langchain-trigger-server 0.1.6__tar.gz → 0.1.7__tar.gz

{langchain_trigger_server-0.1.6 → langchain_trigger_server-0.1.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: langchain-trigger-server
-Version: 0.1.6
+Version: 0.1.7
 Summary: Generic event-driven triggers framework
 Project-URL: Homepage, https://github.com/langchain-ai/open-agent-platform
 Project-URL: Repository, https://github.com/langchain-ai/open-agent-platform
@@ -16,12 +16,14 @@ Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Requires-Python: >=3.9
+Requires-Dist: cryptography>=3.0.0
 Requires-Dist: fastapi>=0.100.0
 Requires-Dist: httpx>=0.24.0
 Requires-Dist: langgraph-sdk>=0.2.6
 Requires-Dist: pydantic>=2.0.0
 Requires-Dist: python-jose[cryptography]>=3.3.0
 Requires-Dist: python-multipart>=0.0.6
+Requires-Dist: supabase>=2.0.0
 Requires-Dist: uvicorn[standard]>=0.20.0
 Provides-Extra: dev
 Requires-Dist: black>=23.0.0; extra == 'dev'

{langchain_trigger_server-0.1.6 → langchain_trigger_server-0.1.7}/langchain_triggers/app.py

@@ -242,6 +242,29 @@ class TriggerServer:
                 if not trigger:
                     raise HTTPException(status_code=400, detail=f"Unknown trigger type: {trigger_id}")
                 
+                # Parse payload into registration model first
+                try:
+                    registration_instance = trigger.registration_model(**payload)
+                except Exception as e:
+                    raise HTTPException(
+                        status_code=400,
+                        detail=f"Invalid payload for trigger: {str(e)}"
+                    )
+                
+                # Check for duplicate registration based on resource data
+                resource_dict = registration_instance.model_dump()
+                existing_registration = await self.database.find_registration_by_resource(
+                    template_id=trigger.id,
+                    resource_data=resource_dict,
+                    user_id=user_id
+                )
+                
+                if existing_registration:
+                    raise HTTPException(
+                        status_code=400,
+                        detail=f"A registration with this configuration already exists for trigger type '{trigger.id}'. Registration ID: {existing_registration.get('id')}"
+                    )
+                
                 # Inject OAuth tokens if needed for registration
                 auth_user = None
                 if trigger.oauth_providers:
@@ -267,19 +290,10 @@ class TriggerServer:
                         raise HTTPException(status_code=500, detail="OAuth authentication failed")
                 
                 
-                # Parse payload into registration model first
-                try:
-                    registration_instance = trigger.registration_model(**payload)
-                except Exception as e:
-                    raise HTTPException(
-                        status_code=400,
-                        detail=f"Invalid payload for trigger: {str(e)}"
-                    )
-                
                 # Call the trigger's registration handler with parsed registration model
                 result = await trigger.registration_handler(registration_instance, auth_user)
-
                 resource_dict = registration_instance.model_dump()
+
                 registration = await self.database.create_trigger_registration(
                     user_id=user_id,
                     template_id=trigger.id,
@@ -423,6 +437,24 @@ class TriggerServer:
     ) -> Dict[str, Any]:
         """Handle an incoming request with a handler function."""
         try:
+            # Step 1: API Key Authentication (required for webhooks)
+            api_key = request.headers.get("x-api-key")
+            if not api_key:
+                logger.warning("Webhook request missing x-api-key header")
+                raise HTTPException(
+                    status_code=401,
+                    detail="Missing x-api-key header"
+                )
+            
+            # Validate API key and get user_id
+            user_id = await self.database.validate_api_key(api_key)
+            if not user_id:
+                logger.warning("Invalid API key provided to webhook")
+                raise HTTPException(
+                    status_code=401,
+                    detail="Invalid API key"
+                )
+            
             # Parse request data
             if request.method == "POST":
                 if request.headers.get("content-type", "").startswith("application/json"):
@@ -434,7 +466,7 @@ class TriggerServer:
             else:
                 payload = dict(request.query_params)
             
-            # Step 1: Registration resolution
+            # Step 2: Registration resolution
             if not trigger.registration_resolver:
                 raise HTTPException(
                     status_code=500,
@@ -444,24 +476,22 @@ class TriggerServer:
             # Extract resource identifiers from webhook payload
             resource_data = await trigger.registration_resolver(payload)
             
-            # Find matching registration
+            # Find matching registration for the authenticated user
             # Convert Pydantic model to dict for database lookup
             resource_dict = resource_data.model_dump()
             registration = await self.database.find_registration_by_resource(
                 trigger.id, 
-                resource_dict
+                resource_dict,
+                user_id
             )
 
             if not registration:
-                logger.warning(f"No registration found for trigger_id={trigger.id} with resource={resource_data}, returning 400")
+                logger.warning(f"No registration found for user {user_id}, trigger_id={trigger.id} with resource={resource_data}")
                 raise HTTPException(
                     status_code=400,
                     detail=f"No registration found for {trigger.id} with resource {resource_data}"
                 )
             
-            # Step 2: Get user_id from registration (webhooks don't use API auth)
-            user_id = registration["user_id"]
-            
             # Step 3: Inject OAuth tokens if needed
             auth_user = None
             if trigger.oauth_providers and self.langchain_auth_client:

{langchain_trigger_server-0.1.6 → langchain_trigger_server-0.1.7}/langchain_triggers/database/interface.py

@@ -61,9 +61,10 @@ class TriggerDatabaseInterface(ABC):
     async def find_registration_by_resource(
         self, 
         template_id: str, 
-        resource_data: Dict[str, Any]
+        resource_data: Dict[str, Any],
+        user_id: str
     ) -> Optional[Dict[str, Any]]:
-        """Find trigger registration by matching resource data."""
+        """Find trigger registration by matching resource data for a specific user."""
         pass
     
     @abstractmethod
@@ -127,4 +128,9 @@ class TriggerDatabaseInterface(ABC):
     @abstractmethod
     async def get_user_by_email(self, email: str) -> Optional[str]:
         """Get user ID by email from trigger registrations."""
+        pass
+
+    @abstractmethod
+    async def validate_api_key(self, api_key: str) -> Optional[str]:
+        """Validate API key and return user_id if valid, None if invalid."""
         pass

{langchain_trigger_server-0.1.6 → langchain_trigger_server-0.1.7}/langchain_triggers/database/supabase.py

@@ -4,6 +4,10 @@ import os
 import logging
 from typing import List, Optional, Dict, Any
 from supabase import create_client, Client
+import base64
+import hashlib
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.backends import default_backend
 
 from .interface import TriggerDatabaseInterface
 
@@ -21,8 +25,47 @@ class SupabaseTriggerDatabase(TriggerDatabaseInterface):
             raise ValueError("SUPABASE_URL and SUPABASE_KEY environment variables are required")
         
         self.client = create_client(self.supabase_url, self.supabase_key)
+        
+        # Get encryption key for API key decryption - required
+        self.encryption_key = os.getenv("SECRETS_ENCRYPTION_KEY")
+        if not self.encryption_key:
+            raise ValueError("SECRETS_ENCRYPTION_KEY environment variable is required")
+        
         logger.info("Initialized SupabaseTriggerDatabase")
     
+    def _decrypt_secret(self, encrypted_secret: str) -> str:
+        """Decrypt an encrypted secret using AES-256-GCM to match OAP Node.js implementation."""
+        try:
+            # Decode the base64 encoded encrypted data
+            combined = base64.b64decode(encrypted_secret)
+            
+            # Constants from Node.js implementation
+            IV_LENGTH = 12  # 96 bits
+            TAG_LENGTH = 16  # 128 bits
+            
+            # Minimum length check
+            if len(combined) < IV_LENGTH + TAG_LENGTH + 1:
+                raise ValueError("Invalid encrypted secret format: too short or malformed")
+            
+            # Extract IV, encrypted data, and auth tag
+            iv = combined[:IV_LENGTH]
+            tag = combined[-TAG_LENGTH:]
+            encrypted_data = combined[IV_LENGTH:-TAG_LENGTH]
+            
+            # Derive key using SHA-256 hash (same as Node.js deriveKey function)
+            key = hashlib.sha256(self.encryption_key.encode()).digest()
+            
+            # Create AES-GCM cipher
+            cipher = Cipher(algorithms.AES(key), modes.GCM(iv, tag), backend=default_backend())
+            decryptor = cipher.decryptor()
+            
+            # Decrypt the data
+            decrypted_data = decryptor.update(encrypted_data) + decryptor.finalize()
+            
+            return decrypted_data.decode('utf-8')
+        except Exception as e:
+            logger.error(f"Error decrypting secret: {e}")
+            raise ValueError("Failed to decrypt API key")
     
     # ========== Trigger Templates ==========
     
@@ -182,14 +225,15 @@ class SupabaseTriggerDatabase(TriggerDatabaseInterface):
     async def find_registration_by_resource(
         self, 
         template_id: str, 
-        resource_data: Dict[str, Any]
+        resource_data: Dict[str, Any],
+        user_id: str
     ) -> Optional[Dict[str, Any]]:
-        """Find trigger registration by matching resource data."""
+        """Find trigger registration by matching resource data for a specific user."""
         try:
-            # Build query to match against trigger_registrations with template_id filter
+            # Build query to match against trigger_registrations with template_id and user_id filters
             query = self.client.table("trigger_registrations").select(
                 "*, trigger_templates(id, name, description)"
-            ).eq("trigger_templates.id", template_id)
+            ).eq("trigger_templates.id", template_id).eq("user_id", user_id)
             
             # Add resource field matches
             for field, value in resource_data.items():
@@ -300,4 +344,32 @@ class SupabaseTriggerDatabase(TriggerDatabaseInterface):
             
         except Exception as e:
             logger.error(f"Error getting user by email: {e}")
+            return None
+
+    async def validate_api_key(self, api_key: str) -> Optional[str]:
+        """Validate API key and return user_id if valid, None if invalid."""
+        try:
+            # Query all user API keys to find a match
+            response = self.client.table("user_api_keys").select("user_id, key_hash").execute()
+            
+            if not response.data:
+                return None
+            
+            # Check each encrypted key to see if it matches the provided key
+            for row in response.data:
+                try:
+                    decrypted_key = self._decrypt_secret(row["key_hash"])
+                    if decrypted_key == api_key:
+                        logger.info(f"Valid API key authenticated for user: {row['user_id']}")
+                        return row["user_id"]
+                except Exception as e:
+                    # Skip keys that fail to decrypt
+                    logger.debug(f"Failed to decrypt API key: {e}")
+                    continue
+            
+            logger.warning(f"Invalid API key provided")
+            return None
+            
+        except Exception as e:
+            logger.error(f"Error validating API key: {e}")
             return None

{langchain_trigger_server-0.1.6 → langchain_trigger_server-0.1.7}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "langchain-trigger-server"
-version = "0.1.6"
+version = "0.1.7"
 description = "Generic event-driven triggers framework"
 readme = "README.md"
 requires-python = ">=3.9"
@@ -31,6 +31,8 @@ dependencies = [
     "python-multipart>=0.0.6",
     "python-jose[cryptography]>=3.3.0",
     "langgraph-sdk>=0.2.6",
+    "supabase>=2.0.0",
+    "cryptography>=3.0.0",
 ]
 
 [project.optional-dependencies]