fix(auth): Disallow refresh token access to API endpoints (release 1.7.0)

[mpawlow]

Related PR

• fix(auth): Disallow refresh token access to API endpoints #10840

Summary by CodeRabbit

• New Features

  • Added enhanced file and document processing with improved parsing capabilities.
  • Improved structured output generation with multiple extraction pathways.

• Improvements

  • Enhanced session management across chat components for better context handling.
  • Upgraded component documentation links and references.
  • Refined data serialization and input validation for robustness.

• Dependencies

  • Updated project dependencies to latest compatible versions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

This PR updates dependencies (cuga and agent-lifecycle-toolkit), adds secrets baseline entries for starter project JSONs, implements a feature-flag guard for an API endpoint, introduces new flow listing helper functions, and extensively updates starter project template files with enhanced ChatInput/ChatOutput logic, session handling, documentation URLs, and version bumps.

Changes

Cohort / File(s)	Summary
Dependency updates pyproject.toml	Updated cuga from ==0.1.10 to ~=0.1.11 and agent-lifecycle-toolkit from ~=0.4.1 to ~=0.4.4
Secrets baseline .secrets.baseline	Added Hex High Entropy String entries for six starter project JSON files (Document Q&A, News Aggregator, Portfolio Website Code Generator, Research Translation Loop, Text Sentiment Analysis, Vector Store RAG)
API feature gating src/backend/base/langflow/api/v1/endpoints.py	Added runtime feature-flag guard to simplified_run_flow_session endpoint; returns HTTP 404 when agentic_experience feature is disabled
Flow helper functions src/backend/base/langflow/helpers/flow.py	Added three new async helpers (list_flows_by_flow_folder, list_flows_by_folder_id, get_flow_by_id_or_name) for querying flows with optional sorting; introduced SORT_DISPATCHER mapping for ASC/DESC operations
Starter project updates (core templates) src/backend/base/langflow/initial_setup/starter_projects/Basic Prompt*.json, Blog Writer.json, Custom Component Generator.json	Updated ChatInput/ChatOutput with session ID fallback logic (self.session_id → graph.session_id → ""), enhanced message response handling, documentation URLs updated to /chat-input-and-output references, FastAPI version bumped to 0.123.0
Starter project updates (document processing) src/backend/base/langflow/initial_setup/starter_projects/Document Q&A.json	Major File component overhaul adding Docling integration with subprocess-based processing, new methods (load_files_dataframe, load_files_markdown, process_files), advanced options (OCR engine, MD placeholders), and updated dependencies (langchain_core, pydantic)
Starter project updates (structured output) src/backend/base/langflow/initial_setup/starter_projects/Financial Report Parser.json, Image Sentiment Analysis.json	Enhanced StructuredOutputComponent with Trustcall-first pathway (fallback to LangChain), new methods (_build_source, _serialize_data, _validate_input, convert_to_string), improved error handling and data extraction
Starter project updates (additional flows) src/backend/base/langflow/initial_setup/starter_projects/Instagram Copywriter.json, Invoice Summarizer.json, Knowledge Ingestion.json, Knowledge Retrieval.json, Meeting Summary.json, Memory Chatbot.json, Price Deal Finder.json, Research Agent.json, Research Translation Loop.json, SEO Keyword Generator.json, SaaS Pricing.json	Consistent updates: session ID handling in ChatInput/ChatOutput, documentation URL standardization, code_hash metadata updates, FastAPI 0.123.0, langchain_cohere dependency bumps, enhanced message response logic and source construction

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Areas requiring extra attention:

• src/backend/base/langflow/helpers/flow.py: New async query functions with SQLAlchemy aliasing and sorting logic; verify error handling for invalid sessions and database edge cases
• Document Q&A.json (File component): Docling subprocess integration is substantial; review IPC/JSON serialization, error propagation from subprocess, path validation, and S3 file handling logic
• Multiple starter project JSONs: Repetitive session ID fallback patterns across 11+ files; verify consistency of session_id derivation (self.session_id → graph.session_id → "") and conditional message storage logic
• StructuredOutputComponent updates: Trustcall-first with LangChain fallback and BaseModel conversion; ensure error handling and output wrapping (Data vs. DataFrame) are robust
• Endpoint feature gating (endpoints.py): Verify the feature flag condition and HTTP 404 response alignment with intended access control

Possibly related PRs

• deps: upgrade altk #10804 — Overlaps on helper function additions to flow.py, .secrets.baseline entries, and starter project JSON modifications; likely part of coordinated feature development
• fix: Clean up some more base templates #8708 — Shares updates to Document Q&A.json and Research Translation Loop.json component logic; related refinements to ChatInput/ChatOutput patterns
• fix: use running event loop to fix asyncio error when calling mcp tools #10806 — Identical helper function additions (list_flows_by_flow_folder, etc.) and .secrets.baseline entries; suggests merged or rebased work

Suggested labels

bug, lgtm

Suggested reviewers

• Adam-Aghili

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch mp_LFOSS-2917_refresh-token-fix_release-1.7.0

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1bb048a and 5b09d60.

⛔ Files ignored due to path filters (2)

• src/frontend/package-lock.json is excluded by !**/package-lock.json
• uv.lock is excluded by !**/*.lock

📒 Files selected for processing (22)

• .secrets.baseline (1 hunks)
• pyproject.toml (1 hunks)
• src/backend/base/langflow/api/v1/endpoints.py (1 hunks)
• src/backend/base/langflow/helpers/flow.py (3 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Basic Prompt Chaining.json (5 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Basic Prompting.json (5 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Blog Writer.json (9 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Custom Component Generator.json (7 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Document Q&A.json (8 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Financial Report Parser.json (9 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Image Sentiment Analysis.json (7 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Instagram Copywriter.json (9 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Invoice Summarizer.json (7 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Knowledge Ingestion.json (5 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Knowledge Retrieval.json (6 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Meeting Summary.json (13 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Memory Chatbot.json (7 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Price Deal Finder.json (7 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Research Agent.json (7 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/Research Translation Loop.json (11 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/SEO Keyword Generator.json (3 hunks)
• src/backend/base/langflow/initial_setup/starter_projects/SaaS Pricing.json (7 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}