f3fiQb ddlmZddlZddlZddlmZmZddlmZm Z ejde jZ ejde jZGdd Zejd d ZGd dej"eZejdd ZGddej(eZejdd Zejdd Zejdd Zejdd Zejdd ZGddej(eeeeefZGddee j8e j:e j<e j>e j@fZ!Gddee jDe jFe jHe jJe jLfZ'Gddee jPe jRe jTe jVe jXfZ-Gd d!Z.ejd"ee/e0ejbfZ2Gd#d$Z3 d)d%Z4d*d&Z5 d+d'Z6gd(Z7y),) annotationsN)CallableSequence) exceptionstypesTH)boundAHc0eZdZdZdZeZ eZ ddZddZy)Autha Add custom authentication and authorization management to your LangGraph application. The Auth class provides a unified system for handling authentication and authorization in LangGraph applications. It supports custom user authentication protocols and fine-grained authorization rules for different resources and actions. To use, create a separate python file and add the path to the file to your LangGraph API configuration file (`langgraph.json`). Within that file, create an instance of the Auth class and register authentication and authorization handlers as needed. Example `langgraph.json` file: ```json { "dependencies": ["."], "graphs": { "agent": "./my_agent/agent.py:graph" }, "env": ".env", "auth": { "path": "./auth.py:my_auth" } ``` Then the LangGraph server will load your auth file and run it server-side whenever a request comes in. ???+ example "Basic Usage" ```python from langgraph_sdk import Auth my_auth = Auth() async def verify_token(token: str) -> str: # Verify token and return user_id # This would typically be a call to your auth server return "user_id" @auth.authenticate async def authenticate(authorization: str) -> str: # Verify token and return user_id result = await verify_token(authorization) if result != "user_id": raise Auth.exceptions.HTTPException( status_code=401, detail="Unauthorized" ) return result # Global fallback handler @auth.on async def authorize_default(params: Auth.on.value): return False # Reject all requests (default behavior) @auth.on.threads.create async def authorize_thread_create(params: Auth.on.threads.create.value): # Allow the allowed user to create a thread assert params.get("metadata", {}).get("owner") == "allowed_user" @auth.on.store async def authorize_store(ctx: Auth.types.AuthContext, value: Auth.types.on): assert ctx.user.identity in value["namespace"], "Not authorized" ``` ???+ note "Request Processing Flow" 1. Authentication (your `@auth.authenticate` handler) is performed first on **every request** 2. For authorization, the most specific matching handler is called: * If a handler exists for the exact resource and action, it is used (e.g., `@auth.on.threads.create`) * Otherwise, if a handler exists for the resource with any action, it is used (e.g., `@auth.on.threads`) * Finally, if no specific handlers match, the global handler is used (e.g., `@auth.on`) * If no global handler is set, the request is accepted This allows you to set default behavior with a global handler while overriding specific routes as needed. )_authenticate_handler_global_handlers_handler_cache _handlersonc^t||_ i|_g|_d|_i|_yN)_Onrrrr r)selfs Y/var/www/auto_recruiter/arenv/lib/python3.12/site-packages/langgraph_sdk/auth/__init__.py__init__z Auth.__init__ps7d)C LFH57AE"DFc^|jtd|jd||_|S)a Register an authentication handler function. The authentication handler is responsible for verifying credentials and returning user scopes. It can accept any of the following parameters by name: - request (Request): The raw ASGI request object - path (str): The request path, e.g., "/threads/abcd-1234-abcd-1234/runs/abcd-1234-abcd-1234/stream" - method (str): The HTTP method, e.g., "GET" - path_params (dict[str, str]): URL path parameters, e.g., {"thread_id": "abcd-1234-abcd-1234", "run_id": "abcd-1234-abcd-1234"} - query_params (dict[str, str]): URL query parameters, e.g., {"stream": "true"} - headers (dict[bytes, bytes]): Request headers - authorization (str | None): The Authorization header value (e.g., "Bearer ") Args: fn: The authentication handler function to register. Must return a representation of the user. This could be a: - string (the user id) - dict containing {"identity": str, "permissions": list[str]} - or an object with identity and permissions properties Permissions can be optionally used by your handlers downstream. Returns: The registered handler function. Raises: ValueError: If an authentication handler is already registered. ???+ example "Examples" Basic token authentication: ```python @auth.authenticate async def authenticate(authorization: str) -> str: user_id = verify_token(authorization) return user_id ``` Accept the full request context: ```python @auth.authenticate async def authenticate( method: str, path: str, headers: dict[str, bytes] ) -> str: user = await verify_request(method, path, headers) return user ``` Return user name and permissions: ```python @auth.authenticate async def authenticate( method: str, path: str, headers: dict[str, bytes] ) -> Auth.types.MinimalUserDict: permissions, user = await verify_request(method, path, headers) # Permissions could be things like ["runs:read", "runs:write", "threads:read", "threads:write"] return { "identity": user["id"], "permissions": permissions, "display_name": user["name"], } ``` z&Authentication handler already set as .)r ValueErrorrfns r authenticatezAuth.authenticatesAN  % % 189S9S8TTUV &(" rN)returnNone)rr rr ) __name__ __module__ __qualname____doc__ __slots__rrrrrrr r s6L\I E0 J KGZLrr VT) contravariantc eZdZ ddZy)_ActionHandlerc Kywrr&)rctxvalues r__call__z_ActionHandler.__call__s !sN)r,ztypes.AuthContextr-r'rztypes.HandlerResult)r!r"r#r.r&rrr*r*s"'"01" "rr*T) covariantc0eZdZ ddZddZy)_ResourceActionOnc<||_||_||_||_yr)authresourceactionr-)rr4r5r6r-s rrz_ResourceActionOn.__init__s      rctt|t|j|j|j||Sr)_validate_handler_register_handlerr4r5r6rs rr.z_ResourceActionOn.__call__)s)"$))T]]DKKD rN) r4r r50typing.Literal['threads', 'crons', 'assistants']r6zLtyping.Literal['create', 'read', 'update', 'delete', 'search', 'create_run']r-ztype[T]rr )r_ActionHandler[T]rr;)r!r"r#rr.r&rrr2r2s=  C     rr2VCreateVUpdateVReadVDeleteVSearchceZdZUdZded<ded<ded<ded <d ed <d ed < ddZej ddZejdd ddZ dddd ddZy) _ResourceOnz< Generic base class for resource-specific handlers. z3type[VCreate | VUpdate | VRead | VDelete | VSearch]r-z type[VCreate]Createz type[VRead]Readz type[VUpdate]Updatez type[VDelete]Deletez type[VSearch]SearchcB||_||_t||d|j|_t||d|j |_t||d|j|_t||d|j|_ t||d|j|_ y)Ncreatereadupdatedeletesearch) r4r5r2rCrIrDrJrErKrFrLrGrM)rr4r5s rrz_ResourceOn.__init__Cs    2C (Hdkk3  /@ (FDII/  3D (Hdkk3  3D (Hdkk3  3D (Hdkk3  rcyrr&rs rr.z_ResourceOn.__call__Zs ILrNactionscyrr&r resourcesrPs rr.z_ResourceOn.__call__cs rrSrPc |At|tjdtjj d|S dfd }||f}|S)N=_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch]*c t|tjdtjj d|S)NrVrWr8typingcastr9r4r5)handlerrs r decoratorz'_ResourceOn.__call__..decorators7 g &;;O!$))T]]CI r)r\rVrrVrY)rrrSrPr]_s` rr.z_ResourceOn.__call__nsc" > b !;;O!$))T]]CD   R  J  w rr4r r5r:rr )rze_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch] | _ActionHandler[dict[str, typing.Any]]rrV)rSstr | Sequence[str]rPstr | Sequence[str] | NonerzCallable[[_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch]], _ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch]]r)rzl_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch] | _ActionHandler[dict[str, typing.Any]] | NonerSrarPrarz_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch] | Callable[[_ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch]], _ActionHandler[VCreate | VUpdate | VRead | VDelete | VSearch]]) r!r"r#r$__annotations__rrZoverloadr.r&rrrBrB6s ?>       C    . __L 4L G LL __ /3  ' ,       #15.2# #.#,# #rrBceZdZejej zej zejzejzZ ejZ ej Z ej Z ejZ ejZy) _AssistantsOnN)r!r"r#rAssistantsCreateAssistantsReadAssistantsUpdateAssistantsDeleteAssistantsSearchr-rCrDrErFrGr&rrreres        !   !   !  # #F   D  # #F  # #F  # #FrrecVeZdZejej zej zejzejzejzZ ejZ ej Z ej Z ejZejZejZ dfd ZxZS) _ThreadsOnc`t|||t||d|j|_y)N create_run)superrr2 CreateRunrn)rr4r5 __class__s rrz_ThreadsOn.__init__s. x(?P (L$..@ rr_)r!r"r#r ThreadsCreate ThreadsRead ThreadsUpdate ThreadsDelete ThreadsSearch RunsCreater-rCrDrErFrGrpr __classcell__)rqs@rrlrls                         F   D  F  F  F  I  C     rrlc eZdZeej ej zejzejzejzZ ej Z ej Z ejZ ejZejZy)_CronsOnN)r!r"r#typer CronsCreate CronsRead CronsUpdate CronsDelete CronsSearchr-rCrDrErFrGr&rrrzrzs   //               E  F ??D   F   F   FrrzceZdZddZej dd ddZej d dZ d dd d dZy) _StoreOnc||_yr)_authrr4s rrz_StoreOn.__init__s  rNrOcyrr&)rrPs rr.z_StoreOn.__call__s #rcyrr&rs rr.z_StoreOn.__call__(+rcX|tjdd||S dfd }|S)aRegister a handler for specific resources and actions. Can be used as a decorator or with explicit resource/action parameters: @auth.on.store async def handler(): ... # Handle all store ops @auth.on.store(actions=("put", "get", "search", "delete")) async def handler(): ... # Handle specific store ops @auth.on.store.put async def handler(): ... # Handle store.put ops Nstorecttrg}n tndg}|D]}tjd|||S)NrWr isinstancestrlistr9r)r\ action_listr6rPrs rr]z$_StoreOn.__call__..decoratorsP'3'&i /6/Bd7m % H!$**gvwG HNrr\AHOrrr9r)rrrPr]s` ` rr.z_StoreOn.__call__s>2 > djj'4 <I    rr4r rr )rPtyping.Literal['put', 'get', 'search', 'list_namespaces', 'delete'] | Sequence[typing.Literal['put', 'get', 'search', 'list_namespaces', 'delete']] | NonerCallable[[AHO], AHO]rrrrr)r AHO | NonerPrrAHO | Callable[[AHO], AHO])r!r"r#rrZrcr.r&rrrrs| __  #  #  # # __++* * *   * $*rrrceZdZdZdZd dZejdd d dZejd dZ d ddd dd Zy)raEntry point for authorization handlers that control access to specific resources. The _On class provides a flexible way to define authorization rules for different resources and actions in your application. It supports three main usage patterns: 1. Global handlers that run for all resources and actions 2. Resource-specific handlers that run for all actions on a resource 3. Resource and action specific handlers for fine-grained control Each handler must be an async function that accepts two parameters: - ctx (AuthContext): Contains request context and authenticated user info - value: The data being authorized (type varies by endpoint) The handler should return one of: - None or True: Accept the request - False: Reject with 403 error - FilterType: Apply filtering rules to the response ???+ example "Examples" Global handler for all requests: ```python @auth.on async def log_all_requests(ctx: AuthContext, value: Any) -> None: print(f"Request to {ctx.path} by {ctx.user.identity}") return True ``` Resource-specific handler: ```python @auth.on.threads async def check_thread_access(ctx: AuthContext, value: Any) -> bool: # Allow access only to threads created by the user return value.get("created_by") == ctx.user.identity ``` Resource and action specific handler: ```python @auth.on.threads.delete async def prevent_thread_deletion(ctx: AuthContext, value: Any) -> bool: # Only admins can delete threads return "admin" in ctx.user.permissions ``` Multiple resources or actions: ```python @auth.on(resources=["threads", "runs"], actions=["create", "update"]) async def rate_limit_writes(ctx: AuthContext, value: Any) -> bool: # Implement rate limiting for write operations return await check_rate_limit(ctx.user.identity) ``` )r assistantscronsrunsrthreadsr-c||_t|d|_t|d|_t |d|_t||_tttjf|_ y)Nrrr)rrerrlrrzrrrdictrrZAnyr-rs rrz _On.__init__nsR 'l;!$ 2 dG, d^ #vzz/* rNrOcyrr&rRs rr.z _On.__call__vs #rcyrr&rs rr.z _On.__call__~rrrTc\|tjdd||S dfd }|S)aRegister a handler for specific resources and actions. Can be used as a decorator or with explicit resource/action parameters: @auth.on async def handler(): ... # Global handler @auth.on(resources="threads") async def handler(): ... # types.Handler for all thread actions @auth.on(resources="threads", actions="create") async def handler(): ... # types.Handler for thread creation Ncttrg}n tndg}ttrg}n tndg}|D]!}|D]}tj|||#|S)NrWr)r\ resource_listrr5r6rPrSrs rr]z_On.__call__..decorators)S)!* 3<3HYse '3'&i /6/Bd7m ) M)MF%djj(FGLM MNrrr)rrrSrPr]s` `` rr.z _On.__call__s>( > djj$b 9I    "rr)rSr`rPrarrrr)rrrSrarPrarr) r!r"r#r$r%rrZrcr.r&rrrr*s7rI+ __ /3 #'#, #  ## __+++15.2 + +. + , + $ +rrc0t||xsd}|xsd}|dk(r9|dk(r4|jr td|jj||S||nd}||nd}||f|jvrtd|d|d|g|j||f<|S)NrWzGlobal handler already set.ztypes.Handler already set for z, r)r8rrappendr)r4r5r6rras rr9r9s b3H ]sF36S=  :; ; $$R( I !,H#(Fc q6T^^ #=aS1#QGH H"$1v Irc,tj|stdt|d|dtj|}d|j vrtdt|d|dd|j vrtdt|d|dy) zValidates that an auth handler function meets the required signature. Auth handlers must: 1. Be async functions 2. Accept a ctx parameter of type AuthContext 3. Accept a value parameter for the data being authorized zAuth handler 'r!z|' must be an async function. Add 'async' before 'def' to make it asynchronous and ensure any IO operations are non-blocking.r,zm' must have a 'ctx: AuthContext' parameter. Update the function signature to include this required parameter.r-z' must have a 'value' parameter. The value contains the mutable data being sent to the endpoint.Update the function signature to include this required parameter.N)inspectiscoroutinefunctionrgetattr signature parameters)rsigs rr8r8s  & &r *WRR89:3 3    B C CNN"WRR89:P P  cnn$WRR89:P P  %rct|tjxs&t|txr|j ddk(S)Nkind StudioUser)rrrrget)users ris_studio_userrs< 4))* I tT " Gtxx'7<'Gr)r rr) r4r r5 str | Noner6rr types.Handlerrr)rzCallable[..., typing.Any]rr )rz:types.MinimalUser | types.BaseUser | types.MinimalUserDictrbool)8 __future__rrrZcollections.abcrrlanggraph_sdk.authrrTypeVarHandlerr Authenticatorr r r'Protocolr*r/Genericr2r<r=r>r?r@rBrfrgrhrirjrerrrsrtrurvrlr|r}r~rrrzrrrrrrr9r8r__all__r&rrrs}" .0V^^D .V^^D 3 34||BFNN3d+"V__Q'" FNN3$'q)* &..d 3 &..d 3w$/ &..d 3 &..d 3[&..%'7!JK[|$       $.           F       0>>BfnnU.c6::o1F"GHBBJ      , : D  *r