chainlit 2.0.0__py3-none-any.whl → 2.0.dev1__py3-none-any.whl

chainlit/server.py

@@ -1,5 +1,4 @@
 import asyncio
-import fnmatch
 import glob
 import json
 import mimetypes
@@ -10,36 +9,10 @@ import urllib.parse
 import webbrowser
 from contextlib import asynccontextmanager
 from pathlib import Path
-from typing import List, Optional, Union, cast
+from typing import Any, Optional, Union
 
 import socketio
-from fastapi import (
-    APIRouter,
-    Depends,
-    FastAPI,
-    Form,
-    HTTPException,
-    Query,
-    Request,
-    Response,
-    UploadFile,
-    status,
-)
-from fastapi.responses import FileResponse, HTMLResponse, JSONResponse, RedirectResponse
-from fastapi.security import OAuth2PasswordRequestForm
-from starlette.datastructures import URL
-from starlette.middleware.cors import CORSMiddleware
-from typing_extensions import Annotated
-from watchfiles import awatch
-
-from chainlit.auth import create_jwt, decode_jwt, get_configuration, get_current_user
-from chainlit.auth.cookie import (
-    clear_auth_cookie,
-    clear_oauth_state_cookie,
-    set_auth_cookie,
-    set_oauth_state_cookie,
-    validate_oauth_state_cookie,
-)
+from chainlit.auth import create_jwt, get_configuration, get_current_user
 from chainlit.config import (
     APP_ROOT,
     BACKEND_ROOT,
@@ -48,7 +21,6 @@ from chainlit.config import (
     PACKAGE_ROOT,
     config,
     load_module,
-    public_dir,
     reload_config,
 )
 from chainlit.data import get_data_layer
@@ -58,16 +30,33 @@ from chainlit.markdown import get_markdown_str
 from chainlit.oauth_providers import get_oauth_provider
 from chainlit.secret import random_secret
 from chainlit.types import (
-    CallActionRequest,
     DeleteFeedbackRequest,
     DeleteThreadRequest,
-    ElementRequest,
     GetThreadsRequest,
     Theme,
     UpdateFeedbackRequest,
-    UpdateThreadRequest,
 )
 from chainlit.user import PersistedUser, User
+from fastapi import (
+    APIRouter,
+    Depends,
+    FastAPI,
+    File,
+    Form,
+    HTTPException,
+    Query,
+    Request,
+    Response,
+    UploadFile,
+    status,
+)
+from fastapi.responses import FileResponse, HTMLResponse, JSONResponse, RedirectResponse
+from fastapi.security import OAuth2PasswordRequestForm
+from fastapi.staticfiles import StaticFiles
+from starlette.datastructures import URL
+from starlette.middleware.cors import CORSMiddleware
+from typing_extensions import Annotated
+from watchfiles import awatch
 
 from ._utils import is_path_inside
 
@@ -216,59 +205,29 @@ app.add_middleware(
 
 router = APIRouter(prefix=PREFIX)
 
+app.mount(
+    f"{PREFIX}/public",
+    StaticFiles(directory="public", check_dir=False),
+    name="public",
+)
 
-@router.get("/public/{filename:path}")
-async def serve_public_file(
-    filename: str,
-):
-    """Serve a file from public dir."""
-
-    base_path = Path(public_dir)
-    file_path = (base_path / filename).resolve()
-
-    if not is_path_inside(file_path, base_path):
-        raise HTTPException(status_code=400, detail="Invalid filename")
-
-    if file_path.is_file():
-        return FileResponse(file_path)
-    else:
-        raise HTTPException(status_code=404, detail="File not found")
-
-
-@router.get("/assets/{filename:path}")
-async def serve_asset_file(
-    filename: str,
-):
-    """Serve a file from assets dir."""
-
-    base_path = Path(os.path.join(build_dir, "assets"))
-    file_path = (base_path / filename).resolve()
-
-    if not is_path_inside(file_path, base_path):
-        raise HTTPException(status_code=400, detail="Invalid filename")
-
-    if file_path.is_file():
-        return FileResponse(file_path)
-    else:
-        raise HTTPException(status_code=404, detail="File not found")
-
-
-@router.get("/copilot/{filename:path}")
-async def serve_copilot_file(
-    filename: str,
-):
-    """Serve a file from assets dir."""
-
-    base_path = Path(copilot_build_dir)
-    file_path = (base_path / filename).resolve()
-
-    if not is_path_inside(file_path, base_path):
-        raise HTTPException(status_code=400, detail="Invalid filename")
+app.mount(
+    f"{PREFIX}/assets",
+    StaticFiles(
+        packages=[("chainlit", os.path.join(build_dir, "assets"))],
+        follow_symlink=config.project.follow_symlink,
+    ),
+    name="assets",
+)
 
-    if file_path.is_file():
-        return FileResponse(file_path)
-    else:
-        raise HTTPException(status_code=404, detail="File not found")
+app.mount(
+    f"{PREFIX}/copilot",
+    StaticFiles(
+        packages=[("chainlit", copilot_build_dir)],
+        follow_symlink=config.project.follow_symlink,
+    ),
+    name="copilot",
+)
 
 
 # -------------------------------------------------------------------------------
@@ -289,7 +248,6 @@ if os.environ.get("SLACK_BOT_TOKEN") and os.environ.get("SLACK_SIGNING_SECRET"):
 
 if os.environ.get("TEAMS_APP_ID") and os.environ.get("TEAMS_APP_PASSWORD"):
     from botbuilder.schema import Activity
-
     from chainlit.teams.app import adapter, bot
 
     @router.post("/teams/events")
@@ -319,16 +277,6 @@ def get_html_template():
     """
     Get HTML template for the index view.
     """
-    ROOT_PATH = os.environ.get("CHAINLIT_ROOT_PATH", "")
-
-    custom_theme = None
-    custom_theme_file_path = Path(public_dir) / "theme.json"
-    if (
-        is_path_inside(custom_theme_file_path, Path(public_dir))
-        and custom_theme_file_path.is_file()
-    ):
-        custom_theme = json.loads(custom_theme_file_path.read_text(encoding="utf-8"))
-
     PLACEHOLDER = "<!-- TAG INJECTION PLACEHOLDER -->"
     JS_PLACEHOLDER = "<!-- JS INJECTION PLACEHOLDER -->"
     CSS_PLACEHOLDER = "<!-- CSS INJECTION PLACEHOLDER -->"
@@ -351,10 +299,7 @@ def get_html_template():
     <meta property="og:url" content="{url}">
     <meta property="og:root_path" content="{ROOT_PATH}">"""
 
-    js = f"""<script>
-{f"window.theme = {json.dumps(custom_theme.get('variables'))};" if custom_theme and custom_theme.get("variables") else "undefined"}
-{f"window.transports = {json.dumps(config.project.transports)};" if config.project.transports else "undefined"}
-</script>"""
+    js = f"""<script>{f"window.theme = {json.dumps(config.ui.theme.to_dict())}; " if config.ui.theme else ""}</script>"""
 
     css = None
     if config.ui.custom_css:
@@ -366,15 +311,12 @@ def get_html_template():
         js += f"""<script src="{config.ui.custom_js}" defer></script>"""
 
     font = None
-    if custom_theme and custom_theme.get("custom_fonts"):
-        font = "\n".join(
-            f"""<link rel="stylesheet" href="{font}">"""
-            for font in custom_theme.get("custom_fonts")
-        )
+    if config.ui.custom_font:
+        font = f"""<link rel="stylesheet" href="{config.ui.custom_font}">"""
 
     index_html_file_path = os.path.join(build_dir, "index.html")
 
-    with open(index_html_file_path, encoding="utf-8") as f:
+    with open(index_html_file_path, "r", encoding="utf-8") as f:
         content = f.read()
         content = content.replace(PLACEHOLDER, tags)
         if js:
@@ -419,132 +361,46 @@ async def auth(request: Request):
     return get_configuration()
 
 
-def _get_response_dict(access_token: str) -> dict:
-    """Get the response dictionary for the auth response."""
-
-    return {"success": True}
-
-
-def _get_auth_response(access_token: str, redirect_to_callback: bool) -> Response:
-    """Get the redirect params for the OAuth callback."""
-
-    response_dict = _get_response_dict(access_token)
-
-    if redirect_to_callback:
-        root_path = os.environ.get("CHAINLIT_ROOT_PATH", "")
-        redirect_url = (
-            f"{root_path}/login/callback?{urllib.parse.urlencode(response_dict)}"
-        )
-
-        return RedirectResponse(
-            # FIXME: redirect to the right frontend base url to improve the dev environment
-            url=redirect_url,
-            status_code=302,
+@router.post("/login")
+async def login(form_data: OAuth2PasswordRequestForm = Depends()):
+    """
+    Login a user using the password auth callback.
+    """
+    if not config.code.password_auth_callback:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST, detail="No auth_callback defined"
         )
 
-    return JSONResponse(response_dict)
-
-
-def _get_oauth_redirect_error(error: str) -> Response:
-    """Get the redirect response for an OAuth error."""
-    params = urllib.parse.urlencode(
-        {
-            "error": error,
-        }
-    )
-    response = RedirectResponse(
-        # FIXME: redirect to the right frontend base url to improve the dev environment
-        url=f"/login?{params}",  # Shouldn't there be {root_path} here?
+    user = await config.code.password_auth_callback(
+        form_data.username, form_data.password
     )
-    return response
-
-
-async def _authenticate_user(
-    user: Optional[User], redirect_to_callback: bool = False
-) -> Response:
-    """Authenticate a user and return the response."""
 
     if not user:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="credentialssignin",
         )
-
-    # If a data layer is defined, attempt to persist user.
+    access_token = create_jwt(user)
     if data_layer := get_data_layer():
         try:
             await data_layer.create_user(user)
         except Exception as e:
-            # Catch and log exceptions during user creation.
-            # TODO: Make this catch only specific errors and allow others to propagate.
             logger.error(f"Error creating user: {e}")
 
-    access_token = create_jwt(user)
-
-    response = _get_auth_response(access_token, redirect_to_callback)
-
-    set_auth_cookie(response, access_token)
-
-    return response
-
-
-@router.post("/login")
-async def login(response: Response, form_data: OAuth2PasswordRequestForm = Depends()):
-    """
-    Login a user using the password auth callback.
-    """
-    if not config.code.password_auth_callback:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST, detail="No auth_callback defined"
-        )
-
-    user = await config.code.password_auth_callback(
-        form_data.username, form_data.password
-    )
-
-    return await _authenticate_user(user)
+    return {
+        "access_token": access_token,
+        "token_type": "bearer",
+    }
 
 
 @router.post("/logout")
 async def logout(request: Request, response: Response):
     """Logout the user by calling the on_logout callback."""
-    clear_auth_cookie(response)
-
     if config.code.on_logout:
         return await config.code.on_logout(request, response)
-
     return {"success": True}
 
 
-@router.post("/auth/jwt")
-async def jwt_auth(request: Request):
-    """Login a user using a valid jwt."""
-    from jwt import InvalidTokenError
-
-    auth_header: Optional[str] = request.headers.get("Authorization")
-    if not auth_header:
-        raise HTTPException(status_code=401, detail="Authorization header missing")
-
-    # Check if it starts with "Bearer "
-    try:
-        scheme, token = auth_header.split()
-        if scheme.lower() != "bearer":
-            raise HTTPException(
-                status_code=401,
-                detail="Invalid authentication scheme. Please use Bearer",
-            )
-    except ValueError:
-        raise HTTPException(
-            status_code=401, detail="Invalid authorization header format"
-        )
-
-    try:
-        user = decode_jwt(token)
-        return await _authenticate_user(user)
-    except InvalidTokenError:
-        raise HTTPException(status_code=401, detail="Invalid token")
-
-
 @router.post("/auth/header")
 async def header_auth(request: Request):
     """Login a user using the header_auth_callback."""
@@ -556,7 +412,23 @@ async def header_auth(request: Request):
 
     user = await config.code.header_auth_callback(request.headers)
 
-    return await _authenticate_user(user)
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Unauthorized",
+        )
+
+    access_token = create_jwt(user)
+    if data_layer := get_data_layer():
+        try:
+            await data_layer.create_user(user)
+        except Exception as e:
+            logger.error(f"Error creating user: {e}")
+
+    return {
+        "access_token": access_token,
+        "token_type": "bearer",
+    }
 
 
 @router.get("/auth/oauth/{provider_id}")
@@ -588,9 +460,16 @@ async def oauth_login(provider_id: str, request: Request):
     response = RedirectResponse(
         url=f"{provider.authorize_url}?{params}",
     )
-
-    set_oauth_state_cookie(response, random)
-
+    samesite: Any = os.environ.get("CHAINLIT_COOKIE_SAMESITE", "lax")
+    secure = samesite.lower() == "none"
+    response.set_cookie(
+        "oauth_state",
+        random,
+        httponly=True,
+        samesite=samesite,
+        secure=secure,
+        max_age=3 * 60,
+    )
     return response
 
 
@@ -618,7 +497,16 @@ async def oauth_callback(
         )
 
     if error:
-        return _get_oauth_redirect_error(error)
+        params = urllib.parse.urlencode(
+            {
+                "error": error,
+            }
+        )
+        response = RedirectResponse(
+            # FIXME: redirect to the right frontend base url to improve the dev environment
+            url=f"/login?{params}",
+        )
+        return response
 
     if not code or not state:
         raise HTTPException(
@@ -626,11 +514,9 @@ async def oauth_callback(
             detail="Missing code or state",
         )
 
-    try:
-        validate_oauth_state_cookie(request, state)
-    except Exception as e:
-        logger.exception("Unable to validate oauth state: %1", e)
-
+    # Check the state from the oauth provider against the browser cookie
+    oauth_state = request.cookies.get("oauth_state")
+    if oauth_state != state:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="Unauthorized",
@@ -645,10 +531,34 @@ async def oauth_callback(
         provider_id, token, raw_user_data, default_user
     )
 
-    response = await _authenticate_user(user, redirect_to_callback=True)
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Unauthorized",
+        )
 
-    clear_oauth_state_cookie(response)
+    access_token = create_jwt(user)
 
+    if data_layer := get_data_layer():
+        try:
+            await data_layer.create_user(user)
+        except Exception as e:
+            logger.error(f"Error creating user: {e}")
+
+    params = urllib.parse.urlencode(
+        {
+            "access_token": access_token,
+            "token_type": "bearer",
+        }
+    )
+
+    root_path = os.environ.get("CHAINLIT_ROOT_PATH", "")
+
+    response = RedirectResponse(
+        # FIXME: redirect to the right frontend base url to improve the dev environment
+        url=f"{root_path}/login/callback?{params}",
+    )
+    response.delete_cookie("oauth_state")
     return response
 
 
@@ -677,7 +587,16 @@ async def oauth_azure_hf_callback(
         )
 
     if error:
-        return _get_oauth_redirect_error(error)
+        params = urllib.parse.urlencode(
+            {
+                "error": error,
+            }
+        )
+        response = RedirectResponse(
+            # FIXME: redirect to the right frontend base url to improve the dev environment
+            url=f"/login?{params}",
+        )
+        return response
 
     if not code:
         raise HTTPException(
@@ -694,20 +613,36 @@ async def oauth_azure_hf_callback(
         provider_id, token, raw_user_data, default_user, id_token
     )
 
-    response = await _authenticate_user(user, redirect_to_callback=True)
-
-    clear_oauth_state_cookie(response)
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Unauthorized",
+        )
 
-    return response
+    access_token = create_jwt(user)
 
+    if data_layer := get_data_layer():
+        try:
+            await data_layer.create_user(user)
+        except Exception as e:
+            logger.error(f"Error creating user: {e}")
 
-GenericUser = Union[User, PersistedUser, None]
-UserParam = Annotated[GenericUser, Depends(get_current_user)]
+    params = urllib.parse.urlencode(
+        {
+            "access_token": access_token,
+            "token_type": "bearer",
+        }
+    )
 
+    root_path = os.environ.get("CHAINLIT_ROOT_PATH", "")
 
-@router.get("/user")
-async def get_user(current_user: UserParam) -> GenericUser:
-    return current_user
+    response = RedirectResponse(
+        # FIXME: redirect to the right frontend base url to improve the dev environment
+        url=f"{root_path}/login/callback?{params}",
+        status_code=302,
+    )
+    response.delete_cookie("oauth_state")
+    return response
 
 
 _language_pattern = (
@@ -735,7 +670,7 @@ async def project_translations(
 
 @router.get("/project/settings")
 async def project_settings(
-    current_user: UserParam,
+    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
     language: str = Query(
         default="en-US", description="Language code", pattern=_language_pattern
     ),
@@ -786,7 +721,7 @@ async def project_settings(
 async def update_feedback(
     request: Request,
     update: UpdateFeedbackRequest,
-    current_user: UserParam,
+    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
 ):
     """Update the human feedback for a particular message."""
     data_layer = get_data_layer()
@@ -805,7 +740,7 @@ async def update_feedback(
 async def delete_feedback(
     request: Request,
     payload: DeleteFeedbackRequest,
-    current_user: UserParam,
+    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
 ):
     """Delete a feedback."""
 
@@ -824,7 +759,7 @@ async def delete_feedback(
 async def get_user_threads(
     request: Request,
     payload: GetThreadsRequest,
-    current_user: UserParam,
+    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
 ):
     """Get the threads page by page."""
 
@@ -833,9 +768,6 @@ async def get_user_threads(
     if not data_layer:
         raise HTTPException(status_code=400, detail="Data persistence is not enabled")
 
-    if not current_user:
-        raise HTTPException(status_code=401, detail="Unauthorized")
-
     if not isinstance(current_user, PersistedUser):
         persisted_user = await data_layer.get_user(identifier=current_user.identifier)
         if not persisted_user:
@@ -852,7 +784,7 @@ async def get_user_threads(
 async def get_thread(
     request: Request,
     thread_id: str,
-    current_user: UserParam,
+    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
 ):
     """Get a specific thread."""
     data_layer = get_data_layer()
@@ -860,9 +792,6 @@ async def get_thread(
     if not data_layer:
         raise HTTPException(status_code=400, detail="Data persistence is not enabled")
 
-    if not current_user:
-        raise HTTPException(status_code=401, detail="Unauthorized")
-
     await is_thread_author(current_user.identifier, thread_id)
 
     res = await data_layer.get_thread(thread_id)
@@ -874,7 +803,7 @@ async def get_thread_element(
     request: Request,
     thread_id: str,
     element_id: str,
-    current_user: UserParam,
+    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
 ):
     """Get a specific thread element."""
     data_layer = get_data_layer()
@@ -882,135 +811,17 @@ async def get_thread_element(
     if not data_layer:
         raise HTTPException(status_code=400, detail="Data persistence is not enabled")
 
-    if not current_user:
-        raise HTTPException(status_code=401, detail="Unauthorized")
-
     await is_thread_author(current_user.identifier, thread_id)
 
     res = await data_layer.get_element(thread_id, element_id)
     return JSONResponse(content=res)
 
 
-@router.put("/project/element")
-async def update_thread_element(
-    payload: ElementRequest,
-    current_user: UserParam,
-):
-    """Update a specific thread element."""
-
-    from chainlit.context import init_ws_context
-    from chainlit.element import CustomElement, ElementDict
-    from chainlit.session import WebsocketSession
-
-    session = WebsocketSession.get_by_id(payload.sessionId)
-    context = init_ws_context(session)
-
-    element_dict = cast(ElementDict, payload.element)
-
-    if element_dict["type"] != "custom":
-        return {"success": False}
-
-    element = CustomElement(
-        id=element_dict["id"],
-        object_key=element_dict["objectKey"],
-        chainlit_key=element_dict["chainlitKey"],
-        url=element_dict["url"],
-        for_id=element_dict.get("forId") or "",
-        thread_id=element_dict.get("threadId") or "",
-        name=element_dict["name"],
-        props=element_dict.get("props") or {},
-        display=element_dict["display"],
-    )
-
-    if current_user:
-        if (
-            not context.session.user
-            or context.session.user.identifier != current_user.identifier
-        ):
-            raise HTTPException(
-                status_code=401,
-                detail="You are not authorized to update elements for this session",
-            )
-
-    await element.send(for_id=element.for_id or "")
-    return {"success": True}
-
-
-@router.delete("/project/element")
-async def delete_thread_element(
-    payload: ElementRequest,
-    current_user: UserParam,
-):
-    """Delete a specific thread element."""
-
-    from chainlit.context import init_ws_context
-    from chainlit.element import CustomElement, ElementDict
-    from chainlit.session import WebsocketSession
-
-    session = WebsocketSession.get_by_id(payload.sessionId)
-    context = init_ws_context(session)
-
-    element_dict = cast(ElementDict, payload.element)
-
-    if element_dict["type"] != "custom":
-        return {"success": False}
-
-    element = CustomElement(
-        id=element_dict["id"],
-        object_key=element_dict["objectKey"],
-        chainlit_key=element_dict["chainlitKey"],
-        url=element_dict["url"],
-        for_id=element_dict.get("forId") or "",
-        thread_id=element_dict.get("threadId") or "",
-        name=element_dict["name"],
-        props=element_dict.get("props") or {},
-        display=element_dict["display"],
-    )
-
-    if current_user:
-        if (
-            not context.session.user
-            or context.session.user.identifier != current_user.identifier
-        ):
-            raise HTTPException(
-                status_code=401,
-                detail="You are not authorized to remove elements for this session",
-            )
-
-    await element.remove()
-
-    return {"success": True}
-
-
-@router.put("/project/thread")
-async def rename_thread(
-    request: Request,
-    payload: UpdateThreadRequest,
-    current_user: UserParam,
-):
-    """Rename a thread."""
-
-    data_layer = get_data_layer()
-
-    if not data_layer:
-        raise HTTPException(status_code=400, detail="Data persistence is not enabled")
-
-    if not current_user:
-        raise HTTPException(status_code=401, detail="Unauthorized")
-
-    thread_id = payload.threadId
-
-    await is_thread_author(current_user.identifier, thread_id)
-
-    await data_layer.update_thread(thread_id, name=payload.name)
-    return JSONResponse(content={"success": True})
-
-
 @router.delete("/project/thread")
 async def delete_thread(
     request: Request,
     payload: DeleteThreadRequest,
-    current_user: UserParam,
+    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
 ):
     """Delete a thread."""
 
@@ -1019,9 +830,6 @@ async def delete_thread(
     if not data_layer:
         raise HTTPException(status_code=400, detail="Data persistence is not enabled")
 
-    if not current_user:
-        raise HTTPException(status_code=401, detail="Unauthorized")
-
     thread_id = payload.threadId
 
     await is_thread_author(current_user.identifier, thread_id)
@@ -1030,47 +838,9 @@ async def delete_thread(
     return JSONResponse(content={"success": True})
 
 
-@router.post("/project/action")
-async def call_action(
-    payload: CallActionRequest,
-    current_user: UserParam,
-):
-    """Run an action."""
-
-    from chainlit.action import Action
-    from chainlit.context import init_ws_context
-    from chainlit.session import WebsocketSession
-
-    session = WebsocketSession.get_by_id(payload.sessionId)
-    context = init_ws_context(session)
-
-    action = Action(**payload.action)
-
-    if current_user:
-        if (
-            not context.session.user
-            or context.session.user.identifier != current_user.identifier
-        ):
-            raise HTTPException(
-                status_code=401,
-                detail="You are not authorized to upload files for this session",
-            )
-
-    callback = config.code.action_callbacks.get(action.name)
-    if callback:
-        await callback(action)
-    else:
-        raise HTTPException(
-            status_code=404,
-            detail=f"No callback found for action {action.name}",
-        )
-
-    return JSONResponse(content={"success": True})
-
-
 @router.post("/project/file")
 async def upload_file(
-    current_user: UserParam,
+    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
     session_id: str,
     file: UploadFile,
 ):
@@ -1100,11 +870,6 @@ async def upload_file(
     assert file.filename, "No filename for uploaded file"
     assert file.content_type, "No content type for uploaded file"
 
-    try:
-        validate_file_upload(file)
-    except ValueError as e:
-        raise HTTPException(status_code=400, detail=str(e))
-
     file_response = await session.persist_file(
         name=file.filename, content=content, mime=file.content_type
     )
@@ -1112,79 +877,14 @@ async def upload_file(
     return JSONResponse(content=file_response)
 
 
-def validate_file_upload(file: UploadFile):
-    """Validate the file upload as configured in config.features.spontaneous_file_upload.
-    Args:
-        file (UploadFile): The file to validate.
-    Raises:
-        ValueError: If the file is not allowed.
-    """
-    if config.features.spontaneous_file_upload is None:
-        """Default for a missing config is to allow the fileupload without any restrictions"""
-        return
-    if config.features.spontaneous_file_upload.enabled is False:
-        raise ValueError("File upload is not enabled")
-
-    validate_file_mime_type(file)
-    validate_file_size(file)
-
-
-def validate_file_mime_type(file: UploadFile):
-    """Validate the file mime type as configured in config.features.spontaneous_file_upload.
-    Args:
-        file (UploadFile): The file to validate.
-    Raises:
-        ValueError: If the file type is not allowed.
-    """
-    accept = config.features.spontaneous_file_upload.accept
-    if accept is None:
-        "Accept is not configured, allowing all file types"
-        return
-
-    assert (
-        isinstance(accept, List) or isinstance(accept, dict)
-    ), "Invalid configuration for spontaneous_file_upload, accept must be a list or a dict"
-
-    if isinstance(accept, List):
-        for pattern in accept:
-            if fnmatch.fnmatch(file.content_type, pattern):
-                return
-    elif isinstance(accept, dict):
-        for pattern, extensions in accept.items():
-            if fnmatch.fnmatch(file.content_type, pattern):
-                if len(extensions) == 0:
-                    return
-                for extension in extensions:
-                    if file.filename is not None and file.filename.endswith(extension):
-                        return
-    raise ValueError("File type not allowed")
-
-
-def validate_file_size(file: UploadFile):
-    """Validate the file size as configured in config.features.spontaneous_file_upload.
-    Args:
-        file (UploadFile): The file to validate.
-    Raises:
-        ValueError: If the file size is too large.
-    """
-    if config.features.spontaneous_file_upload.max_size_mb is None:
-        return
-
-    if (
-        file.size is not None
-        and file.size
-        > config.features.spontaneous_file_upload.max_size_mb * 1024 * 1024
-    ):
-        raise ValueError("File size too large")
-
-
 @router.get("/project/file/{file_id}")
 async def get_file(
     file_id: str,
     session_id: str,
-    current_user: UserParam,
+    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
 ):
     """Get a file from the session files directory."""
+
     from chainlit.session import WebsocketSession
 
     session = WebsocketSession.get_by_id(session_id) if session_id else None
@@ -1212,7 +912,7 @@ async def get_file(
 @router.get("/files/{filename:path}")
 async def serve_file(
     filename: str,
-    current_user: UserParam,
+    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
 ):
     """Serve a file from the local filesystem."""