PyPI - langflow-base-nightly - Versions diffs - 0.5.0.dev38__py3-none-any.whl → 0.5.1.dev0__py3-none-any.whl - Mend

langflow-base-nightly 0.5.0.dev38py3-none-any.whl → 0.5.1.dev0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (243) hide show

langflow/api/v1/mcp_projects.py CHANGED Viewed

@@ -8,10 +8,11 @@ from datetime import datetime, timezone
 from ipaddress import ip_address
 from pathlib import Path
 from subprocess import CalledProcessError
+from typing import Annotated, Any
 from uuid import UUID
 from anyio import BrokenResourceError
-from fastapi import APIRouter, HTTPException, Request, Response
+from fastapi import APIRouter, Depends, HTTPException, Request, Response
 from fastapi.responses import HTMLResponse
 from mcp import types
 from mcp.server import NotificationOptions, Server
@@ -28,15 +29,122 @@ from langflow.api.v1.mcp_utils import (
     handle_mcp_errors,
     handle_read_resource,
 )
-from langflow.api.v1.schemas import MCPInstallRequest, MCPProjectResponse, MCPProjectUpdateRequest, MCPSettings
+from langflow.api.v1.schemas import (
+    AuthSettings,
+    MCPInstallRequest,
+    MCPProjectResponse,
+    MCPProjectUpdateRequest,
+    MCPSettings,
+)
 from langflow.base.mcp.constants import MAX_MCP_SERVER_NAME_LENGTH
 from langflow.base.mcp.util import sanitize_mcp_name
 from langflow.logging import logger
+from langflow.services.auth.mcp_encryption import decrypt_auth_settings, encrypt_auth_settings
 from langflow.services.database.models import Flow, Folder
+from langflow.services.database.models.api_key.crud import check_key, create_api_key
+from langflow.services.database.models.api_key.model import ApiKeyCreate
+from langflow.services.database.models.user.model import User
 from langflow.services.deps import get_settings_service, session_scope
+from langflow.services.settings.feature_flags import FEATURE_FLAGS
 router = APIRouter(prefix="/mcp/project", tags=["mcp_projects"])
+async def verify_project_auth(
+    project_id: UUID,
+    query_param: str | None = None,
+    header_param: str | None = None,
+) -> User:
+    """Custom authentication for MCP project endpoints when API key is required.
+    This is only used when MCP composer is enabled and project requires API key auth.
+    """
+    async with session_scope() as session:
+        # First, get the project to check its auth settings
+        project = (await session.exec(select(Folder).where(Folder.id == project_id))).first()
+        if not project:
+            raise HTTPException(status_code=404, detail="Project not found")
+        # For MCP composer enabled, only use API key
+        api_key = query_param or header_param
+        if not api_key:
+            raise HTTPException(
+                status_code=401,
+                detail="API key required for this project. Provide x-api-key header or query parameter.",
+            )
+        # Validate the API key
+        user = await check_key(session, api_key)
+        if not user:
+            raise HTTPException(status_code=401, detail="Invalid API key")
+        # Verify user has access to the project
+        project_access = (
+            await session.exec(select(Folder).where(Folder.id == project_id, Folder.user_id == user.id))
+        ).first()
+        if not project_access:
+            raise HTTPException(status_code=403, detail="Access denied to this project")
+        return user
+# Smart authentication dependency that chooses method based on project settings
+async def verify_project_auth_conditional(
+    project_id: UUID,
+    request: Request,
+) -> User:
+    """Choose authentication method based on project settings.
+    - MCP Composer enabled + API key auth: Only allow API keys
+    - All other cases: Use standard MCP auth (JWT + API keys)
+    """
+    async with session_scope() as session:
+        # Get project to check auth settings
+        project = (await session.exec(select(Folder).where(Folder.id == project_id))).first()
+        if not project:
+            raise HTTPException(status_code=404, detail="Project not found")
+        # Check if this project requires API key only authentication
+        if FEATURE_FLAGS.mcp_composer and project.auth_settings:
+            auth_settings = AuthSettings(**project.auth_settings)
+            if auth_settings.auth_type == "apikey":
+                # For MCP composer projects with API key auth, use custom API key validation
+                api_key_header_value = request.headers.get("x-api-key")
+                api_key_query_value = request.query_params.get("x-api-key")
+                return await verify_project_auth(project_id, api_key_query_value, api_key_header_value)
+        # For all other cases, use standard MCP authentication (allows JWT + API keys)
+        # Extract token
+        token: str | None = None
+        auth_header = request.headers.get("authorization")
+        if auth_header and auth_header.startswith("Bearer "):
+            token = auth_header[7:]
+        # Extract API keys
+        api_key_query_value = request.query_params.get("x-api-key")
+        api_key_header_value = request.headers.get("x-api-key")
+        # Call the MCP auth function directly
+        from langflow.services.auth.utils import get_current_user_mcp
+        user = await get_current_user_mcp(
+            token=token or "", query_param=api_key_query_value, header_param=api_key_header_value, db=session
+        )
+        # Verify project access
+        project_access = (
+            await session.exec(select(Folder).where(Folder.id == project_id, Folder.user_id == user.id))
+        ).first()
+        if not project_access:
+            raise HTTPException(status_code=404, detail="Project not found")
+        return user
 # Create project-specific context variable
 current_project_ctx: ContextVar[UUID | None] = ContextVar("current_project_ctx", default=None)
@@ -98,7 +206,7 @@ async def list_project_tools(
                 )
                 try:
                     tool = MCPSettings(
-                        id=str(flow.id),
+                        id=flow.id,
                         action_name=name,
                         action_description=description,
                         mcp_enabled=flow.mcp_enabled,
@@ -112,12 +220,14 @@ async def list_project_tools(
                     await logger.awarning(msg)
                     continue
-            # Get project-level auth settings
+            # Get project-level auth settings and decrypt sensitive fields
             auth_settings = None
             if project.auth_settings:
                 from langflow.api.v1.schemas import AuthSettings
-                auth_settings = AuthSettings(**project.auth_settings)
+                # Decrypt sensitive fields before returning
+                decrypted_settings = decrypt_auth_settings(project.auth_settings)
+                auth_settings = AuthSettings(**decrypted_settings) if decrypted_settings else None
     except Exception as e:
         msg = f"Error listing project tools: {e!s}"
@@ -136,18 +246,9 @@ async def im_alive(project_id: str):  # noqa: ARG001
 async def handle_project_sse(
     project_id: UUID,
     request: Request,
-    current_user: CurrentActiveMCPUser,
+    current_user: Annotated[User, Depends(verify_project_auth_conditional)],
 ):
     """Handle SSE connections for a specific project."""
-    # Verify project exists and user has access
-    async with session_scope() as session:
-        project = (
-            await session.exec(select(Folder).where(Folder.id == project_id, Folder.user_id == current_user.id))
-        ).first()
-        if not project:
-            raise HTTPException(status_code=404, detail="Project not found")
     # Get project-specific SSE transport and MCP server
     sse = get_project_sse(project_id)
     project_server = get_project_mcp_server(project_id)
@@ -187,17 +288,12 @@ async def handle_project_sse(
 @router.post("/{project_id}")
-async def handle_project_messages(project_id: UUID, request: Request, current_user: CurrentActiveMCPUser):
+async def handle_project_messages(
+    project_id: UUID,
+    request: Request,
+    current_user: Annotated[User, Depends(verify_project_auth_conditional)],
+):
     """Handle POST messages for a project-specific MCP server."""
-    # Verify project exists and user has access
-    async with session_scope() as session:
-        project = (
-            await session.exec(select(Folder).where(Folder.id == project_id, Folder.user_id == current_user.id))
-        ).first()
-        if not project:
-            raise HTTPException(status_code=404, detail="Project not found")
     # Set context variables
     user_token = current_user_ctx.set(current_user)
     project_token = current_project_ctx.set(project_id)
@@ -214,7 +310,11 @@ async def handle_project_messages(project_id: UUID, request: Request, current_us
 @router.post("/{project_id}/")
-async def handle_project_messages_with_slash(project_id: UUID, request: Request, current_user: CurrentActiveMCPUser):
+async def handle_project_messages_with_slash(
+    project_id: UUID,
+    request: Request,
+    current_user: Annotated[User, Depends(verify_project_auth_conditional)],
+):
     """Handle POST messages for a project-specific MCP server with trailing slash."""
     # Call the original handler
     return await handle_project_messages(project_id, request, current_user)
@@ -241,11 +341,33 @@ async def update_project_mcp_settings(
             if not project:
                 raise HTTPException(status_code=404, detail="Project not found")
-            # Update project-level auth settings
-            if request.auth_settings:
-                project.auth_settings = request.auth_settings.model_dump(mode="json")
-            else:
-                project.auth_settings = None
+            # Update project-level auth settings with encryption
+            if "auth_settings" in request.model_fields_set:
+                if request.auth_settings is None:
+                    # Explicitly set to None - clear auth settings
+                    project.auth_settings = None
+                else:
+                    # Use python mode to get raw values without SecretStr masking
+                    auth_model = request.auth_settings
+                    auth_dict = auth_model.model_dump(mode="python", exclude_none=True)
+                    # Extract actual secret values before encryption
+                    from pydantic import SecretStr
+                    # Handle api_key if it's a SecretStr
+                    api_key_val = getattr(auth_model, "api_key", None)
+                    if isinstance(api_key_val, SecretStr):
+                        auth_dict["api_key"] = api_key_val.get_secret_value()
+                    # Handle oauth_client_secret if it's a SecretStr
+                    client_secret_val = getattr(auth_model, "oauth_client_secret", None)
+                    if isinstance(client_secret_val, SecretStr):
+                        auth_dict["oauth_client_secret"] = client_secret_val.get_secret_value()
+                    # Encrypt and store
+                    encrypted_settings = encrypt_auth_settings(auth_dict)
+                    project.auth_settings = encrypted_settings
             session.add(project)
             # Query flows in the project
@@ -340,6 +462,7 @@ async def install_mcp_config(
     if not is_local_ip(client_ip):
         raise HTTPException(status_code=500, detail="MCP configuration can only be installed from a local connection")
+    removed_servers: list[str] = []  # Track removed servers for reinstallation
     try:
         # Verify project exists and user has access
         async with session_scope() as session:
@@ -350,6 +473,28 @@ async def install_mcp_config(
             if not project:
                 raise HTTPException(status_code=404, detail="Project not found")
+            # Check if project requires API key authentication and generate if needed
+            generated_api_key = None
+            # Determine if we need to generate an API key based on feature flag
+            should_generate_api_key = False
+            if not FEATURE_FLAGS.mcp_composer:
+                # When MCP_COMPOSER is disabled, only generate API key if autologin is disabled
+                # (matches frontend !isAutoLogin check)
+                settings_service = get_settings_service()
+                should_generate_api_key = not settings_service.auth_settings.AUTO_LOGIN
+            elif project.auth_settings:
+                # When MCP_COMPOSER is enabled, only generate if auth_type is "apikey"
+                auth_settings = AuthSettings(**project.auth_settings) if project.auth_settings else AuthSettings()
+                should_generate_api_key = auth_settings.auth_type == "apikey"
+            if should_generate_api_key:
+                # Generate API key with specific name format
+                api_key_name = f"MCP Project {project.name} - {body.client}"
+                api_key_create = ApiKeyCreate(name=api_key_name)
+                unmasked_api_key = await create_api_key(session, api_key_create, current_user.id)
+                generated_api_key = unmasked_api_key.api_key
         # Get settings service to build the SSE URL
         settings_service = get_settings_service()
         host = getattr(settings_service.settings, "host", "localhost")
@@ -380,7 +525,7 @@ async def install_mcp_config(
                         stdout=asyncio.subprocess.PIPE,
                         stderr=asyncio.subprocess.PIPE,
                     )
-                    stdout, stderr = await proc.communicate()
+                    stdout, _ = await proc.communicate()
                     if proc.returncode == 0 and stdout.strip():
                         wsl_ip = stdout.decode().strip().split()[0]  # Get first IP address
@@ -389,8 +534,33 @@ async def install_mcp_config(
                         sse_url = sse_url.replace(f"http://{host}:{port}", f"http://{wsl_ip}:{port}")
                 except OSError as e:
                     await logger.awarning("Failed to get WSL IP address: %s. Using default URL.", str(e))
+        # Base args
+        args = ["mcp-composer"] if FEATURE_FLAGS.mcp_composer else ["mcp-proxy"]
+        # Add authentication args based on MCP_COMPOSER feature flag and auth settings
+        if not FEATURE_FLAGS.mcp_composer:
+            # When MCP_COMPOSER is disabled, only use headers format if API key was generated
+            # (when autologin is disabled)
+            if generated_api_key:
+                args.extend(["--headers", "x-api-key", generated_api_key])
+        elif project.auth_settings:
+            # Decrypt sensitive fields before using them
+            decrypted_settings = decrypt_auth_settings(project.auth_settings)
+            auth_settings = AuthSettings(**decrypted_settings) if decrypted_settings else AuthSettings()
+            args.extend(["--auth_type", auth_settings.auth_type])
+            # When MCP_COMPOSER is enabled, only add headers if auth_type is "apikey"
+            auth_settings = AuthSettings(**project.auth_settings)
+            if auth_settings.auth_type == "apikey" and generated_api_key:
+                args.extend(["--headers", "x-api-key", generated_api_key])
+            # If no auth_settings or auth_type is "none", don't add any auth headers
+        # Add the SSE URL
+        if FEATURE_FLAGS.mcp_composer:
+            args.extend(["--sse-url", sse_url])
         else:
-            args = ["mcp-proxy", sse_url]
+            args.append(sse_url)
         if os_type == "Windows":
             command = "cmd"
@@ -400,7 +570,7 @@ async def install_mcp_config(
         name = project.name
         # Create the MCP configuration
-        server_config = {
+        server_config: dict[str, Any] = {
             "command": command,
             "args": args,
         }
@@ -487,9 +657,18 @@ async def install_mcp_config(
                 # If file exists but is invalid JSON, start fresh
                 existing_config = {"mcpServers": {}}
-        # Merge new config with existing config
+        # Ensure mcpServers section exists
         if "mcpServers" not in existing_config:
             existing_config["mcpServers"] = {}
+        # Remove any existing servers with the same SSE URL (for reinstalling)
+        project_sse_url = await get_project_sse_url(project_id)
+        existing_config, removed_servers = remove_server_by_sse_url(existing_config, project_sse_url)
+        if removed_servers:
+            logger.info("Removed existing MCP servers with same SSE URL for reinstall: %s", removed_servers)
+        # Merge new config with existing config
         existing_config["mcpServers"].update(mcp_config["mcpServers"])
         # Write the updated config
@@ -501,7 +680,13 @@ async def install_mcp_config(
         await logger.aexception(msg)
         raise HTTPException(status_code=500, detail=str(e)) from e
     else:
-        message = f"Successfully installed MCP configuration for {body.client}"
+        action = "reinstalled" if removed_servers else "installed"
+        message = f"Successfully {action} MCP configuration for {body.client}"
+        if removed_servers:
+            message += f" (replaced existing servers: {', '.join(removed_servers)})"
+        if generated_api_key:
+            auth_type = "API key" if FEATURE_FLAGS.mcp_composer else "legacy API key"
+            message += f" with {auth_type} authentication (key name: 'MCP Project {project.name} - {body.client}')"
         await logger.ainfo(message)
         return {"message": message}
@@ -522,12 +707,11 @@ async def check_installed_mcp_servers(
             if not project:
                 raise HTTPException(status_code=404, detail="Project not found")
-        # Project server name pattern (must match the logic in install function)
-        name = project.name
-        project_server_name = f"lf-{sanitize_mcp_name(name)[: (MAX_MCP_SERVER_NAME_LENGTH - 4)]}"
+        # Generate the SSE URL for this project
+        project_sse_url = await get_project_sse_url(project_id)
         await logger.adebug(
-            "Checking for installed MCP servers for project: %s (server name: %s)", project.name, project_server_name
+            "Checking for installed MCP servers for project: %s (SSE URL: %s)", project.name, project_sse_url
         )
         # Check configurations for different clients
@@ -542,13 +726,13 @@ async def check_installed_mcp_servers(
             try:
                 with cursor_config_path.open("r") as f:
                     cursor_config = json.load(f)
-                    if "mcpServers" in cursor_config and project_server_name in cursor_config["mcpServers"]:
-                        await logger.adebug("Found Cursor config for project server: %s", project_server_name)
+                    if config_contains_sse_url(cursor_config, project_sse_url):
+                        await logger.adebug("Found Cursor config with matching SSE URL: %s", project_sse_url)
                         results.append("cursor")
                     else:
                         await logger.adebug(
-                            "Cursor config exists but no entry for server: %s (available servers: %s)",
-                            project_server_name,
+                            "Cursor config exists but no server with SSE URL: %s (available servers: %s)",
+                            project_sse_url,
                             list(cursor_config.get("mcpServers", {}).keys()),
                         )
             except json.JSONDecodeError:
@@ -563,13 +747,13 @@ async def check_installed_mcp_servers(
             try:
                 with windsurf_config_path.open("r") as f:
                     windsurf_config = json.load(f)
-                    if "mcpServers" in windsurf_config and project_server_name in windsurf_config["mcpServers"]:
-                        await logger.adebug("Found Windsurf config for project server: %s", project_server_name)
+                    if config_contains_sse_url(windsurf_config, project_sse_url):
+                        await logger.adebug("Found Windsurf config with matching SSE URL: %s", project_sse_url)
                         results.append("windsurf")
                     else:
                         await logger.adebug(
-                            "Windsurf config exists but no entry for server: %s (available servers: %s)",
-                            project_server_name,
+                            "Windsurf config exists but no server with SSE URL: %s (available servers: %s)",
+                            project_sse_url,
                             list(windsurf_config.get("mcpServers", {}).keys()),
                         )
             except json.JSONDecodeError:
@@ -631,13 +815,13 @@ async def check_installed_mcp_servers(
             try:
                 with claude_config_path.open("r") as f:
                     claude_config = json.load(f)
-                    if "mcpServers" in claude_config and project_server_name in claude_config["mcpServers"]:
-                        await logger.adebug("Found Claude config for project server: %s", project_server_name)
+                    if config_contains_sse_url(claude_config, project_sse_url):
+                        await logger.adebug("Found Claude config with matching SSE URL: %s", project_sse_url)
                         results.append("claude")
                     else:
                         await logger.adebug(
-                            "Claude config exists but no entry for server: %s (available servers: %s)",
-                            project_server_name,
+                            "Claude config exists but no server with SSE URL: %s (available servers: %s)",
+                            project_sse_url,
                             list(claude_config.get("mcpServers", {}).keys()),
                         )
             except json.JSONDecodeError:
@@ -652,6 +836,143 @@ async def check_installed_mcp_servers(
     return results
+def config_contains_sse_url(config_data: dict, sse_url: str) -> bool:
+    """Check if any MCP server in the config uses the specified SSE URL."""
+    mcp_servers = config_data.get("mcpServers", {})
+    for server_name, server_config in mcp_servers.items():
+        args = server_config.get("args", [])
+        # The SSE URL is typically the last argument in mcp-proxy configurations
+        if args and args[-1] == sse_url:
+            logger.debug("Found matching SSE URL in server: %s", server_name)
+            return True
+    return False
+async def get_project_sse_url(project_id: UUID) -> str:
+    """Generate the SSE URL for a project, including WSL handling."""
+    # Get settings service to build the SSE URL
+    settings_service = get_settings_service()
+    host = getattr(settings_service.settings, "host", "localhost")
+    port = getattr(settings_service.settings, "port", 3000)
+    base_url = f"http://{host}:{port}".rstrip("/")
+    project_sse_url = f"{base_url}/api/v1/mcp/project/{project_id}/sse"
+    # Handle WSL case - must match the logic in install function
+    os_type = platform.system()
+    is_wsl = os_type == "Linux" and "microsoft" in platform.uname().release.lower()
+    if is_wsl and host in {"localhost", "127.0.0.1"}:
+        try:
+            proc = await create_subprocess_exec(
+                "/usr/bin/hostname",
+                "-I",
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE,
+            )
+            stdout, stderr = await proc.communicate()
+            if proc.returncode == 0 and stdout.strip():
+                wsl_ip = stdout.decode().strip().split()[0]  # Get first IP address
+                logger.debug("Using WSL IP for external access: %s", wsl_ip)
+                # Replace the localhost with the WSL IP in the URL
+                project_sse_url = project_sse_url.replace(f"http://{host}:{port}", f"http://{wsl_ip}:{port}")
+        except OSError as e:
+            logger.warning("Failed to get WSL IP address: %s. Using default URL.", str(e))
+    return project_sse_url
+async def get_config_path(client: str) -> Path:
+    """Get the configuration file path for a given client and operating system."""
+    os_type = platform.system()
+    is_wsl = os_type == "Linux" and "microsoft" in platform.uname().release.lower()
+    if client.lower() == "cursor":
+        return Path.home() / ".cursor" / "mcp.json"
+    if client.lower() == "windsurf":
+        return Path.home() / ".codeium" / "windsurf" / "mcp_config.json"
+    if client.lower() == "claude":
+        if os_type == "Darwin":  # macOS
+            return Path.home() / "Library" / "Application Support" / "Claude" / "claude_desktop_config.json"
+        if os_type == "Windows" or is_wsl:  # Windows or WSL (Claude runs on Windows host)
+            if is_wsl:
+                # In WSL, we need to access the Windows APPDATA directory
+                try:
+                    # First try to get the Windows username
+                    proc = await create_subprocess_exec(
+                        "/mnt/c/Windows/System32/cmd.exe",
+                        "/c",
+                        "echo %USERNAME%",
+                        stdout=asyncio.subprocess.PIPE,
+                        stderr=asyncio.subprocess.PIPE,
+                    )
+                    stdout, stderr = await proc.communicate()
+                    if proc.returncode == 0 and stdout.strip():
+                        windows_username = stdout.decode().strip()
+                        return Path(
+                            f"/mnt/c/Users/{windows_username}/AppData/Roaming/Claude/claude_desktop_config.json"
+                        )
+                    # Fallback: try to find the Windows user directory
+                    users_dir = Path("/mnt/c/Users")
+                    if users_dir.exists():
+                        # Get the first non-system user directory
+                        user_dirs = [
+                            d
+                            for d in users_dir.iterdir()
+                            if d.is_dir() and not d.name.startswith(("Default", "Public", "All Users"))
+                        ]
+                        if user_dirs:
+                            return user_dirs[0] / "AppData" / "Roaming" / "Claude" / "claude_desktop_config.json"
+                    if not Path("/mnt/c").exists():
+                        msg = "Windows C: drive not mounted at /mnt/c in WSL"
+                        raise ValueError(msg)
+                    msg = "Could not find valid Windows user directory in WSL"
+                    raise ValueError(msg)
+                except (OSError, CalledProcessError) as e:
+                    logger.warning("Failed to determine Windows user path in WSL: %s", str(e))
+                    msg = f"Could not determine Windows Claude config path in WSL: {e!s}"
+                    raise ValueError(msg) from e
+            # Regular Windows
+            return Path(os.environ["APPDATA"]) / "Claude" / "claude_desktop_config.json"
+        msg = "Unsupported operating system for Claude configuration"
+        raise ValueError(msg)
+    msg = "Unsupported client"
+    raise ValueError(msg)
+def remove_server_by_sse_url(config_data: dict, sse_url: str) -> tuple[dict, list[str]]:
+    """Remove any MCP servers that use the specified SSE URL from config data.
+    Returns:
+        tuple: (updated_config, list_of_removed_server_names)
+    """
+    if "mcpServers" not in config_data:
+        return config_data, []
+    removed_servers: list[str] = []
+    servers_to_remove: list[str] = []
+    # Find servers to remove
+    for server_name, server_config in config_data["mcpServers"].items():
+        args = server_config.get("args", [])
+        if args and args[-1] == sse_url:
+            servers_to_remove.append(server_name)
+    # Remove the servers
+    for server_name in servers_to_remove:
+        del config_data["mcpServers"][server_name]
+        removed_servers.append(server_name)
+        logger.debug("Removed existing server with matching SSE URL: %s", server_name)
+    return config_data, removed_servers
 # Project-specific MCP server instance for handling project-specific tools
 class ProjectMCPServer:
     def __init__(self, project_id: UUID):

langflow-base-nightly 0.5.0.dev38__py3-none-any.whl → 0.5.1.dev0__py3-none-any.whl

langflow-base-nightly 0.5.0.dev38py3-none-any.whl → 0.5.1.dev0py3-none-any.whl