fastworkflow 2.17.6__tar.gz → 2.17.8__tar.gz

{fastworkflow-2.17.6 → fastworkflow-2.17.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: fastworkflow
-Version: 2.17.6
+Version: 2.17.8
 Summary: A framework for rapidly building large-scale, deterministic, interactive workflows with a fault-tolerant, conversational UX
 License: Apache-2.0
 Keywords: fastworkflow,ai,workflow,llm,openai

{fastworkflow-2.17.6 → fastworkflow-2.17.8}/fastworkflow/run_fastapi_mcp/README.md

@@ -47,12 +47,67 @@ Configure in your environment (loaded at process startup via CLI args or env loa
 | Variable | Description | Required | Default |
 |----------|-------------|----------|---------|
 | `SPEEDDICT_FOLDERNAME` | Base folder for workflow contexts and conversation storage | Yes | - |
+| `--expect_encrypted_jwt` | Enable full JWT signature verification (pass flag to require signed tokens) | No | False (no verification by default) |
 
 Notes:
 - Conversation DBs are stored under `SPEEDDICT_FOLDERNAME/user_conversations` (directory is auto-created).
 - `/conversations` now accepts a `limit` query parameter (default `20`).
 - Shutdown waits up to 30 seconds for active turns (hard-coded).
 
+## JWT Verification Modes
+
+### Default Behavior: No Signature Verification
+By default, the service does NOT verify JWT signatures, accepting unsigned tokens for trusted internal networks where JWT is used purely for data transport:
+
+```bash
+uvicorn services.run_fastapi.main:app --workflow_path /path/to/workflow
+```
+
+**Use cases** (no verification):
+- Controlled internal networks with network-level security
+- Systems where JWT carries non-sensitive routing information
+- Trusted environments where data transport is the primary concern
+
+The service logs a warning on startup when running in this mode.
+
+### Secure Mode: Enable Signature Verification
+For production deployments requiring full RSA signature verification:
+
+```bash
+uvicorn services.run_fastapi.main:app --workflow_path /path/to/workflow --expect_encrypted_jwt
+```
+
+**Secure mode** (with `--expect_encrypted_jwt` flag):
+- JWT tokens are cryptographically verified using RSA signatures
+- Tokens without valid signatures are rejected
+- Recommended for production deployments in untrusted environments
+
+### Token Access in Workflow Context
+
+JWT tokens are automatically passed to workflows via the `workflow_context` parameter as `http_bearer_token`. This allows workflows to access the bearer token for making authenticated API calls or forwarding authentication.
+
+**Important notes:**
+- The token is **only available to authenticated endpoints** (those using `get_session_and_ensure_runtime` dependency)
+- The token is stored in the workflow context dictionary under the key `http_bearer_token`
+- Token is **automatically updated** on every authenticated request, ensuring workflows always have the current valid token
+- Token expiration is **automatically verified** by `verify_token()` in both secure mode (`--expect_encrypted_jwt` flag) and trusted network mode
+- In secure mode: Full cryptographic signature verification + expiration checking
+- In trusted network mode: Expiration checking is performed (signature verification disabled)
+- Tokens should be treated as sensitive data and handled securely in workflows
+- The `/initialize` endpoint is unauthenticated and does NOT provide a token to the workflow context; tokens are only available after calling `/initialize` and using the returned token in subsequent requests
+
+**Example usage in workflow:**
+
+```python
+# In workflow code
+workflow_context = self._context  # Gets the workflow_context
+bearer_token = workflow_context.get('http_bearer_token')
+
+# Use token for API calls
+headers = {"Authorization": f"Bearer {bearer_token}"}
+response = requests.get("https://api.example.com/data", headers=headers)
+```
+
 ## API Endpoints (REST)
 
 ### `POST /initialize`

{fastworkflow-2.17.6 → fastworkflow-2.17.8}/fastworkflow/run_fastapi_mcp/__main__.py

@@ -61,6 +61,7 @@ from .jwt_manager import (
     create_access_token,
     create_refresh_token,
     verify_token,
+    set_jwt_verification_mode,
     JWT_ACCESS_TOKEN_EXPIRE_MINUTES
 )
 
@@ -125,7 +126,8 @@ async def get_session_and_ensure_runtime(
         workflow_path=ARGS.workflow_path,
         context=json.loads(ARGS.context) if ARGS.context else None,
         startup_command=ARGS.startup_command,
-        startup_action=fastworkflow.Action(**json.loads(ARGS.startup_action)) if ARGS.startup_action else None
+        startup_action=fastworkflow.Action(**json.loads(ARGS.startup_action)) if ARGS.startup_action else None,
+        http_bearer_token=session.http_bearer_token
     )
     
     return session
@@ -148,6 +150,9 @@ async def lifespan(_app: FastAPI):
         if ARGS.passwords_file_path:
             env_vars.update(dotenv_values(ARGS.passwords_file_path))
         fastworkflow.init(env_vars=env_vars)
+        
+        # Configure JWT verification mode based on CLI parameter
+        set_jwt_verification_mode(ARGS.expect_encrypted_jwt)
 
     async def _active_turn_user_ids() -> list[str]:
         active: list[str] = []
@@ -219,6 +224,8 @@ def load_args():
     parser.add_argument("--project_folderpath", required=False)
     parser.add_argument("--port", type=int, default=8000, help="Port to run the server on (default: 8000)")
     parser.add_argument("--host", default="0.0.0.0", help="Host to bind the server to (default: 0.0.0.0)")
+    parser.add_argument("--expect_encrypted_jwt", action="store_true", default=False,
+                       help="Enable JWT signature verification (default: unsigned tokens accepted for trusted networks)")
     return parser.parse_args()
 
 ARGS = load_args()
@@ -251,13 +258,11 @@ def custom_openapi():
     
     # Enhance the auto-generated Bearer token security scheme with better documentation
     # The HTTPBearer dependency in utils.py creates the base scheme, we just improve it
-    if "components" in openapi_schema and "securitySchemes" in openapi_schema["components"]:
-        if "BearerAuth" in openapi_schema["components"]["securitySchemes"]:
-            # Update the description to be more helpful
-            openapi_schema["components"]["securitySchemes"]["BearerAuth"]["description"] = (
-                "JWT access token from /initialize or /refresh_token endpoint. "
-                "Enter ONLY the token (Swagger UI automatically adds 'Bearer ' prefix)"
-            )
+    if "components" in openapi_schema and "securitySchemes" in openapi_schema["components"] and "BearerAuth" in openapi_schema["components"]["securitySchemes"]:
+        openapi_schema["components"]["securitySchemes"]["BearerAuth"]["description"] = (
+            "JWT access token from /initialize or /refresh_token endpoint. "
+            "Enter ONLY the token (Swagger UI automatically adds 'Bearer ' prefix)"
+        )
     
     # Apply security globally to all endpoints except public ones
     for path, path_item in openapi_schema["paths"].items():
@@ -265,10 +270,8 @@ def custom_openapi():
         if path in ["/initialize", "/refresh_token", "/", "/admin/dump_all_conversations", "/admin/generate_mcp_token"]:
             continue
         for method in path_item:
-            if method in ["get", "post", "put", "delete", "patch"]:
-                # Ensure security is applied (should already be set by HTTPBearer dependency)
-                if "security" not in path_item[method]:
-                    path_item[method]["security"] = [{"BearerAuth": []}]
+            if method in ["get", "post", "put", "delete", "patch"] and "security" not in path_item[method]:
+                path_item[method]["security"] = [{"BearerAuth": []}]
     
     app.openapi_schema = openapi_schema
     return app.openapi_schema

{fastworkflow-2.17.6 → fastworkflow-2.17.8}/fastworkflow/run_fastapi_mcp/jwt_manager.py

@@ -34,6 +34,9 @@ PUBLIC_KEY_PATH = os.path.join(KEYS_DIR, "public_key.pem")
 _private_key: Optional[str] = None
 _public_key: Optional[str] = None
 
+# Flag to control JWT verification behavior (set from CLI)
+EXPECT_ENCRYPTED_JWT = True  # Default to secure mode
+
 
 def ensure_keys_directory() -> None:
     """Create jwt_keys directory if it doesn't exist."""
@@ -129,19 +132,42 @@ def load_or_generate_keys() -> tuple[str, str]:
     return _private_key, _public_key
 
 
+def set_jwt_verification_mode(expect_encrypted: bool) -> None:
+    """
+    Configure JWT verification mode for trusted network scenarios.
+    
+    When expect_encrypted=False, JWT tokens are decoded without signature verification.
+    This mode is ONLY suitable for trusted internal networks where JWT is used for
+    data transport rather than security.
+    
+    WARNING: Disabling signature verification allows any client to forge tokens.
+    Only use in controlled environments.
+    """
+    global EXPECT_ENCRYPTED_JWT
+    EXPECT_ENCRYPTED_JWT = expect_encrypted
+    if not expect_encrypted:
+        logger.warning(
+            "JWT signature verification DISABLED. "
+            "Tokens will be accepted without cryptographic validation. "
+            "Only use in trusted internal networks."
+        )
+
+
 def create_access_token(user_id: str, expires_days: int | None = None) -> str:
     """
     Create a JWT access token for a user.
     
+    Behavior depends on EXPECT_ENCRYPTED_JWT flag:
+    - If True: Creates a signed token using RSA algorithm
+    - If False: Creates an unsigned token for trusted network use
+    
     Args:
         user_id: User identifier
         expires_days: Optional custom expiration in days. If None, uses JWT_ACCESS_TOKEN_EXPIRE_MINUTES (default 60 minutes).
         
     Returns:
-        str: Encoded JWT access token
+        str: Encoded JWT access token (signed or unsigned based on EXPECT_ENCRYPTED_JWT)
     """
-    private_key, _ = load_or_generate_keys()
-    
     now = datetime.now(timezone.utc)
     if expires_days is not None:
         expire = now + timedelta(days=expires_days)
@@ -159,8 +185,17 @@ def create_access_token(user_id: str, expires_days: int | None = None) -> str:
         "aud": JWT_AUDIENCE  # Audience
     }
     
-    token = jwt.encode(payload, private_key, algorithm=JWT_ALGORITHM)
-    logger.debug(f"Created access token for user_id: {user_id}, expires: {expire.isoformat()}")
+    if EXPECT_ENCRYPTED_JWT:
+        # Secure mode: create signed token
+        private_key, _ = load_or_generate_keys()
+        token = jwt.encode(payload, private_key, algorithm=JWT_ALGORITHM)
+        logger.debug(f"Created signed access token for user_id: {user_id}, expires: {expire.isoformat()}")
+    else:
+        # Trusted network mode: create unsigned token using HS256 with empty key
+        # This creates a JWT that can be decoded without verification
+        token = jwt.encode(payload, "", algorithm="HS256")
+        logger.debug(f"Created unsigned access token for user_id: {user_id}, expires: {expire.isoformat()}")
+    
     return token
 
 
@@ -168,14 +203,16 @@ def create_refresh_token(user_id: str) -> str:
     """
     Create a JWT refresh token for a user.
     
+    Behavior depends on EXPECT_ENCRYPTED_JWT flag:
+    - If True: Creates a signed token using RSA algorithm
+    - If False: Creates an unsigned token for trusted network use
+    
     Args:
         user_id: User identifier
         
     Returns:
-        str: Encoded JWT refresh token
+        str: Encoded JWT refresh token (signed or unsigned based on EXPECT_ENCRYPTED_JWT)
     """
-    private_key, _ = load_or_generate_keys()
-    
     now = datetime.now(timezone.utc)
     expire = now + timedelta(days=JWT_REFRESH_TOKEN_EXPIRE_DAYS)
     
@@ -190,15 +227,29 @@ def create_refresh_token(user_id: str) -> str:
         "aud": JWT_AUDIENCE  # Audience
     }
     
-    token = jwt.encode(payload, private_key, algorithm=JWT_ALGORITHM)
-    logger.debug(f"Created refresh token for user_id: {user_id}, expires: {expire.isoformat()}")
+    if EXPECT_ENCRYPTED_JWT:
+        # Secure mode: create signed token
+        private_key, _ = load_or_generate_keys()
+        token = jwt.encode(payload, private_key, algorithm=JWT_ALGORITHM)
+        logger.debug(f"Created signed refresh token for user_id: {user_id}, expires: {expire.isoformat()}")
+    else:
+        # Trusted network mode: create unsigned token using HS256 with empty key
+        # This creates a JWT that can be decoded without verification
+        token = jwt.encode(payload, "", algorithm="HS256")
+        logger.debug(f"Created unsigned refresh token for user_id: {user_id}, expires: {expire.isoformat()}")
+    
     return token
 
 
 def verify_token(token: str, expected_type: str = "access") -> dict:
+    # sourcery skip: extract-duplicate-method
     """
     Verify and decode a JWT token.
     
+    Behavior depends on EXPECT_ENCRYPTED_JWT flag:
+    - If True (default): Full cryptographic verification with signature check
+    - If False: Extract payload without verification (trusted network mode)
+    
     Args:
         token: JWT token string
         expected_type: Expected token type ("access" or "refresh")
@@ -209,8 +260,33 @@ def verify_token(token: str, expected_type: str = "access") -> dict:
     Raises:
         JWTError: If token is invalid, expired, or type mismatch
     """
+    if not EXPECT_ENCRYPTED_JWT:
+        # Trusted network mode: decode without verification (accepts both unsigned and signed tokens)
+        try:
+            # Use unverified decoding - works for any JWT regardless of algorithm or signing
+            payload = jwt.get_unverified_claims(token)
+        except Exception as e:
+            logger.warning(f"Token decoding failed: {e}")
+            raise JWTError(f"Failed to decode token: {e}") from e
+        
+        # Manually check expiration even in unverified mode
+        if exp_timestamp := payload.get("exp"):
+            import time
+            current_time = int(time.time())
+            if exp_timestamp < current_time:
+                logger.warning(f"Token expired: exp={exp_timestamp}, now={current_time}")
+                raise JWTError("Token has expired")
+        
+        # Validate token type for consistency (outside try-except to allow JWTError to propagate)
+        if payload.get("type") != expected_type:
+            raise JWTError(f"Invalid token type: expected {expected_type}, got {payload.get('type')}")
+        
+        logger.debug(f"Token decoded (unverified mode): user_id={payload.get('sub')}, type={expected_type}")
+        return payload
+
+    # Standard mode: full verification (existing code)
     _, public_key = load_or_generate_keys()
-    
+
     try:
         # Decode and verify token
         payload = jwt.decode(
@@ -220,14 +296,14 @@ def verify_token(token: str, expected_type: str = "access") -> dict:
             issuer=JWT_ISSUER,
             audience=JWT_AUDIENCE
         )
-        
+
         # Verify token type
         if payload.get("type") != expected_type:
             raise JWTError(f"Invalid token type: expected {expected_type}, got {payload.get('type')}")
-        
+
         logger.debug(f"Token verified successfully: user_id={payload.get('sub')}, type={expected_type}")
         return payload
-        
+
     except JWTError as e:
         logger.warning(f"Token verification failed: {e}")
         raise
@@ -247,8 +323,7 @@ def get_token_expiry(token: str) -> Optional[datetime]:
     try:
         # Decode without verification (just to inspect claims)
         payload = jwt.get_unverified_claims(token)
-        exp_timestamp = payload.get("exp")
-        if exp_timestamp:
+        if exp_timestamp := payload.get("exp"):
             return datetime.fromtimestamp(exp_timestamp, tz=timezone.utc)
     except Exception as e:
         logger.debug(f"Failed to get token expiry: {e}")

{fastworkflow-2.17.6 → fastworkflow-2.17.8}/fastworkflow/run_fastapi_mcp/utils.py

@@ -42,6 +42,7 @@ class SessionData(BaseModel):
     issued_at: int  # Unix timestamp
     expires_at: int  # Unix timestamp
     jti: str  # JWT ID (unique token identifier)
+    http_bearer_token: Optional[str] = None  # The actual JWT token string for workflow context access
 
 
 class InvokeRequest(BaseModel):
@@ -169,32 +170,33 @@ def get_session_from_jwt(
     """
     # Extract token from credentials (already validated by HTTPBearer)
     token = credentials.credentials
-    
+
     # Verify and decode token
     try:
         payload = verify_token(token, expected_type="access")
-        
-        # Extract session data from payload
+
+        # Extract session data from payload, including the token for workflow context
         return SessionData(
             user_id=payload["sub"],
             token_type=payload["type"],
             issued_at=payload["iat"],
             expires_at=payload["exp"],
-            jti=payload["jti"]
+            jti=payload["jti"],
+            http_bearer_token=token  # Store the actual token for workflow access
         )
-        
+
     except JWTError as e:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail=f"Invalid or expired token: {str(e)}",
-            headers={"WWW-Authenticate": "Bearer"}
-        )
+            headers={"WWW-Authenticate": "Bearer"},
+        ) from e
     except KeyError as e:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail=f"Token missing required claim: {str(e)}",
-            headers={"WWW-Authenticate": "Bearer"}
-        )
+            headers={"WWW-Authenticate": "Bearer"},
+        ) from e
 
 
 async def ensure_user_runtime_exists(
@@ -204,7 +206,8 @@ async def ensure_user_runtime_exists(
     context: Optional[dict] = None,
     startup_command: Optional[str] = None,
     startup_action: Optional['fastworkflow.Action'] = None,
-    stream_format: str = "ndjson"
+    stream_format: str = "ndjson",
+    http_bearer_token: Optional[str] = None
 ) -> None:
     """
     Ensure a user runtime exists in the session manager. If not, create it.
@@ -220,6 +223,7 @@ async def ensure_user_runtime_exists(
         startup_command: Optional startup command
         startup_action: Optional startup action
         stream_format: Stream format preference ("ndjson" or "sse", default "ndjson")
+        http_bearer_token: Optional JWT token to update in workflow context
         
     Raises:
         HTTPException: If session creation fails
@@ -228,8 +232,30 @@ async def ensure_user_runtime_exists(
     existing_runtime = await session_manager.get_session(user_id)
     if existing_runtime:
         logger.debug(f"Session for user_id {user_id} already exists, skipping creation")
+        
+        # Update the workflow's context with the current token if provided
+        if http_bearer_token and existing_runtime.chat_session:
+            active_workflow = existing_runtime.chat_session.get_active_workflow()
+            if active_workflow and active_workflow.context:
+                # Update the workflow's context with the current token
+                # Note: We mutate the dictionary in-place (no setter call), which means:
+                # 1. The change is immediate and visible to workflow code
+                # 2. The workflow is NOT marked dirty (won't persist to disk)
+                # 3. This is intentional for JWT tokens - we don't want to persist sensitive tokens
+                active_workflow.context['http_bearer_token'] = http_bearer_token
+                logger.debug(f"Updated http_bearer_token in workflow context for user_id {user_id}")
+        
         return
     
+    # Prepare workflow context, ensuring http_bearer_token is available
+    if http_bearer_token:
+        if context:
+            # Add or replace http_bearer_token in the context
+            context['http_bearer_token'] = http_bearer_token
+        else:
+            # Initialize context with http_bearer_token
+            context = {'http_bearer_token': http_bearer_token}
+    
     logger.info(f"Creating new session for user_id: {user_id}")
     
     # Resolve conversation store base folder from SPEEDDICT_FOLDERNAME/user_conversations

{fastworkflow-2.17.6 → fastworkflow-2.17.8}/pyproject.toml

@@ -9,7 +9,7 @@ repository = "https://github.com/radiantlogicinc/fastworkflow"
 
 [tool.poetry]
 name = "fastworkflow"
-version = "2.17.6"
+version = "2.17.8"
 description = "A framework for rapidly building large-scale, deterministic, interactive workflows with a fault-tolerant, conversational UX"
 authors = ["Dhar Rawal <drawal@radiantlogic.com>"]
 license = "Apache-2.0"