client_id"]
         client_secret = oauth_meta["client_secret"]
         auth_server = oauth_meta["server_host"]
-        client_basic = base64.b64encode(
-            f"{client_id}:{client_secret}".encode()
-        ).decode()
+        client_basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
 
         redirect_uri = f"https://{public_hostname}{request.path}"
         response = requests.post(
@@ -115,7 +111,7 @@ class Auth(Resource):
                     "public_hostname": public_hostname,
                     "ami_id": aws_meta_data.get("ami-id"),
                 },
-                headers={"Authorization": f'Bearer {tokens["access_token"]}'},
+                headers={"Authorization": f"Bearer {tokens['access_token']}"},
                 timeout=5,
             )
             if resp.status_code != 200:
@@ -123,10 +119,6 @@ class Auth(Resource):
         except Exception as e:
             logger.warning(f"Cant't send request to cloud server: {e}")
 
-        session["username"] = user_data["name"]
-        session["auth_provider"] = "cloud"
-        session.permanent = True
-
         if request.path.endswith("/auth/callback/cloud_home"):
             return redirect(f"https://{auth_server}")
         else:
@@ -140,7 +132,7 @@ class CloudLoginRoute(Resource):
         responses={302: "Redirect to auth server"},
         params={"location": "final redirection should lead to that location"},
     )
-    @api_endpoint_metrics('GET', '/auth/cloud_login')
+    @api_endpoint_metrics("GET", "/auth/cloud_login")
     def get(self):
         """redirect to cloud login form"""
         location = request.args.get("location")

mindsdb/api/http/namespaces/config.py

@@ -32,8 +32,6 @@ class GetConfig(Resource):
             value = config.get(key)
             if value is not None:
                 resp[key] = value
-        if "a2a" in config["api"]:
-            resp["a2a"] = config["api"]["a2a"]
         return resp
 
     @ns_conf.doc("put_config")

mindsdb/api/http/namespaces/default.py

@@ -1,6 +1,4 @@
-import time
-
-from flask import request, session
+from flask import request
 from flask_restx import Resource
 from flask_restx import fields
 
@@ -10,143 +8,113 @@ from mindsdb.api.http.utils import http_error
 from mindsdb.metrics.metrics import api_endpoint_metrics
 from mindsdb.utilities.config import Config
 from mindsdb.utilities import log
+from mindsdb.api.common.middleware import generate_pat, revoke_pat, verify_pat
 
 
 logger = log.getLogger(__name__)
 
 
-def check_auth() -> bool:
-    ''' checking whether current user is authenticated
-
-        Returns:
-            bool: True if user authentication is approved
-    '''
-    config = Config()
-    if config['auth']['http_auth_enabled'] is False:
-        return True
-
-    if config['auth'].get('provider') == 'cloud':
-        if isinstance(session.get('username'), str) is False:
-            return False
-
-        if config['auth']['oauth']['tokens']['expires_at'] < time.time():
-            return False
-
-        return True
-
-    return session.get('username') == config['auth']['username']
-
-
-@ns_conf.route('/login', methods=['POST'])
+@ns_conf.route("/login", methods=["POST"])
 class LoginRoute(Resource):
     @ns_conf.doc(
-        responses={
-            200: 'Success',
-            400: 'Error in username or password',
-            401: 'Invalid username or password'
-        },
-        body=ns_conf.model('request_login', {
-            'username': fields.String(description='Username'),
-            'password': fields.String(description='Password')
-        })
+        responses={200: "Success", 400: "Error in username or password", 401: "Invalid username or password"},
+        body=ns_conf.model(
+            "request_login",
+            {"username": fields.String(description="Username"), "password": fields.String(description="Password")},
+        ),
     )
-    @api_endpoint_metrics('POST', '/default/login')
+    @api_endpoint_metrics("POST", "/default/login")
     def post(self):
-        ''' Check user's credentials and creates a session
-        '''
-        username = request.json.get('username')
-        password = request.json.get('password')
+        """Check user's credentials and creates a session"""
+        username = request.json.get("username")
+        password = request.json.get("password")
         if (
-            isinstance(username, str) is False or len(username) == 0
-            or isinstance(password, str) is False or len(password) == 0
+            isinstance(username, str) is False
+            or len(username) == 0
+            or isinstance(password, str) is False
+            or len(password) == 0
         ):
-            return http_error(
-                400, 'Error in username or password',
-                'Username and password should be string'
-            )
+            return http_error(400, "Error in username or password", "Username and password should be string")
 
         config = Config()
-        inline_username = config['auth']['username']
-        inline_password = config['auth']['password']
+        inline_username = config["auth"]["username"]
+        inline_password = config["auth"]["password"]
 
-        if (
-            username != inline_username
-            or password != inline_password
-        ):
-            return http_error(
-                401, 'Forbidden',
-                'Invalid username or password'
-            )
+        if username != inline_username or password != inline_password:
+            return http_error(401, "Forbidden", "Invalid username or password")
 
-        session.clear()
-        session['username'] = username
-        session.permanent = True
+        logger.info(f"User '{username}' logged in successfully")
 
-        return '', 200
+        return {"token": generate_pat()}, 200
 
 
-@ns_conf.route('/logout', methods=['POST'])
+@ns_conf.route("/logout", methods=["POST"])
 class LogoutRoute(Resource):
-    @ns_conf.doc(
-        responses={
-            200: 'Success'
-        }
-    )
-    @api_endpoint_metrics('POST', '/default/logout')
+    @ns_conf.doc(responses={200: "Success"})
+    @api_endpoint_metrics("POST", "/default/logout")
     def post(self):
-        session.clear()
-        return '', 200
+        # We can't forcibly log out a user with the
+        h = request.headers.get("Authorization")
+        if not h or not h.startswith("Bearer "):
+            bearer = None
+        else:
+            bearer = h.split(" ", 1)[1].strip() or None
+        revoke_pat(bearer)
+        return "", 200
 
 
-@ns_conf.route('/status')
+@ns_conf.route("/status")
 class StatusRoute(Resource):
     @ns_conf.doc(
-        responses={
-            200: 'Success'
-        },
-        model=ns_conf.model('response_status', {
-            'environment': fields.String(description='The name of current environment: cloud, local or other'),
-            'mindsdb_version': fields.String(description='Current version of mindsdb'),
-            'auth': fields.Nested(
-                ns_conf.model('response_status_auth', {
-                    'confirmed': fields.Boolean(description='is current user authenticated'),
-                    'required': fields.Boolean(description='is authenticated required'),
-                    'provider': fields.Boolean(description='current authenticated provider: local of 3d-party')
-                })
-            )
-        })
+        responses={200: "Success"},
+        model=ns_conf.model(
+            "response_status",
+            {
+                "environment": fields.String(description="The name of current environment: cloud, local or other"),
+                "mindsdb_version": fields.String(description="Current version of mindsdb"),
+                "auth": fields.Nested(
+                    ns_conf.model(
+                        "response_status_auth",
+                        {
+                            "confirmed": fields.Boolean(description="is current user authenticated"),
+                            "required": fields.Boolean(description="is authenticated required"),
+                            "provider": fields.Boolean(description="current authenticated provider: local of 3d-party"),
+                        },
+                    )
+                ),
+            },
+        ),
     )
-    @api_endpoint_metrics('GET', '/default/status')
+    @api_endpoint_metrics("GET", "/default/status")
     def get(self):
-        ''' returns auth and environment data
-        '''
-        environment = 'local'
+        """returns auth and environment data"""
+        environment = "local"
         config = Config()
 
-        environment = config.get('environment')
+        environment = config.get("environment")
         if environment is None:
-            if config.get('cloud', False):
-                environment = 'cloud'
-            elif config.get('aws_marketplace', False):
-                environment = 'aws_marketplace'
+            if config.get("cloud", False):
+                environment = "cloud"
+            elif config.get("aws_marketplace", False):
+                environment = "aws_marketplace"
             else:
-                environment = 'local'
+                environment = "local"
 
-        auth_provider = 'disabled'
-        if config['auth']['http_auth_enabled'] is True:
-            if config['auth'].get('provider') is not None:
-                auth_provider = config['auth'].get('provider')
+        auth_provider = "disabled"
+        if config["auth"]["http_auth_enabled"] is True:
+            if config["auth"].get("provider") is not None:
+                auth_provider = config["auth"].get("provider")
             else:
-                auth_provider = 'local'
+                auth_provider = "local"
 
         resp = {
-            'mindsdb_version': mindsdb_version,
-            'environment': environment,
-            'auth': {
-                'confirmed': check_auth(),
-                'http_auth_enabled': config['auth']['http_auth_enabled'],
-                'provider': auth_provider
-            }
+            "mindsdb_version": mindsdb_version,
+            "environment": environment,
+            "auth": {
+                "confirmed": verify_pat(request.headers.get("Authorization", "").replace("Bearer ", "")),
+                "http_auth_enabled": config["auth"]["http_auth_enabled"],
+                "provider": auth_provider,
+            },
         }
 
         return resp

mindsdb/api/http/start.py

@@ -1,8 +1,8 @@
 import gc
+
 gc.disable()
 
 from flask import Flask
-from waitress import serve
 
 from mindsdb.api.http.initialize import initialize_app
 from mindsdb.interfaces.storage import db
@@ -10,6 +10,16 @@ from mindsdb.utilities import log
 from mindsdb.utilities.config import config
 from mindsdb.utilities.functions import init_lexer_parsers
 from mindsdb.integrations.libs.ml_exec_base import process_cache
+from mindsdb.api.common.middleware import PATAuthMiddleware
+
+
+from starlette.applications import Starlette
+from starlette.routing import Mount
+from starlette.middleware.wsgi import WSGIMiddleware
+import uvicorn
+
+from mindsdb.api.a2a import get_a2a_app
+from mindsdb.api.mcp import get_mcp_app
 
 gc.enable()
 
@@ -23,50 +33,21 @@ def start(verbose, no_studio, app: Flask = None):
     if app is None:
         app = initialize_app(config, no_studio)
 
-    port = config['api']['http']['port']
-    host = config['api']['http']['host']
-    server_type = config['api']['http']['server']['type']
-    server_config = config['api']['http']['server']['config']
-
+    port = config["api"]["http"]["port"]
+    host = config["api"]["http"]["host"]
     process_cache.init()
 
-    if server_type == "waitress":
-        logger.debug("Serving HTTP app with waitress...")
-        serve(
-            app,
-            host='*' if host in ('', '0.0.0.0') else host,
-            port=port,
-            **server_config
-        )
-    elif server_type == "flask":
-        logger.debug("Serving HTTP app with flask...")
-        # that will 'disable access' log in console
-
-        app.run(debug=False, port=port, host=host, **server_config)
-    elif server_type == 'gunicorn':
-        try:
-            from mindsdb.api.http.gunicorn_wrapper import StandaloneApplication
-        except ImportError:
-            logger.error(
-                "Gunicorn server is not available by default. If you wish to use it, please install 'gunicorn'"
-            )
-            return
-
-        def post_fork(arbiter, worker):
-            db.engine.dispose()
+    routes = []
+    # Specific mounts FIRST
+    a2a = get_a2a_app()
+    a2a.add_middleware(PATAuthMiddleware)
+    mcp = get_mcp_app()
+    mcp.add_middleware(PATAuthMiddleware)
+    routes.append(Mount("/a2a", app=a2a))
+    routes.append(Mount("/mcp", app=mcp))
 
-        def before_worker_exit(arbiter, worker):
-            """Latest version of gunicorn (23.0.0) calls 'join' for each child process before exiting. However this does
-            not work for processes created by ProcessPoolExecutor, because they execute forever. We need to explicitly
-            call 'shutdown' for such processes before exiting.
-            """
-            from mindsdb.integrations.libs.process_cache import process_cache
-            process_cache.shutdown(wait=True)
+    # Root app LAST so it won't shadow the others
+    routes.append(Mount("/", app=WSGIMiddleware(app)))
 
-        options = {
-            'bind': f'{host}:{port}',
-            'post_fork': post_fork,
-            'worker_exit': before_worker_exit,
-            **server_config
-        }
-        StandaloneApplication(app, options).run()
+    # Setting logging to None makes uvicorn use the existing logging configuration
+    uvicorn.run(Starlette(routes=routes, debug=verbose), host=host, port=int(port), log_level=None, log_config=None)

mindsdb/api/litellm/start.py

@@ -24,12 +24,12 @@ async def start_async(verbose=False):
     project_name = config.cmd_args.project or "mindsdb"
 
     # Get MCP server connection details
-    mcp_host = config.get('api', {}).get('mcp', {}).get('host', '127.0.0.1')
-    mcp_port = int(config.get('api', {}).get('mcp', {}).get('port', 47337))
+    mcp_host = "127.0.0.1"
+    mcp_port = int(config.get("api", {}).get("http", {}).get("port", 47334))
 
     # Get LiteLLM server settings
-    litellm_host = config.get('api', {}).get('litellm', {}).get('host', '0.0.0.0')
-    litellm_port = int(config.get('api', {}).get('litellm', {}).get('port', 8000))
+    litellm_host = config.get("api", {}).get("litellm", {}).get("host", "0.0.0.0")
+    litellm_port = int(config.get("api", {}).get("litellm", {}).get("port", 8000))
 
     logger.info(f"Starting LiteLLM server for agent '{agent_name}' in project '{project_name}'")
     logger.info(f"Connecting to MCP server at {mcp_host}:{mcp_port}")
@@ -41,7 +41,7 @@ async def start_async(verbose=False):
         mcp_host=mcp_host,
         mcp_port=mcp_port,
         host=litellm_host,
-        port=litellm_port
+        port=litellm_port,
     )
 
 
@@ -52,6 +52,7 @@ def start(verbose=False):
         verbose (bool): Whether to enable verbose logging
     """
     from mindsdb.interfaces.storage import db
+
     db.init()
 
     # Run the async function in the event loop
@@ -64,10 +65,10 @@ def start(verbose=False):
         config = Config()
         agent_name = config.cmd_args.agent
         project_name = config.cmd_args.project or "mindsdb"
-        mcp_host = config.get('api', {}).get('mcp', {}).get('host', '127.0.0.1')
-        mcp_port = int(config.get('api', {}).get('mcp', {}).get('port', 47337))
-        litellm_host = config.get('api', {}).get('litellm', {}).get('host', '0.0.0.0')
-        litellm_port = int(config.get('api', {}).get('litellm', {}).get('port', 8000))
+        mcp_host = config.get("api", {}).get("mcp", {}).get("host", "127.0.0.1")
+        mcp_port = int(config.get("api", {}).get("mcp", {}).get("port", 47337))
+        litellm_host = config.get("api", {}).get("litellm", {}).get("host", "0.0.0.0")
+        litellm_port = int(config.get("api", {}).get("litellm", {}).get("port", 8000))
 
         return run_server(
             agent_name=agent_name,
@@ -75,7 +76,7 @@ def start(verbose=False):
             mcp_host=mcp_host,
             mcp_port=mcp_port,
             host=litellm_host,
-            port=litellm_port
+            port=litellm_port,
         )
     else:
         logger.error("LiteLLM server initialization failed")