Fix: disable mcp sse endpoints astra #11006

Merged
HzaRashid merged 5 commits into main from fix/disable-mcp-sse-astra-main
Dec 13, 2025

Collaborator

@HzaRashid HzaRashid commented Dec 12, 2025

Cherry pick #11004.

Disables MCP SSE transport endpoints if Langflow is running in an Astra cloud environment.

Summary by CodeRabbit

  • New Features

    • Added environment-based access controls to MCP endpoints, preventing certain operations in Astra Cloud environments.
  • Bug Fixes

    • Enhanced guardrails to ensure incompatible endpoints are blocked in restricted environments.

Contributor

coderabbitai Bot commented Dec 12, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This change introduces Astra Cloud environment guards across multiple MCP API endpoints. A new raise_error_if_astra_cloud_env function is created, exported from the public API, and applied as FastAPI dependencies to MCP endpoints in both general and project-specific routes. The underlying validation function is also simplified by removing an unnecessary variable assignment.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Guard utility creation and export: src/backend/base/langflow/api/utils/core.py, src/backend/base/langflow/api/utils/__init__.py | Added module-level message constant disable_endpoint_in_astra_cloud_msg and new public function raise_error_if_astra_cloud_env() that wraps raise_error_if_astra_cloud_disable_component. Re-exported from __init__.py to make it available as part of the public API surface. |
| MCP endpoint guards: src/backend/base/langflow/api/v1/mcp.py, src/backend/base/langflow/api/v1/mcp_projects.py | Added raise_error_if_astra_cloud_env as a FastAPI Depends() injection to three MCP endpoints in each file (HEAD and GET /sse, POST / variants). Updated imports to include Depends from FastAPI and the new guard function. |
| Validation function simplification: src/lfx/src/lfx/utils/validate_cloud.py | Simplified the conditional check in raise_error_if_astra_cloud_disable_component by removing the walrus-assigned variable and directly evaluating the environment variable condition. Function signature and behavior unchanged. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

  • Straightforward dependency injection pattern applied consistently across multiple endpoints
  • Verify that dependencies are correctly applied to all three endpoints in each MCP router file
  • Confirm the guard function logic and message constant are appropriate

Possibly related PRs

Suggested labels

bug

Suggested reviewers

  • jordanrfrazier
  • edwinjosechittilappilly
  • HimavarshaVS

Pre-merge checks and finishing touches

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 4 warnings)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Test Coverage For New Implementations | ❌ Error | Pull request adds critical security functionality disabling MCP SSE endpoints in Astra Cloud environments but lacks corresponding test coverage following established codebase patterns. | Add tests using patch.dict(os.environ, {"ASTRA_CLOUD_DISABLE_COMPONENT": "true"}) to verify protected endpoints reject requests, plus complementary tests with disable flag false and unit tests for raise_error_if_astra_cloud_env() function. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
| Test Quality And Coverage | ⚠️ Warning | Pull request introduces new functionality across multiple files without corresponding test cases for critical cloud environment guard features and FastAPI endpoint modifications. | Add comprehensive tests including unit tests for raise_error_if_astra_cloud_env(), FastAPI integration tests for six modified endpoints, HTTP response code validation, and tests for enabled/disabled scenarios. |
| Test File Naming And Structure | ⚠️ Warning | The pull request introduces environment-gated access control to three critical MCP SSE endpoints via raise_error_if_astra_cloud_env() as a FastAPI dependency, but no test files have been added to validate this functionality. | Add parametrized test cases verifying each modified endpoint returns appropriate error responses when ASTRA_CLOUD_DISABLE_COMPONENT=true and functions normally otherwise, following existing repository test patterns. |
| Excessive Mock Usage Warning | ⚠️ Warning | Test files demonstrate excessive mock usage (27 and 56 mocks) with autouse fixtures mocking internal dependencies rather than testing real behavior. | Refactor tests to minimize mocking of internal helpers; create integration tests verifying actual MCP endpoint behavior with minimal mocking, particularly for the new Astra cloud environment check dependency. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Fix: disable mcp sse endpoints astra' clearly and concisely describes the main change: disabling MCP SSE endpoints in Astra cloud environments, matching the PR's core objective. |


codecov Bot commented Dec 12, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 33.09%. Comparing base (07a01ad) to head (3eaff84).
⚠️ Report is 1 commits behind head on main.

❌ Your project status has failed because the head coverage (39.27%) is below the target coverage (60.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11006      +/-   ##
==========================================
+ Coverage   33.08%   33.09%   +0.01%     
==========================================
  Files        1389     1389              
  Lines       65643    65646       +3     
  Branches     9707     9707              
==========================================
+ Hits        21715    21723       +8     
+ Misses      42816    42811       -5     
  Partials     1112     1112              

| Flag | Coverage Δ |
|---|---|
| backend | 52.33% <100.00%> (+0.03%) ⬆️ |
| frontend | 15.35% <ø> (ø) |
| lfx | 39.27% <100.00%> (-0.01%) ⬇️ |

| Files with missing lines | Coverage Δ |
|---|---|
| src/backend/base/langflow/api/utils/core.py | 62.22% <100.00%> (+2.94%) ⬆️ |
| src/backend/base/langflow/api/v1/mcp.py | 72.57% <100.00%> (ø) |
| src/backend/base/langflow/api/v1/mcp_projects.py | 41.28% <100.00%> (+0.38%) ⬆️ |
| src/lfx/src/lfx/utils/validate_cloud.py | 100.00% <100.00%> (ø) |

... and 3 files with indirect coverage changes


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/backend/base/langflow/api/v1/mcp_projects.py (1)

419-469: Apply Astra Cloud dependency guard to Streamable HTTP endpoints for consistency.

The SSE transport endpoints are disabled in Astra Cloud environments via raise_error_if_astra_cloud_env dependency, but the Streamable HTTP endpoints at lines 419-469 lack this guard. Since both transports serve identical MCP functionality, the same guard should be applied to both. Add dependencies=[Depends(raise_error_if_astra_cloud_env)] to the @router.head() and @router.api_route() decorators for consistency with the SSE pattern at lines 313-326 and the global Streamable HTTP endpoints.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a54e508 and 77e12c6.

📒 Files selected for processing (5)
  • src/backend/base/langflow/api/utils/__init__.py (2 hunks)
  • src/backend/base/langflow/api/utils/core.py (3 hunks)
  • src/backend/base/langflow/api/v1/mcp.py (3 hunks)
  • src/backend/base/langflow/api/v1/mcp_projects.py (3 hunks)
  • src/lfx/src/lfx/utils/validate_cloud.py (1 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
src/backend/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/backend_development.mdc)

src/backend/**/*.py: Use FastAPI async patterns with await for async operations in component execution methods
Use asyncio.create_task() for background tasks and implement proper cleanup with try/except for asyncio.CancelledError
Use queue.put_nowait() for non-blocking queue operations and asyncio.wait_for() with timeouts for controlled get operations

Files:

  • src/backend/base/langflow/api/utils/__init__.py
  • src/backend/base/langflow/api/v1/mcp_projects.py
  • src/backend/base/langflow/api/utils/core.py
  • src/backend/base/langflow/api/v1/mcp.py
src/backend/base/langflow/api/**/*.py

📄 CodeRabbit inference engine (.cursor/rules/backend_development.mdc)

Backend API endpoints should be organized by version (v1/, v2/) under src/backend/base/langflow/api/ with specific modules for features (chat.py, flows.py, users.py, etc.)

Files:

  • src/backend/base/langflow/api/utils/__init__.py
  • src/backend/base/langflow/api/v1/mcp_projects.py
  • src/backend/base/langflow/api/utils/core.py
  • src/backend/base/langflow/api/v1/mcp.py
🧬 Code graph analysis (4)
src/backend/base/langflow/api/utils/__init__.py (1)
src/backend/base/langflow/api/utils/core.py (1)
  • raise_error_if_astra_cloud_env (423-425)
src/backend/base/langflow/api/v1/mcp_projects.py (2)
src/backend/base/langflow/api/utils/core.py (2)
  • extract_global_variables_from_headers (394-420)
  • raise_error_if_astra_cloud_env (423-425)
src/backend/base/langflow/api/v1/mcp.py (1)
  • im_alive (94-95)
src/backend/base/langflow/api/utils/core.py (1)
src/lfx/src/lfx/utils/validate_cloud.py (1)
  • raise_error_if_astra_cloud_disable_component (10-24)
src/backend/base/langflow/api/v1/mcp.py (1)
src/backend/base/langflow/api/utils/core.py (1)
  • raise_error_if_astra_cloud_env (423-425)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)
  • GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 3
  • GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 2
  • GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 4
  • GitHub Check: Test Docker Images / Test docker images
  • GitHub Check: Run Backend Tests / Integration Tests - Python 3.10
  • GitHub Check: Lint Backend / Run Mypy (3.11)
  • GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 5
  • GitHub Check: Lint Backend / Run Mypy (3.10)
  • GitHub Check: Run Backend Tests / Unit Tests - Python 3.10 - Group 1
  • GitHub Check: Lint Backend / Run Mypy (3.12)
  • GitHub Check: Run Backend Tests / LFX Tests - Python 3.10
  • GitHub Check: Test Starter Templates
  • GitHub Check: Optimize new Python code in this PR
  • GitHub Check: Update Starter Projects
🔇 Additional comments (8)
src/lfx/src/lfx/utils/validate_cloud.py (1)

23-23: LGTM: Cleaner conditional check.

The refactor removes the unnecessary intermediate variable assignment, making the code more concise while maintaining the same behavior.

src/backend/base/langflow/api/utils/__init__.py (1)

36-36: LGTM: Public API export.

The function is correctly re-exported to make it available through the utils module's public interface.

Also applies to: 74-74

src/backend/base/langflow/api/utils/core.py (1)

44-47: LGTM: Clear error message and simple delegation.

The constant provides a clear message, and the function correctly delegates to the validation utility.

Also applies to: 423-425

src/backend/base/langflow/api/v1/mcp_projects.py (2)

34-38: LGTM: Imports correctly updated.

The necessary imports are added to support the new Astra Cloud environment dependency.


312-317: LGTM: SSE endpoints correctly guarded.

The dependency is correctly applied to all SSE transport endpoints (HEAD, GET, and POST routes) to disable them in Astra Cloud environments.

Also applies to: 322-326, 403-404

src/backend/base/langflow/api/v1/mcp.py (3)

5-5: LGTM: Imports correctly updated.

The necessary imports (Depends and raise_error_if_astra_cloud_env) are added to support the FastAPI dependency pattern.

Also applies to: 13-13


88-93: LGTM: SSE endpoints correctly guarded.

The Astra Cloud environment dependency is correctly applied to all SSE transport endpoints using FastAPI's dependencies parameter.

Also applies to: 98-102, 147-147


258-268: Verify: Should Streamable HTTP endpoints also be disabled?

Similar to the project-specific endpoints, the global Streamable HTTP endpoints (/streamable at lines 258-268) are not guarded with the Astra Cloud dependency, while SSE endpoints are.

Confirm that this is intentional and that Streamable HTTP transport should remain available in Astra Cloud environments even when SSE is disabled.

from lfx.graph.graph.base import Graph
from lfx.log.logger import logger
from lfx.services.deps import injectable_session_scope, injectable_session_scope_readonly, session_scope
from lfx.utils.validate_cloud import raise_error_if_astra_cloud_disable_component
Contributor

@coderabbitai coderabbitai Bot Dec 12, 2025

⚠️ Potential issue | 🟠 Major

Verify HTTP error response handling.

The imported raise_error_if_astra_cloud_disable_component raises a ValueError. When used as a FastAPI dependency, uncaught exceptions result in a 500 Internal Server Error response. For a feature availability check in a cloud environment, a more appropriate status code would be 403 Forbidden or 503 Service Unavailable.

Consider wrapping the call in a try-except block to catch ValueError and raise HTTPException with an appropriate status code instead.

 def raise_error_if_astra_cloud_env():
     """Raise an error if we're in an Astra cloud environment."""
-    raise_error_if_astra_cloud_disable_component(disable_endpoint_in_astra_cloud_msg)
+    try:
+        raise_error_if_astra_cloud_disable_component(disable_endpoint_in_astra_cloud_msg)
+    except ValueError as e:
+        from fastapi import HTTPException
+        raise HTTPException(status_code=403, detail=str(e))
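Review bot: In the added except ValueError as e: branch, the from fastapi import HTTPException import sits inside the handler and the re-raise has no explicit cause. Move the import to the module's other fastapi imports and write raise HTTPException(status_code=403, detail=str(e)) from e so the chaining is explicit. The branch also maps every ValueError coming out of raise_error_if_astra_cloud_disable_component to a 403 and returns str(e) to the client, so confirm that function raises ValueError only for the cloud-disable case and only with the fixed message constant.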

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In src/backend/base/langflow/api/utils/core.py around line 14, the dependency
call to raise_error_if_astra_cloud_disable_component currently lets ValueError
bubble up causing a 500; catch ValueError and convert it to a FastAPI
HTTPException with an appropriate status (use status.HTTP_403_FORBIDDEN or
status.HTTP_503_SERVICE_UNAVAILABLE) and a clear detail message. Update the
function to import HTTPException and status from fastapi, wrap the call in
try/except ValueError, and in the except raise
HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=str(err)) (or 503 if
you prefer service-unavailable semantics) so the API returns the correct HTTP
response instead of 500.

Collaborator Author

Note to self: this is good and should be a follow-up task.

Contributor

@HzaRashid, sounds good! Would you like me to create a GitHub issue to track this follow-up task for improving the HTTP error response handling in the MCP endpoints?
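
An added example, not code from this PR or from Langflow: a standard-library stand-in for a framework's per-route dependency handling, showing which status code each guard shape discussed in the thread above yields when ASTRA_CLOUD_DISABLE_COMPONENT is set, tested with patch.dict as the pre-merge check suggests. The dispatcher, the EndpointDisabled class, the message text and the flag parsing are assumptions; the route paths are the ones named in the review.

```python
import os
from unittest.mock import patch

ENV_FLAG = "ASTRA_CLOUD_DISABLE_COMPONENT"  # name quoted in the pre-merge check
MSG = "This endpoint is disabled in Astra cloud."  # constructed message text

class EndpointDisabled(Exception):
    """Hypothetical typed refusal carrying the status the client should see."""
    status = 403

def raise_if_disabled(msg=MSG):
    # Assumed parsing: only "true" (any case, surrounding spaces) enables the guard.
    if os.getenv(ENV_FLAG, "").strip().lower() == "true":
        raise ValueError(msg)

def guard_plain():
    """Shape under review: the ValueError escapes the dependency."""
    raise_if_disabled()

def guard_mapped():
    """Follow-up shape: translate the ValueError into an explicit refusal."""
    try:
        raise_if_disabled()
    except ValueError as exc:
        raise EndpointDisabled(str(exc)) from exc

def dispatch(routes, method, path):
    """Toy dispatcher: run the route's dependencies, then its handler."""
    deps, handler = routes[(method, path)]
    try:
        for dep in deps:
            dep()
        return 200, handler()
    except EndpointDisabled as exc:
        return exc.status, str(exc)
    except Exception:  # anything unmapped reaches the client as a bare 500
        return 500, "Internal Server Error"

def build_routes(guard):
    # Constructed route table: the SSE routes carry the guard, /streamable
    # does not, mirroring the gap the review asks about.
    return {
        ("HEAD", "/sse"): ([guard], lambda: ""),
        ("GET", "/sse"): ([guard], lambda: "event stream"),
        ("POST", "/"): ([guard], lambda: "accepted"),
        ("POST", "/streamable"): ([], lambda: "accepted"),
    }

def probe(guard, flag_value):
    """Status code per route with the flag set to flag_value."""
    routes = build_routes(guard)
    with patch.dict(os.environ, {ENV_FLAG: flag_value}):
        return {f"{m} {p}": dispatch(routes, m, p)[0] for (m, p) in routes}
```

Running probe against a real application's route table, with the flag both set and unset, gives the enabled/disabled coverage the failed pre-merge check asks for.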

@github-actions github-actions Bot added the lgtm This PR has been approved by a maintainer label Dec 12, 2025
Contributor

github-actions Bot commented Dec 12, 2025

Frontend Unit Test Coverage Report

Coverage Summary

| Lines | Statements | Branches | Functions |
|---|---|---|---|
| Coverage: 17% | 16.65% (4686/28138) | 10.02% (2179/21743) | 10.93% (676/6180) |

Unit Test Results

| Tests | Skipped | Failures | Errors | Time |
|---|---|---|---|---|
| 1829 | 0 💤 | 0 ❌ | 0 🔥 | 23.11s ⏱️ |

@HimavarshaVS HimavarshaVS added this pull request to the merge queue Dec 12, 2025
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to a conflict with the base branch Dec 12, 2025
@HzaRashid HzaRashid force-pushed the fix/disable-mcp-sse-astra-main branch from 03dd1c4 to fdb4e55 Compare December 12, 2025 22:35
@HzaRashid HzaRashid enabled auto-merge December 12, 2025 22:36
@HzaRashid HzaRashid force-pushed the fix/disable-mcp-sse-astra-main branch 2 times, most recently from fdb4e55 to 850cdbe Compare December 13, 2025 00:21
@HzaRashid HzaRashid disabled auto-merge December 13, 2025 00:59
@HzaRashid HzaRashid enabled auto-merge December 13, 2025 00:59
@HzaRashid HzaRashid force-pushed the fix/disable-mcp-sse-astra-main branch from 22eba75 to ec16283 Compare December 13, 2025 01:04
@HzaRashid HzaRashid disabled auto-merge December 13, 2025 01:25
@Adam-Aghili Adam-Aghili added this pull request to the merge queue Dec 13, 2025
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Dec 13, 2025
@HzaRashid HzaRashid added this pull request to the merge queue Dec 13, 2025
Merged via the queue into main with commit 7627660 Dec 13, 2025
378 of 390 checks passed
@HzaRashid HzaRashid deleted the fix/disable-mcp-sse-astra-main branch December 13, 2025 02:38

Labels

lgtm This PR has been approved by a maintainer
