
fix(auth): Disallow refresh token access to API endpoints#10840

Merged: mpawlow merged 1 commit into main from mp_LFOSS-2917_refresh-token-fix on Dec 3, 2025

Conversation


@mpawlow mpawlow commented Dec 2, 2025

Problem

  • BUG: Able to successfully invoke the new api/v1/run/session API endpoint using a refresh token

    ```bash
    curl --location 'http://9.46.81.78:3000/api/v1/run/session/206831f5-dce8-471d-b4f2-fc54cde4a41a' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Bearer <refresh-token>' \
      --data '{
        "output_type": "chat",
        "input_type": "chat",
        "input_value": "build a house"
      }'
    ```

  • EXPECTED: Should only be able to invoke the new api/v1/run/session API endpoint using an access token

Work Done

  • ✅ Restrict JWT access to all API endpoints to access tokens only
  • ✅ Defined constants for access and refresh token types
  • ⚠️ There are open questions regarding whether the proposed fix will cause any regressions (see PR comments)
  • 🚧 Push this fix to the 1.7.0 branch

Research

[two screenshots, not reproduced]

Summary by CodeRabbit

  • Bug Fixes

    • Enhanced token type validation in authentication to ensure proper token classification and validation during user authentication requests.
  • Chores

    • Updated internal security baseline configuration with refreshed timestamps and line number adjustments.

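The check described in the PR (reject any JWT whose type is not the access type before resolving the current user, returning 401), as an added example that is not Langflow's code: a minimal stdlib HS256 issuer plus a current-user lookup that applies the fix. The claim name `type`, the `AuthError` class, the helper names and the secret are assumptions for illustration; Langflow's own implementation lives in src/backend/base/langflow/services/auth/utils.py and is not reproduced here.

```python
import base64, hashlib, hmac, json, time
from typing import Final

ACCESS_TOKEN_TYPE: Final[str] = "access"
REFRESH_TOKEN_TYPE: Final[str] = "refresh"
SECRET_KEY = b"constructed-demo-secret"  # constructed sample, not a real key

class AuthError(Exception):
    """Stand-in for an HTTP 401 response (assumed helper, not Langflow's)."""
    status_code = 401

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def create_token(sub: str, token_type: str, ttl_seconds: int) -> str:
    """Issue an HS256 JWT; the 'type' claim (assumed name) marks access vs refresh."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "type": token_type, "exp": int(time.time()) + ttl_seconds}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_token(token: str) -> dict:
    """Verify the HMAC before trusting any claim, then check expiry."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise AuthError("Invalid token signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims.get("exp", 0) < time.time():
        raise AuthError("Token expired")
    return claims

def get_current_user_by_jwt(token: str) -> str:
    """The fix: only an ACCESS_TOKEN_TYPE token may authenticate an API call."""
    claims = decode_token(token)
    if claims.get("type") != ACCESS_TOKEN_TYPE:
        raise AuthError("Invalid token type")  # a refresh token is rejected with 401 here
    return claims["sub"]

def authorize(token: str) -> int:
    """HTTP status an API endpoint returns for a bearer token: 200 or 401."""
    try:
        get_current_user_by_jwt(token)
    except AuthError as err:
        return err.status_code
    return 200
```

The type check runs only after the signature is verified, so a refresh token whose payload is edited to claim `"type": "access"` fails on the HMAC rather than being accepted.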

@mpawlow mpawlow self-assigned this Dec 2, 2025
@github-actions github-actions Bot added the community Pull Request from an external contributor label Dec 2, 2025

coderabbitai Bot commented Dec 2, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Token type validation is refactored by introducing two public constants (ACCESS_TOKEN_TYPE and REFRESH_TOKEN_TYPE) to replace hardcoded strings across JWT token handling. JWT-based current-user retrieval now enforces ACCESS_TOKEN_TYPE validation. The secrets baseline file is reorganized and line numbers updated.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Configuration & Baseline: `.secrets.baseline` | Reorganizes secret entry for src/backend/base/langflow/inputs/input_mixin.py, updates line number reference for src/backend/base/langflow/services/auth/utils.py from 28 to 31, and advances generated_at timestamp to 2025-12-02T04:40:43Z. |
| Token Type Constants & Validation: `src/backend/base/langflow/services/auth/utils.py` | Introduces REFRESH_TOKEN_TYPE and ACCESS_TOKEN_TYPE constants (Final[str]). Replaces hardcoded token type strings ("access", "refresh") with constants throughout token creation and validation paths. Enforces ACCESS_TOKEN_TYPE in JWT-based current-user retrieval with 401 response on mismatch. Adds Final import. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Straightforward constant introduction and repetitive string replacements
  • Validation logic addition is minimal and well-scoped
  • Changes follow an established pattern with low semantic complexity

Pre-merge checks and finishing touches

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 2 warnings, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Test Coverage For New Implementations | ❌ Error | The PR introduces security-critical token type validation but contains no test files or test changes to verify the new authorization logic. | Add test cases verifying token type validation, refresh token rejection with 401 status, and access token functionality for API endpoints. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
| Test File Naming And Structure | ⚠️ Warning | Pull request introduces critical security changes to auth token validation but lacks test coverage for the new token type validation logic. | Create test file ./src/backend/tests/unit/services/auth/test_utils.py with tests for token type validation and update existing test in test_security_cors.py. |
| Test Quality And Coverage | ❓ Inconclusive | Unable to access repository test files to assess whether adequate tests exist for the new token type constants and JWT validation logic changes. | Access and review test files to verify coverage for token type validation, access/refresh token differentiation, and JWT validation error paths. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main security fix: enforcing token type validation to prevent refresh tokens from accessing API endpoints. |
| Excessive Mock Usage Warning | ✅ Passed | No test files were modified in this PR, making the excessive mock usage check not applicable. |


@github-actions github-actions Bot added the bug Something isn't working label Dec 2, 2025

github-actions Bot commented Dec 2, 2025

Frontend Unit Test Coverage Report

Coverage Summary

| Lines | Statements | Branches | Functions |
|---|---|---|---|
| Coverage: 15% | 15.43% (4244/27499) | 8.61% (1811/21013) | 9.69% (587/6057) |

Unit Test Results

| Tests | Skipped | Failures | Errors | Time |
|---|---|---|---|---|
| 1671 | 0 💤 | 0 ❌ | 0 🔥 | 21.375s ⏱️ |


codecov Bot commented Dec 2, 2025

Codecov Report

❌ Patch coverage is 71.42857% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 32.55%. Comparing base (17af7fb) to head (2c304bb).
⚠️ Report is 6 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/backend/base/langflow/services/auth/utils.py | 71.42% | 2 Missing ⚠️ |

❌ Your project status has failed because the head coverage (39.99%) is below the target coverage (60.00%). You can increase the head coverage or adjust the target coverage.


@@            Coverage Diff             @@
##             main   #10840      +/-   ##
==========================================
- Coverage   32.82%   32.55%   -0.28%     
==========================================
  Files        1367     1370       +3     
  Lines       64017    63523     -494     
  Branches     9553     9391     -162     
==========================================
- Hits        21014    20677     -337     
+ Misses      41943    41806     -137     
+ Partials     1060     1040      -20     
| Flag | Coverage Δ |
|---|---|
| backend | 51.55% <71.42%> (-0.40%) ⬇️ |
| lfx | 39.99% <ø> (-0.29%) ⬇️ |


| Files with missing lines | Coverage Δ |
|---|---|
| src/backend/base/langflow/services/auth/utils.py | 58.43% <71.42%> (+1.29%) ⬆️ |

... and 34 files with indirect coverage changes


@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Dec 2, 2025
@Adam-Aghili Adam-Aghili added the fix-for-release PR to be merged into a release branch label Dec 2, 2025

mpawlow commented Dec 2, 2025

CC @Ming Luo (in case this change affects Astra)

@mpawlow mpawlow force-pushed the mp_LFOSS-2917_refresh-token-fix branch from 72ac72c to 8435682 on December 3, 2025 16:38
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Dec 3, 2025
Member

@Cristhianzl Cristhianzl left a comment


lgtm

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Dec 3, 2025
@mpawlow mpawlow force-pushed the mp_LFOSS-2917_refresh-token-fix branch from ea332f8 to 2c304bb on December 3, 2025 20:16
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Dec 3, 2025
@mpawlow mpawlow enabled auto-merge December 3, 2025 20:17
@mpawlow mpawlow added this pull request to the merge queue Dec 3, 2025
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Dec 3, 2025
@mpawlow mpawlow added this pull request to the merge queue Dec 3, 2025
Merged via the queue into main with commit bcdfb81 Dec 3, 2025
57 of 58 checks passed
@mpawlow mpawlow deleted the mp_LFOSS-2917_refresh-token-fix branch December 3, 2025 23:03