fastworkflow 2.17.6__tar.gz → 2.17.7__tar.gz

{fastworkflow-2.17.6 → fastworkflow-2.17.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: fastworkflow
-Version: 2.17.6
+Version: 2.17.7
 Summary: A framework for rapidly building large-scale, deterministic, interactive workflows with a fault-tolerant, conversational UX
 License: Apache-2.0
 Keywords: fastworkflow,ai,workflow,llm,openai

{fastworkflow-2.17.6 → fastworkflow-2.17.7}/fastworkflow/run_fastapi_mcp/README.md

@@ -47,12 +47,41 @@ Configure in your environment (loaded at process startup via CLI args or env loa
 | Variable | Description | Required | Default |
 |----------|-------------|----------|---------|
 | `SPEEDDICT_FOLDERNAME` | Base folder for workflow contexts and conversation storage | Yes | - |
+| `--expect_encrypted_jwt` | Enable full JWT signature verification (pass flag to require signed tokens) | No | False (no verification by default) |
 
 Notes:
 - Conversation DBs are stored under `SPEEDDICT_FOLDERNAME/user_conversations` (directory is auto-created).
 - `/conversations` now accepts a `limit` query parameter (default `20`).
 - Shutdown waits up to 30 seconds for active turns (hard-coded).
 
+## JWT Verification Modes
+
+### Default Behavior: No Signature Verification
+By default, the service does NOT verify JWT signatures, accepting unsigned tokens for trusted internal networks where JWT is used purely for data transport:
+
+```bash
+uvicorn services.run_fastapi.main:app --workflow_path /path/to/workflow
+```
+
+**Use cases** (no verification):
+- Controlled internal networks with network-level security
+- Systems where JWT carries non-sensitive routing information
+- Trusted environments where data transport is the primary concern
+
+The service logs a warning on startup when running in this mode.
+
+### Secure Mode: Enable Signature Verification
+For production deployments requiring full RSA signature verification:
+
+```bash
+uvicorn services.run_fastapi.main:app --workflow_path /path/to/workflow --expect_encrypted_jwt
+```
+
+**Secure mode** (with `--expect_encrypted_jwt` flag):
+- JWT tokens are cryptographically verified using RSA signatures
+- Tokens without valid signatures are rejected
+- Recommended for production deployments in untrusted environments
+
 ## API Endpoints (REST)
 
 ### `POST /initialize`

{fastworkflow-2.17.6 → fastworkflow-2.17.7}/fastworkflow/run_fastapi_mcp/__main__.py

@@ -61,6 +61,7 @@ from .jwt_manager import (
     create_access_token,
     create_refresh_token,
     verify_token,
+    set_jwt_verification_mode,
     JWT_ACCESS_TOKEN_EXPIRE_MINUTES
 )
 
@@ -148,6 +149,9 @@ async def lifespan(_app: FastAPI):
         if ARGS.passwords_file_path:
             env_vars.update(dotenv_values(ARGS.passwords_file_path))
         fastworkflow.init(env_vars=env_vars)
+        
+        # Configure JWT verification mode based on CLI parameter
+        set_jwt_verification_mode(ARGS.expect_encrypted_jwt)
 
     async def _active_turn_user_ids() -> list[str]:
         active: list[str] = []
@@ -219,6 +223,8 @@ def load_args():
     parser.add_argument("--project_folderpath", required=False)
     parser.add_argument("--port", type=int, default=8000, help="Port to run the server on (default: 8000)")
     parser.add_argument("--host", default="0.0.0.0", help="Host to bind the server to (default: 0.0.0.0)")
+    parser.add_argument("--expect_encrypted_jwt", action="store_true", default=False,
+                       help="Enable JWT signature verification (default: unsigned tokens accepted for trusted networks)")
     return parser.parse_args()
 
 ARGS = load_args()
@@ -251,13 +257,11 @@ def custom_openapi():
     
     # Enhance the auto-generated Bearer token security scheme with better documentation
     # The HTTPBearer dependency in utils.py creates the base scheme, we just improve it
-    if "components" in openapi_schema and "securitySchemes" in openapi_schema["components"]:
-        if "BearerAuth" in openapi_schema["components"]["securitySchemes"]:
-            # Update the description to be more helpful
-            openapi_schema["components"]["securitySchemes"]["BearerAuth"]["description"] = (
-                "JWT access token from /initialize or /refresh_token endpoint. "
-                "Enter ONLY the token (Swagger UI automatically adds 'Bearer ' prefix)"
-            )
+    if "components" in openapi_schema and "securitySchemes" in openapi_schema["components"] and "BearerAuth" in openapi_schema["components"]["securitySchemes"]:
+        openapi_schema["components"]["securitySchemes"]["BearerAuth"]["description"] = (
+            "JWT access token from /initialize or /refresh_token endpoint. "
+            "Enter ONLY the token (Swagger UI automatically adds 'Bearer ' prefix)"
+        )
     
     # Apply security globally to all endpoints except public ones
     for path, path_item in openapi_schema["paths"].items():
@@ -265,10 +269,8 @@ def custom_openapi():
         if path in ["/initialize", "/refresh_token", "/", "/admin/dump_all_conversations", "/admin/generate_mcp_token"]:
             continue
         for method in path_item:
-            if method in ["get", "post", "put", "delete", "patch"]:
-                # Ensure security is applied (should already be set by HTTPBearer dependency)
-                if "security" not in path_item[method]:
-                    path_item[method]["security"] = [{"BearerAuth": []}]
+            if method in ["get", "post", "put", "delete", "patch"] and "security" not in path_item[method]:
+                path_item[method]["security"] = [{"BearerAuth": []}]
     
     app.openapi_schema = openapi_schema
     return app.openapi_schema

{fastworkflow-2.17.6 → fastworkflow-2.17.7}/fastworkflow/run_fastapi_mcp/jwt_manager.py

@@ -34,6 +34,9 @@ PUBLIC_KEY_PATH = os.path.join(KEYS_DIR, "public_key.pem")
 _private_key: Optional[str] = None
 _public_key: Optional[str] = None
 
+# Flag to control JWT verification behavior (set from CLI)
+EXPECT_ENCRYPTED_JWT = True  # Default to secure mode
+
 
 def ensure_keys_directory() -> None:
     """Create jwt_keys directory if it doesn't exist."""
@@ -129,19 +132,42 @@ def load_or_generate_keys() -> tuple[str, str]:
     return _private_key, _public_key
 
 
+def set_jwt_verification_mode(expect_encrypted: bool) -> None:
+    """
+    Configure JWT verification mode for trusted network scenarios.
+    
+    When expect_encrypted=False, JWT tokens are decoded without signature verification.
+    This mode is ONLY suitable for trusted internal networks where JWT is used for
+    data transport rather than security.
+    
+    WARNING: Disabling signature verification allows any client to forge tokens.
+    Only use in controlled environments.
+    """
+    global EXPECT_ENCRYPTED_JWT
+    EXPECT_ENCRYPTED_JWT = expect_encrypted
+    if not expect_encrypted:
+        logger.warning(
+            "JWT signature verification DISABLED. "
+            "Tokens will be accepted without cryptographic validation. "
+            "Only use in trusted internal networks."
+        )
+
+
 def create_access_token(user_id: str, expires_days: int | None = None) -> str:
     """
     Create a JWT access token for a user.
     
+    Behavior depends on EXPECT_ENCRYPTED_JWT flag:
+    - If True: Creates a signed token using RSA algorithm
+    - If False: Creates an unsigned token for trusted network use
+    
     Args:
         user_id: User identifier
         expires_days: Optional custom expiration in days. If None, uses JWT_ACCESS_TOKEN_EXPIRE_MINUTES (default 60 minutes).
         
     Returns:
-        str: Encoded JWT access token
+        str: Encoded JWT access token (signed or unsigned based on EXPECT_ENCRYPTED_JWT)
     """
-    private_key, _ = load_or_generate_keys()
-    
     now = datetime.now(timezone.utc)
     if expires_days is not None:
         expire = now + timedelta(days=expires_days)
@@ -159,8 +185,17 @@ def create_access_token(user_id: str, expires_days: int | None = None) -> str:
         "aud": JWT_AUDIENCE  # Audience
     }
     
-    token = jwt.encode(payload, private_key, algorithm=JWT_ALGORITHM)
-    logger.debug(f"Created access token for user_id: {user_id}, expires: {expire.isoformat()}")
+    if EXPECT_ENCRYPTED_JWT:
+        # Secure mode: create signed token
+        private_key, _ = load_or_generate_keys()
+        token = jwt.encode(payload, private_key, algorithm=JWT_ALGORITHM)
+        logger.debug(f"Created signed access token for user_id: {user_id}, expires: {expire.isoformat()}")
+    else:
+        # Trusted network mode: create unsigned token using HS256 with empty key
+        # This creates a JWT that can be decoded without verification
+        token = jwt.encode(payload, "", algorithm="HS256")
+        logger.debug(f"Created unsigned access token for user_id: {user_id}, expires: {expire.isoformat()}")
+    
     return token
 
 
@@ -168,14 +203,16 @@ def create_refresh_token(user_id: str) -> str:
     """
     Create a JWT refresh token for a user.
     
+    Behavior depends on EXPECT_ENCRYPTED_JWT flag:
+    - If True: Creates a signed token using RSA algorithm
+    - If False: Creates an unsigned token for trusted network use
+    
     Args:
         user_id: User identifier
         
     Returns:
-        str: Encoded JWT refresh token
+        str: Encoded JWT refresh token (signed or unsigned based on EXPECT_ENCRYPTED_JWT)
     """
-    private_key, _ = load_or_generate_keys()
-    
     now = datetime.now(timezone.utc)
     expire = now + timedelta(days=JWT_REFRESH_TOKEN_EXPIRE_DAYS)
     
@@ -190,15 +227,29 @@ def create_refresh_token(user_id: str) -> str:
         "aud": JWT_AUDIENCE  # Audience
     }
     
-    token = jwt.encode(payload, private_key, algorithm=JWT_ALGORITHM)
-    logger.debug(f"Created refresh token for user_id: {user_id}, expires: {expire.isoformat()}")
+    if EXPECT_ENCRYPTED_JWT:
+        # Secure mode: create signed token
+        private_key, _ = load_or_generate_keys()
+        token = jwt.encode(payload, private_key, algorithm=JWT_ALGORITHM)
+        logger.debug(f"Created signed refresh token for user_id: {user_id}, expires: {expire.isoformat()}")
+    else:
+        # Trusted network mode: create unsigned token using HS256 with empty key
+        # This creates a JWT that can be decoded without verification
+        token = jwt.encode(payload, "", algorithm="HS256")
+        logger.debug(f"Created unsigned refresh token for user_id: {user_id}, expires: {expire.isoformat()}")
+    
     return token
 
 
 def verify_token(token: str, expected_type: str = "access") -> dict:
+    # sourcery skip: extract-duplicate-method
     """
     Verify and decode a JWT token.
     
+    Behavior depends on EXPECT_ENCRYPTED_JWT flag:
+    - If True (default): Full cryptographic verification with signature check
+    - If False: Extract payload without verification (trusted network mode)
+    
     Args:
         token: JWT token string
         expected_type: Expected token type ("access" or "refresh")
@@ -209,8 +260,25 @@ def verify_token(token: str, expected_type: str = "access") -> dict:
     Raises:
         JWTError: If token is invalid, expired, or type mismatch
     """
+    if not EXPECT_ENCRYPTED_JWT:
+        # Trusted network mode: decode without verification (accepts both unsigned and signed tokens)
+        try:
+            # Use unverified decoding - works for any JWT regardless of algorithm or signing
+            payload = jwt.get_unverified_claims(token)
+        except Exception as e:
+            logger.warning(f"Token decoding failed: {e}")
+            raise JWTError(f"Failed to decode token: {e}") from e
+        
+        # Validate token type for consistency (outside try-except to allow JWTError to propagate)
+        if payload.get("type") != expected_type:
+            raise JWTError(f"Invalid token type: expected {expected_type}, got {payload.get('type')}")
+        
+        logger.debug(f"Token decoded (unverified mode): user_id={payload.get('sub')}, type={expected_type}")
+        return payload
+
+    # Standard mode: full verification (existing code)
     _, public_key = load_or_generate_keys()
-    
+
     try:
         # Decode and verify token
         payload = jwt.decode(
@@ -220,14 +288,14 @@ def verify_token(token: str, expected_type: str = "access") -> dict:
             issuer=JWT_ISSUER,
             audience=JWT_AUDIENCE
         )
-        
+
         # Verify token type
         if payload.get("type") != expected_type:
             raise JWTError(f"Invalid token type: expected {expected_type}, got {payload.get('type')}")
-        
+
         logger.debug(f"Token verified successfully: user_id={payload.get('sub')}, type={expected_type}")
         return payload
-        
+
     except JWTError as e:
         logger.warning(f"Token verification failed: {e}")
         raise
@@ -247,8 +315,7 @@ def get_token_expiry(token: str) -> Optional[datetime]:
     try:
         # Decode without verification (just to inspect claims)
         payload = jwt.get_unverified_claims(token)
-        exp_timestamp = payload.get("exp")
-        if exp_timestamp:
+        if exp_timestamp := payload.get("exp"):
             return datetime.fromtimestamp(exp_timestamp, tz=timezone.utc)
     except Exception as e:
         logger.debug(f"Failed to get token expiry: {e}")

{fastworkflow-2.17.6 → fastworkflow-2.17.7}/fastworkflow/run_fastapi_mcp/utils.py

@@ -169,11 +169,11 @@ def get_session_from_jwt(
     """
     # Extract token from credentials (already validated by HTTPBearer)
     token = credentials.credentials
-    
+
     # Verify and decode token
     try:
         payload = verify_token(token, expected_type="access")
-        
+
         # Extract session data from payload
         return SessionData(
             user_id=payload["sub"],
@@ -182,19 +182,19 @@ def get_session_from_jwt(
             expires_at=payload["exp"],
             jti=payload["jti"]
         )
-        
+
     except JWTError as e:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail=f"Invalid or expired token: {str(e)}",
-            headers={"WWW-Authenticate": "Bearer"}
-        )
+            headers={"WWW-Authenticate": "Bearer"},
+        ) from e
     except KeyError as e:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail=f"Token missing required claim: {str(e)}",
-            headers={"WWW-Authenticate": "Bearer"}
-        )
+            headers={"WWW-Authenticate": "Bearer"},
+        ) from e
 
 
 async def ensure_user_runtime_exists(

{fastworkflow-2.17.6 → fastworkflow-2.17.7}/pyproject.toml

@@ -9,7 +9,7 @@ repository = "https://github.com/radiantlogicinc/fastworkflow"
 
 [tool.poetry]
 name = "fastworkflow"
-version = "2.17.6"
+version = "2.17.7"
 description = "A framework for rapidly building large-scale, deterministic, interactive workflows with a fault-tolerant, conversational UX"
 authors = ["Dhar Rawal <drawal@radiantlogic.com>"]
 license = "Apache-2.0"