chainlit 1.0.401__py3-none-any.whl → 2.0.3__py3-none-any.whl

chainlit/server.py

@@ -1,24 +1,45 @@
+import asyncio
+import fnmatch
 import glob
 import json
 import mimetypes
+import os
 import re
 import shutil
 import urllib.parse
-from typing import Any, Optional, Union
-
-from chainlit.oauth_providers import get_oauth_provider
-from chainlit.secret import random_secret
-
-mimetypes.add_type("application/javascript", ".js")
-mimetypes.add_type("text/css", ".css")
-
-import asyncio
-import os
 import webbrowser
 from contextlib import asynccontextmanager
 from pathlib import Path
+from typing import List, Optional, Union, cast
+
+import socketio
+from fastapi import (
+    APIRouter,
+    Depends,
+    FastAPI,
+    Form,
+    HTTPException,
+    Query,
+    Request,
+    Response,
+    UploadFile,
+    status,
+)
+from fastapi.responses import FileResponse, HTMLResponse, JSONResponse, RedirectResponse
+from fastapi.security import OAuth2PasswordRequestForm
+from starlette.datastructures import URL
+from starlette.middleware.cors import CORSMiddleware
+from typing_extensions import Annotated
+from watchfiles import awatch
 
-from chainlit.auth import create_jwt, get_configuration, get_current_user
+from chainlit.auth import create_jwt, decode_jwt, get_configuration, get_current_user
+from chainlit.auth.cookie import (
+    clear_auth_cookie,
+    clear_oauth_state_cookie,
+    set_auth_cookie,
+    set_oauth_state_cookie,
+    validate_oauth_state_cookie,
+)
 from chainlit.config import (
     APP_ROOT,
     BACKEND_ROOT,
@@ -27,51 +48,48 @@ from chainlit.config import (
     PACKAGE_ROOT,
     config,
     load_module,
+    public_dir,
     reload_config,
 )
 from chainlit.data import get_data_layer
 from chainlit.data.acl import is_thread_author
 from chainlit.logger import logger
 from chainlit.markdown import get_markdown_str
-from chainlit.playground.config import get_llm_providers
-from chainlit.telemetry import trace_event
+from chainlit.oauth_providers import get_oauth_provider
+from chainlit.secret import random_secret
 from chainlit.types import (
+    CallActionRequest,
+    DeleteFeedbackRequest,
     DeleteThreadRequest,
-    GenerationRequest,
+    ElementRequest,
     GetThreadsRequest,
     Theme,
     UpdateFeedbackRequest,
+    UpdateThreadRequest,
 )
 from chainlit.user import PersistedUser, User
-from fastapi import (
-    Depends,
-    FastAPI,
-    HTTPException,
-    Query,
-    Request,
-    Response,
-    UploadFile,
-    status,
-)
-from fastapi.responses import FileResponse, HTMLResponse, JSONResponse, RedirectResponse
-from fastapi.security import OAuth2PasswordRequestForm
-from fastapi.staticfiles import StaticFiles
-from fastapi_socketio import SocketManager
-from starlette.datastructures import URL
-from starlette.middleware.cors import CORSMiddleware
-from typing_extensions import Annotated
-from watchfiles import awatch
+
+from ._utils import is_path_inside
+
+mimetypes.add_type("application/javascript", ".js")
+mimetypes.add_type("text/css", ".css")
+
+ROOT_PATH = os.environ.get("CHAINLIT_ROOT_PATH", "")
+IS_SUBMOUNT = os.environ.get("CHAINLIT_SUBMOUNT", "") == "true"
+# If the app is a submount, no need to set the prefix
+PREFIX = ROOT_PATH if ROOT_PATH and not IS_SUBMOUNT else ""
 
 
 @asynccontextmanager
 async def lifespan(app: FastAPI):
+    """Context manager to handle app start and shutdown."""
     host = config.run.host
     port = config.run.port
 
     if host == DEFAULT_HOST:
-        url = f"http://localhost:{port}"
+        url = f"http://localhost:{port}{ROOT_PATH}"
     else:
-        url = f"http://{host}:{port}"
+        url = f"http://{host}:{port}{ROOT_PATH}"
 
     logger.info(f"Your app is available at {url}")
 
@@ -112,22 +130,33 @@ async def lifespan(app: FastAPI):
                                 logger.error(f"Error reloading module: {e}")
 
                         await asyncio.sleep(1)
-                        await socket.emit("reload", {})
+                        await sio.emit("reload", {})
 
                         break
 
         watch_task = asyncio.create_task(watch_files_for_changes())
 
+    discord_task = None
+
+    if discord_bot_token := os.environ.get("DISCORD_BOT_TOKEN"):
+        from chainlit.discord.app import client
+
+        discord_task = asyncio.create_task(client.start(discord_bot_token))
+
     try:
         yield
     finally:
-        if watch_task:
-            try:
+        try:
+            if watch_task:
                 stop_event.set()
                 watch_task.cancel()
                 await watch_task
-            except asyncio.exceptions.CancelledError:
-                pass
+
+            if discord_task:
+                discord_task.cancel()
+                await discord_task
+        except asyncio.exceptions.CancelledError:
+            pass
 
         if FILES_DIRECTORY.is_dir():
             shutil.rmtree(FILES_DIRECTORY)
@@ -136,10 +165,26 @@ async def lifespan(app: FastAPI):
         os._exit(0)
 
 
-def get_build_dir(local_target: str, packaged_target: str):
+def get_build_dir(local_target: str, packaged_target: str) -> str:
+    """
+    Get the build directory based on the UI build strategy.
+
+    Args:
+        local_target (str): The local target directory.
+        packaged_target (str): The packaged target directory.
+
+    Returns:
+        str: The build directory
+    """
+
     local_build_dir = os.path.join(PACKAGE_ROOT, local_target, "dist")
     packaged_build_dir = os.path.join(BACKEND_ROOT, packaged_target, "dist")
-    if os.path.exists(local_build_dir):
+
+    if config.ui.custom_build and os.path.exists(
+        os.path.join(APP_ROOT, config.ui.custom_build)
+    ):
+        return os.path.join(APP_ROOT, config.ui.custom_build)
+    elif os.path.exists(local_build_dir):
         return local_build_dir
     elif os.path.exists(packaged_build_dir):
         return packaged_build_dir
@@ -150,28 +195,16 @@ def get_build_dir(local_target: str, packaged_target: str):
 build_dir = get_build_dir("frontend", "frontend")
 copilot_build_dir = get_build_dir(os.path.join("libs", "copilot"), "copilot")
 
-
 app = FastAPI(lifespan=lifespan)
 
-app.mount("/public", StaticFiles(directory="public", check_dir=False), name="public")
-app.mount(
-    "/assets",
-    StaticFiles(
-        packages=[("chainlit", os.path.join(build_dir, "assets"))],
-        follow_symlink=config.project.follow_symlink,
-    ),
-    name="assets",
-)
+sio = socketio.AsyncServer(cors_allowed_origins=[], async_mode="asgi")
 
-app.mount(
-    "/copilot",
-    StaticFiles(
-        packages=[("chainlit", copilot_build_dir)],
-        follow_symlink=config.project.follow_symlink,
-    ),
-    name="copilot",
+asgi_app = socketio.ASGIApp(
+    socketio_server=sio,
+    socketio_path="",
 )
 
+app.mount(f"{PREFIX}/ws/socket.io", asgi_app)
 
 app.add_middleware(
     CORSMiddleware,
@@ -181,11 +214,91 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
-socket = SocketManager(
-    app,
-    cors_allowed_origins=[],
-    async_mode="asgi",
-)
+router = APIRouter(prefix=PREFIX)
+
+
+@router.get("/public/{filename:path}")
+async def serve_public_file(
+    filename: str,
+):
+    """Serve a file from public dir."""
+
+    base_path = Path(public_dir)
+    file_path = (base_path / filename).resolve()
+
+    if not is_path_inside(file_path, base_path):
+        raise HTTPException(status_code=400, detail="Invalid filename")
+
+    if file_path.is_file():
+        return FileResponse(file_path)
+    else:
+        raise HTTPException(status_code=404, detail="File not found")
+
+
+@router.get("/assets/{filename:path}")
+async def serve_asset_file(
+    filename: str,
+):
+    """Serve a file from assets dir."""
+
+    base_path = Path(os.path.join(build_dir, "assets"))
+    file_path = (base_path / filename).resolve()
+
+    if not is_path_inside(file_path, base_path):
+        raise HTTPException(status_code=400, detail="Invalid filename")
+
+    if file_path.is_file():
+        return FileResponse(file_path)
+    else:
+        raise HTTPException(status_code=404, detail="File not found")
+
+
+@router.get("/copilot/{filename:path}")
+async def serve_copilot_file(
+    filename: str,
+):
+    """Serve a file from assets dir."""
+
+    base_path = Path(copilot_build_dir)
+    file_path = (base_path / filename).resolve()
+
+    if not is_path_inside(file_path, base_path):
+        raise HTTPException(status_code=400, detail="Invalid filename")
+
+    if file_path.is_file():
+        return FileResponse(file_path)
+    else:
+        raise HTTPException(status_code=404, detail="File not found")
+
+
+# -------------------------------------------------------------------------------
+#                               SLACK HANDLER
+# -------------------------------------------------------------------------------
+
+if os.environ.get("SLACK_BOT_TOKEN") and os.environ.get("SLACK_SIGNING_SECRET"):
+    from chainlit.slack.app import slack_app_handler
+
+    @router.post("/slack/events")
+    async def slack_endpoint(req: Request):
+        return await slack_app_handler.handle(req)
+
+
+# -------------------------------------------------------------------------------
+#                               TEAMS HANDLER
+# -------------------------------------------------------------------------------
+
+if os.environ.get("TEAMS_APP_ID") and os.environ.get("TEAMS_APP_PASSWORD"):
+    from botbuilder.schema import Activity
+
+    from chainlit.teams.app import adapter, bot
+
+    @router.post("/teams/events")
+    async def teams_endpoint(req: Request):
+        body = await req.json()
+        activity = Activity().deserialize(body)
+        auth_header = req.headers.get("Authorization", "")
+        response = await adapter.process_activity(activity, auth_header, bot.on_turn)
+        return response
 
 
 # -------------------------------------------------------------------------------
@@ -193,28 +306,55 @@ socket = SocketManager(
 # -------------------------------------------------------------------------------
 
 
-def replace_between_tags(text: str, start_tag: str, end_tag: str, replacement: str):
+def replace_between_tags(
+    text: str, start_tag: str, end_tag: str, replacement: str
+) -> str:
+    """Replace text between two tags in a string."""
+
     pattern = start_tag + ".*?" + end_tag
     return re.sub(pattern, start_tag + replacement + end_tag, text, flags=re.DOTALL)
 
 
 def get_html_template():
+    """
+    Get HTML template for the index view.
+    """
+    ROOT_PATH = os.environ.get("CHAINLIT_ROOT_PATH", "")
+
+    custom_theme = None
+    custom_theme_file_path = Path(public_dir) / "theme.json"
+    if (
+        is_path_inside(custom_theme_file_path, Path(public_dir))
+        and custom_theme_file_path.is_file()
+    ):
+        custom_theme = json.loads(custom_theme_file_path.read_text(encoding="utf-8"))
+
     PLACEHOLDER = "<!-- TAG INJECTION PLACEHOLDER -->"
     JS_PLACEHOLDER = "<!-- JS INJECTION PLACEHOLDER -->"
     CSS_PLACEHOLDER = "<!-- CSS INJECTION PLACEHOLDER -->"
 
     default_url = "https://github.com/Chainlit/chainlit"
+    default_meta_image_url = (
+        "https://chainlit-cloud.s3.eu-west-3.amazonaws.com/logo/chainlit_banner.png"
+    )
     url = config.ui.github or default_url
+    meta_image_url = config.ui.custom_meta_image_url or default_meta_image_url
+    favicon_path = "/favicon"
 
     tags = f"""<title>{config.ui.name}</title>
+    <link rel="icon" href="{favicon_path}" />
     <meta name="description" content="{config.ui.description}">
     <meta property="og:type" content="website">
     <meta property="og:title" content="{config.ui.name}">
     <meta property="og:description" content="{config.ui.description}">
-    <meta property="og:image" content="https://chainlit-cloud.s3.eu-west-3.amazonaws.com/logo/chainlit_banner.png">
-    <meta property="og:url" content="{url}">"""
+    <meta property="og:image" content="{meta_image_url}">
+    <meta property="og:url" content="{url}">
+    <meta property="og:root_path" content="{ROOT_PATH}">"""
 
-    js = f"""<script>{f"window.theme = {json.dumps(config.ui.theme.to_dict())}; " if config.ui.theme else ""}</script>"""
+    js = f"""<script>
+{f"window.theme = {json.dumps(custom_theme.get('variables'))};" if custom_theme and custom_theme.get("variables") else "undefined"}
+{f"window.transports = {json.dumps(config.project.transports)};" if config.project.transports else "undefined"}
+</script>"""
 
     css = None
     if config.ui.custom_css:
@@ -226,12 +366,15 @@ def get_html_template():
         js += f"""<script src="{config.ui.custom_js}" defer></script>"""
 
     font = None
-    if config.ui.custom_font:
-        font = f"""<link rel="stylesheet" href="{config.ui.custom_font}">"""
+    if custom_theme and custom_theme.get("custom_fonts"):
+        font = "\n".join(
+            f"""<link rel="stylesheet" href="{font}">"""
+            for font in custom_theme.get("custom_fonts")
+        )
 
     index_html_file_path = os.path.join(build_dir, "index.html")
 
-    with open(index_html_file_path, "r", encoding="utf-8") as f:
+    with open(index_html_file_path, encoding="utf-8") as f:
         content = f.read()
         content = content.replace(PLACEHOLDER, tags)
         if js:
@@ -242,6 +385,9 @@ def get_html_template():
             content = replace_between_tags(
                 content, "<!-- FONT START -->", "<!-- FONT END -->", font
             )
+        if ROOT_PATH:
+            content = content.replace('href="/', f'href="{ROOT_PATH}/')
+            content = content.replace('src="/', f'src="{ROOT_PATH}/')
         return content
 
 
@@ -250,7 +396,6 @@ def get_user_facing_url(url: URL):
     Return the user facing URL for a given URL.
     Handles deployment with proxies (like cloud run).
     """
-
     chainlit_url = os.environ.get("CHAINLIT_URL")
 
     # No config, we keep the URL as is
@@ -269,49 +414,140 @@ def get_user_facing_url(url: URL):
     return config_url.__str__() + url.path
 
 
-@app.get("/auth/config")
+@router.get("/auth/config")
 async def auth(request: Request):
     return get_configuration()
 
 
-@app.post("/login")
-async def login(form_data: OAuth2PasswordRequestForm = Depends()):
-    if not config.code.password_auth_callback:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST, detail="No auth_callback defined"
+def _get_response_dict(access_token: str) -> dict:
+    """Get the response dictionary for the auth response."""
+
+    return {"success": True}
+
+
+def _get_auth_response(access_token: str, redirect_to_callback: bool) -> Response:
+    """Get the redirect params for the OAuth callback."""
+
+    response_dict = _get_response_dict(access_token)
+
+    if redirect_to_callback:
+        root_path = os.environ.get("CHAINLIT_ROOT_PATH", "")
+        redirect_url = (
+            f"{root_path}/login/callback?{urllib.parse.urlencode(response_dict)}"
         )
 
-    user = await config.code.password_auth_callback(
-        form_data.username, form_data.password
+        return RedirectResponse(
+            # FIXME: redirect to the right frontend base url to improve the dev environment
+            url=redirect_url,
+            status_code=302,
+        )
+
+    return JSONResponse(response_dict)
+
+
+def _get_oauth_redirect_error(error: str) -> Response:
+    """Get the redirect response for an OAuth error."""
+    params = urllib.parse.urlencode(
+        {
+            "error": error,
+        }
     )
+    response = RedirectResponse(
+        # FIXME: redirect to the right frontend base url to improve the dev environment
+        url=f"/login?{params}",  # Shouldn't there be {root_path} here?
+    )
+    return response
+
+
+async def _authenticate_user(
+    user: Optional[User], redirect_to_callback: bool = False
+) -> Response:
+    """Authenticate a user and return the response."""
 
     if not user:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="credentialssignin",
         )
-    access_token = create_jwt(user)
+
+    # If a data layer is defined, attempt to persist user.
     if data_layer := get_data_layer():
         try:
             await data_layer.create_user(user)
         except Exception as e:
+            # Catch and log exceptions during user creation.
+            # TODO: Make this catch only specific errors and allow others to propagate.
             logger.error(f"Error creating user: {e}")
 
-    return {
-        "access_token": access_token,
-        "token_type": "bearer",
-    }
+    access_token = create_jwt(user)
+
+    response = _get_auth_response(access_token, redirect_to_callback)
+
+    set_auth_cookie(response, access_token)
+
+    return response
+
+
+@router.post("/login")
+async def login(response: Response, form_data: OAuth2PasswordRequestForm = Depends()):
+    """
+    Login a user using the password auth callback.
+    """
+    if not config.code.password_auth_callback:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST, detail="No auth_callback defined"
+        )
+
+    user = await config.code.password_auth_callback(
+        form_data.username, form_data.password
+    )
+
+    return await _authenticate_user(user)
 
 
-@app.post("/logout")
+@router.post("/logout")
 async def logout(request: Request, response: Response):
+    """Logout the user by calling the on_logout callback."""
+    clear_auth_cookie(response)
+
     if config.code.on_logout:
         return await config.code.on_logout(request, response)
+
     return {"success": True}
 
 
-@app.post("/auth/header")
+@router.post("/auth/jwt")
+async def jwt_auth(request: Request):
+    """Login a user using a valid jwt."""
+    from jwt import InvalidTokenError
+
+    auth_header: Optional[str] = request.headers.get("Authorization")
+    if not auth_header:
+        raise HTTPException(status_code=401, detail="Authorization header missing")
+
+    # Check if it starts with "Bearer "
+    try:
+        scheme, token = auth_header.split()
+        if scheme.lower() != "bearer":
+            raise HTTPException(
+                status_code=401,
+                detail="Invalid authentication scheme. Please use Bearer",
+            )
+    except ValueError:
+        raise HTTPException(
+            status_code=401, detail="Invalid authorization header format"
+        )
+
+    try:
+        user = decode_jwt(token)
+        return await _authenticate_user(user)
+    except InvalidTokenError:
+        raise HTTPException(status_code=401, detail="Invalid token")
+
+
+@router.post("/auth/header")
 async def header_auth(request: Request):
+    """Login a user using the header_auth_callback."""
     if not config.code.header_auth_callback:
         raise HTTPException(
             status_code=status.HTTP_400_BAD_REQUEST,
@@ -320,27 +556,12 @@ async def header_auth(request: Request):
 
     user = await config.code.header_auth_callback(request.headers)
 
-    if not user:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Unauthorized",
-        )
-
-    access_token = create_jwt(user)
-    if data_layer := get_data_layer():
-        try:
-            await data_layer.create_user(user)
-        except Exception as e:
-            logger.error(f"Error creating user: {e}")
-
-    return {
-        "access_token": access_token,
-        "token_type": "bearer",
-    }
+    return await _authenticate_user(user)
 
 
-@app.get("/auth/oauth/{provider_id}")
+@router.get("/auth/oauth/{provider_id}")
 async def oauth_login(provider_id: str, request: Request):
+    """Redirect the user to the oauth provider login page."""
     if config.code.oauth_callback is None:
         raise HTTPException(
             status_code=status.HTTP_400_BAD_REQUEST,
@@ -367,20 +588,13 @@ async def oauth_login(provider_id: str, request: Request):
     response = RedirectResponse(
         url=f"{provider.authorize_url}?{params}",
     )
-    samesite = os.environ.get("CHAINLIT_COOKIE_SAMESITE", "lax")  # type: Any
-    secure = samesite.lower() == "none"
-    response.set_cookie(
-        "oauth_state",
-        random,
-        httponly=True,
-        samesite=samesite,
-        secure=secure,
-        max_age=3 * 60,
-    )
+
+    set_oauth_state_cookie(response, random)
+
     return response
 
 
-@app.get("/auth/oauth/{provider_id}/callback")
+@router.get("/auth/oauth/{provider_id}/callback")
 async def oauth_callback(
     provider_id: str,
     request: Request,
@@ -388,6 +602,8 @@ async def oauth_callback(
     code: Optional[str] = None,
     state: Optional[str] = None,
 ):
+    """Handle the oauth callback and login the user."""
+
     if config.code.oauth_callback is None:
         raise HTTPException(
             status_code=status.HTTP_400_BAD_REQUEST,
@@ -402,16 +618,7 @@ async def oauth_callback(
         )
 
     if error:
-        params = urllib.parse.urlencode(
-            {
-                "error": error,
-            }
-        )
-        response = RedirectResponse(
-            # FIXME: redirect to the right frontend base url to improve the dev environment
-            url=f"/login?{params}",
-        )
-        return response
+        return _get_oauth_redirect_error(error)
 
     if not code or not state:
         raise HTTPException(
@@ -419,9 +626,11 @@ async def oauth_callback(
             detail="Missing code or state",
         )
 
-    # Check the state from the oauth provider against the browser cookie
-    oauth_state = request.cookies.get("oauth_state")
-    if oauth_state != state:
+    try:
+        validate_oauth_state_cookie(request, state)
+    except Exception as e:
+        logger.exception("Unable to validate oauth state: %1", e)
+
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="Unauthorized",
@@ -436,83 +645,128 @@ async def oauth_callback(
         provider_id, token, raw_user_data, default_user
     )
 
-    if not user:
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Unauthorized",
-        )
+    response = await _authenticate_user(user, redirect_to_callback=True)
 
-    access_token = create_jwt(user)
-
-    if data_layer := get_data_layer():
-        try:
-            await data_layer.create_user(user)
-        except Exception as e:
-            logger.error(f"Error creating user: {e}")
+    clear_oauth_state_cookie(response)
 
-    params = urllib.parse.urlencode(
-        {
-            "access_token": access_token,
-            "token_type": "bearer",
-        }
-    )
-    response = RedirectResponse(
-        # FIXME: redirect to the right frontend base url to improve the dev environment
-        url=f"/login/callback?{params}",
-    )
-    response.delete_cookie("oauth_state")
     return response
 
 
-@app.post("/generation")
-async def generation(
-    request: GenerationRequest,
-    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
+# specific route for azure ad hybrid flow
+@router.post("/auth/oauth/azure-ad-hybrid/callback")
+async def oauth_azure_hf_callback(
+    request: Request,
+    error: Optional[str] = None,
+    code: Annotated[Optional[str], Form()] = None,
+    id_token: Annotated[Optional[str], Form()] = None,
 ):
-    """Handle a completion request from the prompt playground."""
+    """Handle the azure ad hybrid flow callback and login the user."""
 
-    providers = get_llm_providers()
+    provider_id = "azure-ad-hybrid"
+    if config.code.oauth_callback is None:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="No oauth_callback defined",
+        )
 
-    try:
-        provider = [p for p in providers if p.id == request.generation.provider][0]
-    except IndexError:
+    provider = get_oauth_provider(provider_id)
+    if not provider:
         raise HTTPException(
-            status_code=404,
-            detail=f"LLM provider '{request.generation.provider}' not found",
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Provider {provider_id} not found",
         )
 
-    trace_event("pp_create_completion")
-    response = await provider.create_completion(request)
+    if error:
+        return _get_oauth_redirect_error(error)
+
+    if not code:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Missing code",
+        )
+
+    url = get_user_facing_url(request.url)
+    token = await provider.get_token(code, url)
+
+    (raw_user_data, default_user) = await provider.get_user_info(token)
+
+    user = await config.code.oauth_callback(
+        provider_id, token, raw_user_data, default_user, id_token
+    )
+
+    response = await _authenticate_user(user, redirect_to_callback=True)
+
+    clear_oauth_state_cookie(response)
 
     return response
 
 
-@app.get("/project/llm-providers")
-async def get_providers(
-    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)]
+GenericUser = Union[User, PersistedUser, None]
+UserParam = Annotated[GenericUser, Depends(get_current_user)]
+
+
+@router.get("/user")
+async def get_user(current_user: UserParam) -> GenericUser:
+    return current_user
+
+
+_language_pattern = (
+    "^[a-zA-Z]{2,3}(-[a-zA-Z0-9]{2,3})?(-[a-zA-Z0-9]{2,8})?(-x-[a-zA-Z0-9]{1,8})?$"
+)
+
+
+@router.get("/project/translations")
+async def project_translations(
+    language: str = Query(
+        default="en-US", description="Language code", pattern=_language_pattern
+    ),
 ):
-    """List the providers."""
-    trace_event("pp_get_llm_providers")
-    providers = get_llm_providers()
-    providers = [p.to_dict() for p in providers]
-    return JSONResponse(content={"providers": providers})
+    """Return project translations."""
+
+    # Load translation based on the provided language
+    translation = config.load_translation(language)
+
+    return JSONResponse(
+        content={
+            "translation": translation,
+        }
+    )
 
 
-@app.get("/project/settings")
+@router.get("/project/settings")
 async def project_settings(
-    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
-    language: str = Query(default="en-US", description="Language code"),
+    current_user: UserParam,
+    language: str = Query(
+        default="en-US", description="Language code", pattern=_language_pattern
+    ),
 ):
     """Return project settings. This is called by the UI before the establishing the websocket connection."""
 
-    # Load translation based on the provided language
-    translation = config.load_translation(language)
+    # Load the markdown file based on the provided language
+
+    markdown = get_markdown_str(config.root, language)
 
     profiles = []
     if config.code.set_chat_profiles:
         chat_profiles = await config.code.set_chat_profiles(current_user)
         if chat_profiles:
             profiles = [p.to_dict() for p in chat_profiles]
+
+    starters = []
+    if config.code.set_starters:
+        starters = await config.code.set_starters(current_user)
+        if starters:
+            starters = [s.to_dict() for s in starters]
+
+    if config.code.on_audio_chunk:
+        config.features.audio.enabled = True
+
+    debug_url = None
+    data_layer = get_data_layer()
+
+    if data_layer and config.run.debug:
+        debug_url = await data_layer.build_debug_url()
+
     return JSONResponse(
         content={
             "ui": config.ui.to_dict(),
@@ -520,18 +774,19 @@ async def project_settings(
             "userEnv": config.project.user_env,
             "dataPersistence": get_data_layer() is not None,
             "threadResumable": bool(config.code.on_chat_resume),
-            "markdown": get_markdown_str(config.root),
+            "markdown": markdown,
             "chatProfiles": profiles,
-            "translation": translation,
+            "starters": starters,
+            "debugUrl": debug_url,
         }
     )
 
 
-@app.put("/feedback")
+@router.put("/feedback")
 async def update_feedback(
     request: Request,
     update: UpdateFeedbackRequest,
-    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
+    current_user: UserParam,
 ):
     """Update the human feedback for a particular message."""
     data_layer = get_data_layer()
@@ -541,36 +796,63 @@ async def update_feedback(
     try:
         feedback_id = await data_layer.upsert_feedback(feedback=update.feedback)
     except Exception as e:
-        raise HTTPException(detail=str(e), status_code=500)
+        raise HTTPException(detail=str(e), status_code=500) from e
 
     return JSONResponse(content={"success": True, "feedbackId": feedback_id})
 
 
-@app.post("/project/threads")
+@router.delete("/feedback")
+async def delete_feedback(
+    request: Request,
+    payload: DeleteFeedbackRequest,
+    current_user: UserParam,
+):
+    """Delete a feedback."""
+
+    data_layer = get_data_layer()
+
+    if not data_layer:
+        raise HTTPException(status_code=400, detail="Data persistence is not enabled")
+
+    feedback_id = payload.feedbackId
+
+    await data_layer.delete_feedback(feedback_id)
+    return JSONResponse(content={"success": True})
+
+
+@router.post("/project/threads")
 async def get_user_threads(
     request: Request,
     payload: GetThreadsRequest,
-    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
+    current_user: UserParam,
 ):
     """Get the threads page by page."""
-    # Only show the current user threads
 
     data_layer = get_data_layer()
 
     if not data_layer:
         raise HTTPException(status_code=400, detail="Data persistence is not enabled")
 
-    payload.filter.userIdentifier = current_user.identifier
+    if not current_user:
+        raise HTTPException(status_code=401, detail="Unauthorized")
+
+    if not isinstance(current_user, PersistedUser):
+        persisted_user = await data_layer.get_user(identifier=current_user.identifier)
+        if not persisted_user:
+            raise HTTPException(status_code=404, detail="User not found")
+        payload.filter.userId = persisted_user.id
+    else:
+        payload.filter.userId = current_user.id
 
     res = await data_layer.list_threads(payload.pagination, payload.filter)
     return JSONResponse(content=res.to_dict())
 
 
-@app.get("/project/thread/{thread_id}")
+@router.get("/project/thread/{thread_id}")
 async def get_thread(
     request: Request,
     thread_id: str,
-    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
+    current_user: UserParam,
 ):
     """Get a specific thread."""
     data_layer = get_data_layer()
@@ -578,18 +860,21 @@ async def get_thread(
     if not data_layer:
         raise HTTPException(status_code=400, detail="Data persistence is not enabled")
 
+    if not current_user:
+        raise HTTPException(status_code=401, detail="Unauthorized")
+
     await is_thread_author(current_user.identifier, thread_id)
 
     res = await data_layer.get_thread(thread_id)
     return JSONResponse(content=res)
 
 
-@app.get("/project/thread/{thread_id}/element/{element_id}")
+@router.get("/project/thread/{thread_id}/element/{element_id}")
 async def get_thread_element(
     request: Request,
     thread_id: str,
     element_id: str,
-    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
+    current_user: UserParam,
 ):
     """Get a specific thread element."""
     data_layer = get_data_layer()
@@ -597,17 +882,135 @@ async def get_thread_element(
     if not data_layer:
         raise HTTPException(status_code=400, detail="Data persistence is not enabled")
 
+    if not current_user:
+        raise HTTPException(status_code=401, detail="Unauthorized")
+
     await is_thread_author(current_user.identifier, thread_id)
 
     res = await data_layer.get_element(thread_id, element_id)
     return JSONResponse(content=res)
 
 
-@app.delete("/project/thread")
+@router.put("/project/element")
+async def update_thread_element(
+    payload: ElementRequest,
+    current_user: UserParam,
+):
+    """Update a specific thread element."""
+
+    from chainlit.context import init_ws_context
+    from chainlit.element import CustomElement, ElementDict
+    from chainlit.session import WebsocketSession
+
+    session = WebsocketSession.get_by_id(payload.sessionId)
+    context = init_ws_context(session)
+
+    element_dict = cast(ElementDict, payload.element)
+
+    if element_dict["type"] != "custom":
+        return {"success": False}
+
+    element = CustomElement(
+        id=element_dict["id"],
+        object_key=element_dict["objectKey"],
+        chainlit_key=element_dict["chainlitKey"],
+        url=element_dict["url"],
+        for_id=element_dict.get("forId") or "",
+        thread_id=element_dict.get("threadId") or "",
+        name=element_dict["name"],
+        props=element_dict.get("props") or {},
+        display=element_dict["display"],
+    )
+
+    if current_user:
+        if (
+            not context.session.user
+            or context.session.user.identifier != current_user.identifier
+        ):
+            raise HTTPException(
+                status_code=401,
+                detail="You are not authorized to update elements for this session",
+            )
+
+    await element.update()
+    return {"success": True}
+
+
+@router.delete("/project/element")
+async def delete_thread_element(
+    payload: ElementRequest,
+    current_user: UserParam,
+):
+    """Delete a specific thread element."""
+
+    from chainlit.context import init_ws_context
+    from chainlit.element import CustomElement, ElementDict
+    from chainlit.session import WebsocketSession
+
+    session = WebsocketSession.get_by_id(payload.sessionId)
+    context = init_ws_context(session)
+
+    element_dict = cast(ElementDict, payload.element)
+
+    if element_dict["type"] != "custom":
+        return {"success": False}
+
+    element = CustomElement(
+        id=element_dict["id"],
+        object_key=element_dict["objectKey"],
+        chainlit_key=element_dict["chainlitKey"],
+        url=element_dict["url"],
+        for_id=element_dict.get("forId") or "",
+        thread_id=element_dict.get("threadId") or "",
+        name=element_dict["name"],
+        props=element_dict.get("props") or {},
+        display=element_dict["display"],
+    )
+
+    if current_user:
+        if (
+            not context.session.user
+            or context.session.user.identifier != current_user.identifier
+        ):
+            raise HTTPException(
+                status_code=401,
+                detail="You are not authorized to remove elements for this session",
+            )
+
+    await element.remove()
+
+    return {"success": True}
+
+
+@router.put("/project/thread")
+async def rename_thread(
+    request: Request,
+    payload: UpdateThreadRequest,
+    current_user: UserParam,
+):
+    """Rename a thread."""
+
+    data_layer = get_data_layer()
+
+    if not data_layer:
+        raise HTTPException(status_code=400, detail="Data persistence is not enabled")
+
+    if not current_user:
+        raise HTTPException(status_code=401, detail="Unauthorized")
+
+    thread_id = payload.threadId
+
+    await is_thread_author(current_user.identifier, thread_id)
+
+    await data_layer.update_thread(thread_id, name=payload.name)
+    return JSONResponse(content={"success": True})
+
+
+@router.delete("/project/thread")
 async def delete_thread(
     request: Request,
     payload: DeleteThreadRequest,
-    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
+    current_user: UserParam,
 ):
     """Delete a thread."""
 
@@ -616,6 +1019,9 @@ async def delete_thread(
     if not data_layer:
         raise HTTPException(status_code=400, detail="Data persistence is not enabled")
 
+    if not current_user:
+        raise HTTPException(status_code=401, detail="Unauthorized")
+
     thread_id = payload.threadId
 
     await is_thread_author(current_user.identifier, thread_id)
@@ -624,14 +1030,56 @@ async def delete_thread(
     return JSONResponse(content={"success": True})
 
 
-@app.post("/project/file")
+@router.post("/project/action")
+async def call_action(
+    payload: CallActionRequest,
+    current_user: UserParam,
+):
+    """Run an action."""
+
+    from chainlit.action import Action
+    from chainlit.context import init_ws_context
+    from chainlit.session import WebsocketSession
+
+    session = WebsocketSession.get_by_id(payload.sessionId)
+    context = init_ws_context(session)
+
+    action = Action(**payload.action)
+
+    if current_user:
+        if (
+            not context.session.user
+            or context.session.user.identifier != current_user.identifier
+        ):
+            raise HTTPException(
+                status_code=401,
+                detail="You are not authorized to upload files for this session",
+            )
+
+    callback = config.code.action_callbacks.get(action.name)
+    if callback:
+        if not context.session.has_first_interaction:
+            context.session.has_first_interaction = True
+            asyncio.create_task(context.emitter.init_thread(action.name))
+
+        await callback(action)
+    else:
+        raise HTTPException(
+            status_code=404,
+            detail=f"No callback found for action {action.name}",
+        )
+
+    return JSONResponse(content={"success": True})
+
+
+@router.post("/project/file")
 async def upload_file(
+    current_user: UserParam,
     session_id: str,
     file: UploadFile,
-    current_user: Annotated[
-        Union[None, User, PersistedUser], Depends(get_current_user)
-    ],
 ):
+    """Upload a file to the session files directory."""
+
     from chainlit.session import WebsocketSession
 
     session = WebsocketSession.get_by_id(session_id)
@@ -653,28 +1101,122 @@ async def upload_file(
 
     content = await file.read()
 
+    assert file.filename, "No filename for uploaded file"
+    assert file.content_type, "No content type for uploaded file"
+
+    try:
+        validate_file_upload(file)
+    except ValueError as e:
+        raise HTTPException(status_code=400, detail=str(e))
+
     file_response = await session.persist_file(
         name=file.filename, content=content, mime=file.content_type
     )
 
-    return JSONResponse(file_response)
+    return JSONResponse(content=file_response)
+
+
+def validate_file_upload(file: UploadFile):
+    """Validate the file upload as configured in config.features.spontaneous_file_upload.
+    Args:
+        file (UploadFile): The file to validate.
+    Raises:
+        ValueError: If the file is not allowed.
+    """
+    # TODO: This logic/endpoint is shared across spontaneous uploads and the AskFileMessage API.
+    # Commenting this check until we find a better solution
+
+    # if config.features.spontaneous_file_upload is None:
+    #     """Default for a missing config is to allow the fileupload without any restrictions"""
+    #     return
+    # if not config.features.spontaneous_file_upload.enabled:
+    #     raise ValueError("File upload is not enabled")
+
+    validate_file_mime_type(file)
+    validate_file_size(file)
+
 
+def validate_file_mime_type(file: UploadFile):
+    """Validate the file mime type as configured in config.features.spontaneous_file_upload.
+    Args:
+        file (UploadFile): The file to validate.
+    Raises:
+        ValueError: If the file type is not allowed.
+    """
+
+    if (
+        config.features.spontaneous_file_upload is None
+        or config.features.spontaneous_file_upload.accept is None
+    ):
+        "Accept is not configured, allowing all file types"
+        return
+
+    accept = config.features.spontaneous_file_upload.accept
+
+    assert isinstance(accept, List) or isinstance(accept, dict), (
+        "Invalid configuration for spontaneous_file_upload, accept must be a list or a dict"
+    )
+
+    if isinstance(accept, List):
+        for pattern in accept:
+            if fnmatch.fnmatch(file.content_type, pattern):
+                return
+    elif isinstance(accept, dict):
+        for pattern, extensions in accept.items():
+            if fnmatch.fnmatch(file.content_type, pattern):
+                if len(extensions) == 0:
+                    return
+                for extension in extensions:
+                    if file.filename is not None and file.filename.endswith(extension):
+                        return
+    raise ValueError("File type not allowed")
+
+
+def validate_file_size(file: UploadFile):
+    """Validate the file size as configured in config.features.spontaneous_file_upload.
+    Args:
+        file (UploadFile): The file to validate.
+    Raises:
+        ValueError: If the file size is too large.
+    """
+    if (
+        config.features.spontaneous_file_upload is None
+        or config.features.spontaneous_file_upload.max_size_mb is None
+    ):
+        return
 
-@app.get("/project/file/{file_id}")
+    if (
+        file.size is not None
+        and file.size
+        > config.features.spontaneous_file_upload.max_size_mb * 1024 * 1024
+    ):
+        raise ValueError("File size too large")
+
+
+@router.get("/project/file/{file_id}")
 async def get_file(
     file_id: str,
-    session_id: Optional[str] = None,
+    session_id: str,
+    current_user: UserParam,
 ):
+    """Get a file from the session files directory."""
     from chainlit.session import WebsocketSession
 
     session = WebsocketSession.get_by_id(session_id) if session_id else None
 
     if not session:
         raise HTTPException(
-            status_code=404,
-            detail="Session not found",
+            status_code=401,
+            detail="Unauthorized",
         )
 
+    if current_user:
+        if not session.user or session.user.identifier != current_user.identifier:
+            raise HTTPException(
+                status_code=401,
+                detail="You are not authorized to download files from this session",
+            )
+
     if file_id in session.files:
         file = session.files[file_id]
         return FileResponse(file["path"], media_type=file["type"])
@@ -682,26 +1224,9 @@ async def get_file(
         raise HTTPException(status_code=404, detail="File not found")
 
 
-@app.get("/files/{filename:path}")
-async def serve_file(
-    filename: str,
-    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
-):
-    base_path = Path(config.project.local_fs_path).resolve()
-    file_path = (base_path / filename).resolve()
-
-    # Check if the base path is a parent of the file path
-    if base_path not in file_path.parents:
-        raise HTTPException(status_code=400, detail="Invalid filename")
-
-    if file_path.is_file():
-        return FileResponse(file_path)
-    else:
-        raise HTTPException(status_code=404, detail="File not found")
-
-
-@app.get("/favicon")
+@router.get("/favicon")
 async def get_favicon():
+    """Get the favicon for the UI."""
     custom_favicon_path = os.path.join(APP_ROOT, "public", "favicon.*")
     files = glob.glob(custom_favicon_path)
 
@@ -715,8 +1240,9 @@ async def get_favicon():
     return FileResponse(favicon_path, media_type=media_type)
 
 
-@app.get("/logo")
+@router.get("/logo")
 async def get_logo(theme: Optional[Theme] = Query(Theme.light)):
+    """Get the default logo for the UI."""
     theme_value = theme.value if theme else Theme.light.value
     logo_path = None
 
@@ -732,19 +1258,54 @@ async def get_logo(theme: Optional[Theme] = Query(Theme.light)):
 
     if not logo_path:
         raise HTTPException(status_code=404, detail="Missing default logo")
+
     media_type, _ = mimetypes.guess_type(logo_path)
 
     return FileResponse(logo_path, media_type=media_type)
 
 
-def register_wildcard_route_handler():
-    @app.get("/{path:path}")
-    async def serve(request: Request, path: str):
-        html_template = get_html_template()
-        """Serve the UI files."""
-        response = HTMLResponse(content=html_template, status_code=200)
+@router.get("/avatars/{avatar_id:str}")
+async def get_avatar(avatar_id: str):
+    """Get the avatar for the user based on the avatar_id."""
+    if not re.match(r"^[a-zA-Z0-9_ -]+$", avatar_id):
+        raise HTTPException(status_code=400, detail="Invalid avatar_id")
+
+    if avatar_id == "default":
+        avatar_id = config.ui.name
+
+    avatar_id = avatar_id.strip().lower().replace(" ", "_")
+
+    base_path = Path(APP_ROOT) / "public" / "avatars"
+    avatar_pattern = f"{avatar_id}.*"
+
+    matching_files = base_path.glob(avatar_pattern)
+
+    if avatar_path := next(matching_files, None):
+        if not is_path_inside(avatar_path, base_path):
+            raise HTTPException(status_code=400, detail="Invalid filename")
+
+        media_type, _ = mimetypes.guess_type(str(avatar_path))
+
+        return FileResponse(avatar_path, media_type=media_type)
+
+    return await get_favicon()
+
+
+@router.head("/")
+def status_check():
+    """Check if the site is operational."""
+    return {"message": "Site is operational"}
+
+
+@router.get("/{full_path:path}")
+async def serve():
+    html_template = get_html_template()
+    """Serve the UI files."""
+    response = HTMLResponse(content=html_template, status_code=200)
+
+    return response
 
-        return response
 
+app.include_router(router)
 
 import chainlit.socket  # noqa