⚡️ Speed up function _auth_error_to_http by 18% in PR #10702 (pluggable-auth-service)

.gitignore

@@ -290,3 +290,4 @@ member_servers.json
 # data files used for desktop registration
 data/user
 
+sso-config.yaml

.secrets.baseline

@@ -1353,7 +1353,7 @@
         "filename": "src/backend/tests/unit/test_setup_superuser.py",
         "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
         "is_verified": false,
-        "line_number": 56,
+        "line_number": 60,
         "is_secret": false
       }
     ],

pyproject.toml

@@ -259,6 +259,11 @@ external = ["RUF027"]
 "src/lfx/src/lfx/base/curl/parse.py" = [
     "S105",  # False positive: 'token' variable name, not a password
 ]
+"src/lfx/src/lfx/services/auth/service.py" = [
+    "ARG002",  # No-op impl: unused args required by interface
+    "EM101",  # NotImplementedError messages as literals
+    "TC003",  # Type-only imports used in signatures
+]
 "src/lfx/src/lfx/base/mcp/util.py" = [
     "SLF001",  # MCP library private member access
 ]

src/backend/base/langflow/__main__.py

@@ -32,7 +32,8 @@
 from langflow.cli.progress import create_langflow_progress
 from langflow.initial_setup.setup import get_or_create_default_folder
 from langflow.main import setup_app
-from langflow.services.auth.utils import check_key, get_current_user_by_jwt
+from langflow.services.auth.utils import get_current_user_from_access_token
+from langflow.services.database.models.api_key.crud import check_key
 from langflow.services.deps import get_db_service, get_settings_service, is_settings_service_initialized, session_scope
 from langflow.services.utils import initialize_services
 from langflow.utils.version import fetch_latest_version, get_version_info
@@ -735,7 +736,7 @@ async def _create_superuser(username: str, password: str, auth_token: str | None
                 # Try JWT first
                 user = None
                 try:
-                    user = await get_current_user_by_jwt(auth_token, session)
+                    user = await get_current_user_from_access_token(auth_token, session)
                 except (InvalidTokenError, HTTPException):
                     # Try API key
                     api_key_result = await check_key(session, auth_token)
@@ -756,9 +757,10 @@ async def _create_superuser(username: str, password: str, auth_token: str | None
 
     # Auth complete, create the superuser
     async with session_scope() as session:
-        from langflow.services.auth.utils import create_super_user
+        from langflow.services.deps import get_auth_service
 
-        if await create_super_user(db=session, username=username, password=password):
+        auth = get_auth_service()
+        if await auth.create_super_user(username, password, db=session):
             # Verify that the superuser was created
             from langflow.services.database.models.user.model import User
 

src/backend/base/langflow/api/v1/api_key.py

@@ -67,7 +67,7 @@ async def save_store_api_key(
         api_key = api_key_request.api_key
 
         # Encrypt the API key
-        encrypted = auth_utils.encrypt_api_key(api_key, settings_service=settings_service)
+        encrypted = auth_utils.encrypt_api_key(api_key)
         current_user.store_api_key = encrypted
         db.add(current_user)
         await db.commit()

src/backend/base/langflow/api/v1/endpoints.py

@@ -49,13 +49,12 @@
     api_key_security,
     get_current_active_user,
     get_current_user_for_sse,
-    get_webhook_user,
 )
 from langflow.services.cache.utils import save_uploaded_file
 from langflow.services.database.models.flow.model import Flow, FlowRead
 from langflow.services.database.models.flow.utils import get_all_webhook_components_in_flow
 from langflow.services.database.models.user.model import User, UserRead
-from langflow.services.deps import get_session_service, get_settings_service, get_telemetry_service
+from langflow.services.deps import get_auth_service, get_session_service, get_settings_service, get_telemetry_service
 from langflow.services.event_manager import create_webhook_event_manager, webhook_event_manager
 from langflow.services.telemetry.schema import RunPayload
 from langflow.utils.compression import compress_response
@@ -752,7 +751,7 @@ async def webhook_run_flow(
     error_msg = ""
 
     # Get the appropriate user for webhook execution based on auth settings
-    webhook_user = await get_webhook_user(flow_id_or_name, request)
+    webhook_user = await get_auth_service().get_webhook_user(flow_id_or_name, request)
 
     try:
         data = await request.body()

src/backend/base/langflow/api/v1/login.py

@@ -9,15 +9,9 @@
 from langflow.api.utils import DbSession
 from langflow.api.v1.schemas import Token
 from langflow.initial_setup.setup import get_or_create_default_folder
-from langflow.services.auth.utils import (
-    authenticate_user,
-    create_refresh_token,
-    create_user_longterm_token,
-    create_user_tokens,
-)
 from langflow.services.database.models.user.crud import get_user_by_id
 from langflow.services.database.models.user.model import UserRead
-from langflow.services.deps import get_settings_service, get_variable_service
+from langflow.services.deps import get_auth_service, get_settings_service, get_variable_service
 
 router = APIRouter(tags=["Login"])
 
@@ -38,7 +32,8 @@ async def login_to_get_access_token(
 ):
     auth_settings = get_settings_service().auth_settings
     try:
-        user = await authenticate_user(form_data.username, form_data.password, db)
+        auth = get_auth_service()
+        user = await auth.authenticate_user(form_data.username, form_data.password, db)
     except Exception as exc:
         if isinstance(exc, HTTPException):
             raise
@@ -52,7 +47,7 @@ async def login_to_get_access_token(
         ) from exc
 
     if user:
-        tokens = await create_user_tokens(user_id=user.id, db=db, update_last_login=True)
+        tokens = await auth.create_user_tokens(user_id=user.id, db=db, update_last_login=True)
         response.set_cookie(
             "refresh_token_lf",
             tokens["refresh_token"],
@@ -103,7 +98,8 @@ async def auto_login(response: Response, db: DbSession):
     auth_settings = get_settings_service().auth_settings
 
     if auth_settings.AUTO_LOGIN:
-        user_id, tokens = await create_user_longterm_token(db)
+        auth = get_auth_service()
+        user_id, tokens = await auth.create_user_longterm_token(db)
         response.set_cookie(
             "access_token_lf",
             tokens["access_token"],
@@ -157,7 +153,8 @@ async def refresh_token(
     token = request.cookies.get("refresh_token_lf")
 
     if token:
-        tokens = await create_refresh_token(token, db)
+        auth = get_auth_service()
+        tokens = await auth.create_refresh_token(token, db)
         response.set_cookie(
             "refresh_token_lf",
             tokens["refresh_token"],
@@ -195,7 +192,7 @@ async def get_session(
     It does not raise an error if unauthenticated, allowing the frontend to gracefully
     handle the session state.
     """
-    from langflow.services.auth.utils import get_current_user_by_jwt, oauth2_login
+    from langflow.services.auth.utils import oauth2_login
 
     # Try to get the token from the request (cookie or Authorization header)
     try:
@@ -204,7 +201,7 @@ async def get_session(
             return SessionResponse(authenticated=False)
 
         # Validate the token and get user
-        user = await get_current_user_by_jwt(token, db)
+        user = await get_auth_service().get_current_user_from_access_token(token, db)
         if not user or not user.is_active:
             return SessionResponse(authenticated=False)
 

src/backend/base/langflow/api/v1/mcp.py

@@ -160,7 +160,7 @@ async def handle_messages(request: Request):
 # Streamable HTTP Transport
 ################################################################################
 class StreamableHTTP:
-    def __init__(self):
+    def __init__(self) -> None:
         self.session_manager: StreamableHTTPSessionManager | None = None
         self._started = False
         self._start_stop_lock = asyncio.Lock()

src/backend/base/langflow/api/v1/mcp_projects.py

@@ -62,8 +62,8 @@
     MCPProjectUpdateRequest,
     MCPSettings,
 )
+from langflow.services.auth.constants import AUTO_LOGIN_WARNING
 from langflow.services.auth.mcp_encryption import decrypt_auth_settings, encrypt_auth_settings
-from langflow.services.auth.utils import AUTO_LOGIN_WARNING
 from langflow.services.database.models import Flow, Folder
 from langflow.services.database.models.api_key.crud import check_key, create_api_key
 from langflow.services.database.models.api_key.model import ApiKey, ApiKeyCreate
@@ -135,7 +135,7 @@ async def verify_project_auth(
     # For MCP endpoints, always fall back to username lookup when no API key is provided
     result = await get_user_by_username(db, settings_service.auth_settings.SUPERUSER)
     if result:
-        await logger.awarning(AUTO_LOGIN_WARNING)
+        logger.warning(AUTO_LOGIN_WARNING)
         return result
     raise HTTPException(
         status_code=status.HTTP_403_FORBIDDEN,
@@ -1297,7 +1297,7 @@ class ProjectTaskGroup:
     otherwise Asyncio will raise a RuntimeError.
     """
 
-    def __init__(self):
+    def __init__(self) -> None:
         self._started = False
         self._start_stop_lock = anyio.Lock()
         self._task_group: TaskGroup | None = None

src/backend/base/langflow/api/v1/models.py

@@ -275,7 +275,7 @@ async def _get_disabled_models(session: DbSession, current_user: CurrentActiveUs
         var = await variable_service.get_variable_object(
             user_id=current_user.id, name=DISABLED_MODELS_VAR, session=session
         )
-        if var.value is not None:
+        if var.value:  # This checks for both None and empty string
             try:
                 parsed_value = json.loads(var.value)
                 # Validate it's a list of strings
@@ -306,17 +306,19 @@ async def _get_enabled_models(session: DbSession, current_user: CurrentActiveUse
         var = await variable_service.get_variable_object(
             user_id=current_user.id, name=ENABLED_MODELS_VAR, session=session
         )
-        if var.value is not None:
+        # Strip whitespace and check if value is non-empty
+        if var.value and (value_stripped := var.value.strip()):
             try:
-                parsed_value = json.loads(var.value)
+                parsed_value = json.loads(value_stripped)
                 # Validate it's a list of strings
                 if not isinstance(parsed_value, list):
                     logger.warning("Invalid enabled models format for user %s: not a list", current_user.id)
                     return set()
                 # Ensure all items are strings
                 return {str(item) for item in parsed_value if isinstance(item, str)}
             except (json.JSONDecodeError, TypeError):
-                logger.warning("Failed to parse enabled models for user %s", current_user.id, exc_info=True)
+                # Log at debug level to avoid flooding logs with expected edge cases
+                logger.debug("Failed to parse enabled models for user %s: %s", current_user.id, var.value)
                 return set()
     except ValueError:
         # Variable not found, return empty set

src/backend/base/langflow/api/v1/store.py

@@ -24,7 +24,7 @@ def get_user_store_api_key(user: CurrentActiveUser):
     if not user.store_api_key:
         raise HTTPException(status_code=400, detail="You must have a store API key set.")
     try:
-        return auth_utils.decrypt_api_key(user.store_api_key, get_settings_service())
+        return auth_utils.decrypt_api_key(user.store_api_key)
     except Exception as e:
         raise HTTPException(status_code=500, detail="Failed to decrypt API key. Please set a new one.") from e
 
@@ -33,7 +33,7 @@ def get_optional_user_store_api_key(user: CurrentActiveUser):
     if not user.store_api_key:
         return None
     try:
-        return auth_utils.decrypt_api_key(user.store_api_key, get_settings_service())
+        return auth_utils.decrypt_api_key(user.store_api_key)
     except Exception:  # noqa: BLE001
         logger.exception("Failed to decrypt API key")
         return user.store_api_key

src/backend/base/langflow/api/v1/users.py

@@ -10,14 +10,10 @@
 from langflow.api.utils import CurrentActiveUser, DbSession
 from langflow.api.v1.schemas import UsersResponse
 from langflow.initial_setup.setup import get_or_create_default_folder
-from langflow.services.auth.utils import (
-    get_current_active_superuser,
-    get_password_hash,
-    verify_password,
-)
+from langflow.services.auth.utils import get_current_active_superuser
 from langflow.services.database.models.user.crud import get_user_by_id, update_user
 from langflow.services.database.models.user.model import User, UserCreate, UserRead, UserUpdate
-from langflow.services.deps import get_settings_service
+from langflow.services.deps import get_auth_service, get_settings_service
 
 router = APIRouter(tags=["Users"], prefix="/users")
 
@@ -36,7 +32,7 @@ async def add_user(
 
     new_user = User.model_validate(user, from_attributes=True)
     try:
-        new_user.password = get_password_hash(user.password)
+        new_user.password = get_auth_service().get_password_hash(user.password)
         new_user.is_active = settings_service.auth_settings.NEW_USER_IS_ACTIVE
         session.add(new_user)
         await session.flush()
@@ -96,7 +92,7 @@ async def patch_user(
     if update_password:
         if not user.is_superuser:
             raise HTTPException(status_code=400, detail="You can't change your password here")
-        user_update.password = get_password_hash(user_update.password)
+        user_update.password = get_auth_service().get_password_hash(user_update.password)
 
     if user_db := await get_user_by_id(session, user_id):
         if not update_password:
@@ -114,15 +110,19 @@ async def reset_password(
 ) -> User:
     """Reset a user's password."""
     if user_id != user.id:
-        raise HTTPException(status_code=400, detail="You can't change another user's password")
+        raise HTTPException(status_code=404, detail="You can't change another user's password")
 
     if not user:
         raise HTTPException(status_code=404, detail="User not found")
 
-    if verify_password(user_update.password, user.password):
+    if user_update.password is None:
+        raise HTTPException(status_code=400, detail="Password is required for password reset")
+
+    auth = get_auth_service()
+    if auth.verify_password(user_update.password, user.password):
         raise HTTPException(status_code=400, detail="You can't use your current password")
 
-    new_password = get_password_hash(user_update.password)
+    new_password = auth.get_password_hash(user_update.password)
     user.password = new_password
 
     await session.flush()

src/backend/base/langflow/api/v2/mcp.py

@@ -3,7 +3,7 @@
 from io import BytesIO
 from typing import Annotated
 
-from fastapi import APIRouter, Depends, HTTPException, UploadFile
+from fastapi import APIRouter, Body, Depends, HTTPException, UploadFile
 from lfx.base.agents.utils import safe_cache_get, safe_cache_set
 from lfx.base.mcp.util import update_tools
 
@@ -17,6 +17,7 @@
     get_mcp_file,
     upload_user_file,
 )
+from langflow.api.v2.schemas import MCPServerConfig
 from langflow.logging import logger
 from langflow.services.deps import get_settings_service, get_shared_component_cache_service, get_storage_service
 from langflow.services.settings.service import SettingsService
@@ -163,9 +164,6 @@ async def check_server(server_name: str) -> dict:
 
                 from langflow.services.auth import utils as auth_utils
                 from langflow.services.database.models.variable.model import Variable
-                from langflow.services.deps import get_settings_service
-
-                settings_service = get_settings_service()
 
                 # Load variables directly from database and decrypt ALL types (including CREDENTIAL)
                 stmt = select(Variable).where(Variable.user_id == current_user.id)
@@ -177,9 +175,7 @@ async def check_server(server_name: str) -> dict:
                         # Prior to v1.8, both Generic and Credential variables were encrypted.
                         # As such, must attempt to decrypt both types to ensure backwards-compatibility.
                         try:
-                            decrypted_value = auth_utils.decrypt_api_key(
-                                variable.value, settings_service=settings_service
-                            )
+                            decrypted_value = auth_utils.decrypt_api_key(variable.value)
                             request_variables[variable.name] = decrypted_value
                         except Exception as e:  # noqa: BLE001
                             await logger.aerror(
@@ -324,15 +320,16 @@ async def update_server(
 @router.post("/servers/{server_name}")
 async def add_server(
     server_name: str,
-    server_config: dict,
+    *,
+    server_config: Annotated[MCPServerConfig, Body()],
     current_user: CurrentActiveUser,
     session: DbSession,
     storage_service: Annotated[StorageService, Depends(get_storage_service)],
     settings_service: Annotated[SettingsService, Depends(get_settings_service)],
 ):
     return await update_server(
         server_name,
-        server_config,
+        server_config.model_dump(exclude_unset=True),
         current_user,
         session,
         storage_service,
@@ -344,15 +341,16 @@ async def add_server(
 @router.patch("/servers/{server_name}")
 async def update_server_endpoint(
     server_name: str,
-    server_config: dict,
+    *,
+    server_config: Annotated[MCPServerConfig, Body()],
     current_user: CurrentActiveUser,
     session: DbSession,
     storage_service: Annotated[StorageService, Depends(get_storage_service)],
     settings_service: Annotated[SettingsService, Depends(get_settings_service)],
 ):
     return await update_server(
         server_name,
-        server_config,
+        server_config.model_dump(exclude_unset=True),
         current_user,
         session,
         storage_service,