>'hc ddlmZddlZddlZddlmZmZddlmZm Z ejde jZ ejde jZGdd Zejd d ZGd dej"eZejdd ZGddej(eZejdd Zejdd Zejdd Zejdd Zejdd ZGddej(eeeeefZGddee j8e j:e j<e j>e j@fZ!Gddee jDe jFe jHe jJe jLfZ'Gddee jPe jRe jTe jVe jXfZ-Gd d!Z.ejd"ee/e0ejbfZ2Gd#d$Z3 d(d%Z4d)d&Z5gd'Z6y)*) annotationsN)CallableSequence) exceptionstypesTH)boundAHc0eZdZdZdZeZ eZ ddZddZy)Autha Add custom authentication and authorization management to your LangGraph application. The Auth class provides a unified system for handling authentication and authorization in LangGraph applications. It supports custom user authentication protocols and fine-grained authorization rules for different resources and actions. To use, create a separate python file and add the path to the file to your LangGraph API configuration file (`langgraph.json`). Within that file, create an instance of the Auth class and register authentication and authorization handlers as needed. Example `langgraph.json` file: ```json { "dependencies": ["."], "graphs": { "agent": "./my_agent/agent.py:graph" }, "env": ".env", "auth": { "path": "./auth.py:my_auth" } ``` Then the LangGraph server will load your auth file and run it server-side whenever a request comes in. ???+ example "Basic Usage" ```python from langgraph_sdk import Auth my_auth = Auth() async def verify_token(token: str) -> str: # Verify token and return user_id # This would typically be a call to your auth server return "user_id" @auth.authenticate async def authenticate(authorization: str) -> str: # Verify token and return user_id result = await verify_token(authorization) if result != "user_id": raise Auth.exceptions.HTTPException( status_code=401, detail="Unauthorized" ) return result # Global fallback handler @auth.on async def authorize_default(params: Auth.on.value): return False # Reject all requests (default behavior) @auth.on.threads.create async def authorize_thread_create(params: Auth.on.threads.create.value): # Allow the allowed user to create a thread assert params.get("metadata", {}).get("owner") == "allowed_user" @auth.on.store async def authorize_store(ctx: Auth.types.AuthContext, value: Auth.types.on): assert ctx.user.identity in value["namespace"], "Not authorized" ``` ???+ note "Request Processing Flow" 1. Authentication (your `@auth.authenticate` handler) is performed first on **every request** 2. For authorization, the most specific matching handler is called: * If a handler exists for the exact resource and action, it is used (e.g., `@auth.on.threads.create`) * Otherwise, if a handler exists for the resource with any action, it is used (e.g., `@auth.on.threads`) * Finally, if no specific handlers match, the global handler is used (e.g., `@auth.on`) * If no global handler is set, the request is accepted This allows you to set default behavior with a global handler while overriding specific routes as needed. )on _handlers_global_handlers_authenticate_handler_handler_cachec^t||_ i|_g|_d|_i|_yN)_Onr rrrr)selfs b/home/kushmeetdev/Regenta/Chatbot/venv/lib/python3.12/site-packages/langgraph_sdk/auth/__init__.py__init__z Auth.__init__ns6d)= @FH57KO"DFcB|j td||_|S)a Register an authentication handler function. The authentication handler is responsible for verifying credentials and returning user scopes. It can accept any of the following parameters by name: - request (Request): The raw ASGI request object - body (dict): The parsed request body - path (str): The request path, e.g., "/threads/abcd-1234-abcd-1234/runs/abcd-1234-abcd-1234/stream" - method (str): The HTTP method, e.g., "GET" - path_params (dict[str, str]): URL path parameters, e.g., {"thread_id": "abcd-1234-abcd-1234", "run_id": "abcd-1234-abcd-1234"} - query_params (dict[str, str]): URL query parameters, e.g., {"stream": "true"} - headers (dict[bytes, bytes]): Request headers - authorization (str | None): The Authorization header value (e.g., "Bearer ") Args: fn: The authentication handler function to register. Must return a representation of the user. This could be a: - string (the user id) - dict containing {"identity": str, "permissions": list[str]} - or an object with identity and permissions properties Permissions can be optionally used by your handlers downstream. Returns: The registered handler function. Raises: ValueError: If an authentication handler is already registered. ???+ example "Examples" Basic token authentication: ```python @auth.authenticate async def authenticate(authorization: str) -> str: user_id = verify_token(authorization) return user_id ``` Accept the full request context: ```python @auth.authenticate async def authenticate( method: str, path: str, headers: dict[str, bytes] ) -> str: user = await verify_request(method, path, headers) return user ``` Return user name and permissions: ```python @auth.authenticate async def authenticate( method: str, path: str, headers: dict[str, bytes] ) -> Auth.types.MinimalUserDict: permissions, user = await verify_request(method, path, headers) # Permissions could be things like ["runs:read", "runs:write", "threads:read", "threads:write"] return { "identity": user["id"], "permissions": permissions, "display_name": user["name"], } ``` zCAuthentication handler already set as {self._authenticate_handler}.)r ValueErrorrfns r authenticatezAuth.authenticates0H  % % 1U &(" rN)returnNone)rr rr ) __name__ __module__ __qualname____doc__ __slots__rrrrrrr r s6JXI E0 J EGNIrr VT) contravariantc eZdZ ddZy)_ActionHandlerc Kywrr%)rctxvalues r__call__z_ActionHandler.__call__s !sN)r+ztypes.AuthContextr,r&rztypes.HandlerResult)r r!r"r-r%rrr)r)s"'"01" "rr)T) covariantc0eZdZ ddZddZy)_ResourceActionOnc<||_||_||_||_yr)authresourceactionr,)rr3r4r5r,s rrz_ResourceActionOn.__init__s      rctt|t|j|j|j||Sr)_validate_handler_register_handlerr3r4r5rs rr-z_ResourceActionOn.__call__s)"$))T]]DKKD rN) r3r r40typing.Literal['threads', 'crons', 'assistants']r5zLtyping.Literal['create', 'read', 'update', 'delete', 'search', 'create_run']r,ztype[T]rr)r_ActionHandler[T]rr:)r r!r"rr-r%rrr1r1s=  C     rr1VCreateVUpdateVReadVDeleteVSearchceZdZUdZded<ded<ded<ded <d ed <d ed < ddZej ddZejdd ddZ dddd ddZy) _ResourceOnz< Generic base class for resource-specific handlers. z=type[typing.Union[VCreate, VUpdate, VRead, VDelete, VSearch]]r,z type[VCreate]Createz type[VRead]Readz type[VUpdate]Updatez type[VDelete]Deletez type[VSearch]SearchcB||_||_t||d|j|_t||d|j |_t||d|j|_t||d|j|_ t||d|j|_ y)Ncreatereadupdatedeletesearch) r3r4r1rBrHrCrIrDrJrErKrFrL)rr3r4s rrz_ResourceOn.__init__8s    2C (Hdkk3  /@ (FDII/  3D (Hdkk3  3D (Hdkk3  3D (Hdkk3  rcyrr%rs rr-z_ResourceOn.__call__Os SVrNactionscyrr%r resourcesrOs rr-z_ResourceOn.__call__Xs rrRrOc |rt|tjttjt t tttftjjd|S dfd }|S)N*c t|tjttjt t tttftjjd|SNrU r7typingcastr)Unionr;r<r=r>r?r8r3r4)handlerrs r decoratorz'_ResourceOn.__call__..decorator{sP g &;;v||GWeWg,UVW!$))T]]CI r)r\G_ActionHandler[typing.Union[VCreate, VUpdate, VRead, VDelete, VSearch]]rr^rXrrrRrOr]s` rr-z_ResourceOn.__call__csw" > b !;;v||GWeWg,UVW!$))T]]CD   U rr3r r4r9rr)rz|typing.Union[_ActionHandler[typing.Union[VCreate, VUpdate, VRead, VDelete, VSearch]], _ActionHandler[dict[str, typing.Any]]]rr^)rR typing.Union[str, Sequence[str]]rO1typing.Optional[typing.Union[str, Sequence[str]]]rzCallable[[_ActionHandler[typing.Union[VCreate, VUpdate, VRead, VDelete, VSearch]]], _ActionHandler[typing.Union[VCreate, VUpdate, VRead, VDelete, VSearch]]]r)rztyping.Union[_ActionHandler[typing.Union[VCreate, VUpdate, VRead, VDelete, VSearch]], _ActionHandler[dict[str, typing.Any]], None]rR&typing.Union[str, Sequence[str], None]rOrbrztyping.Union[_ActionHandler[typing.Union[VCreate, VUpdate, VRead, VDelete, VSearch]], Callable[[_ActionHandler[typing.Union[VCreate, VUpdate, VRead, VDelete, VSearch]]], _ActionHandler[typing.Union[VCreate, VUpdate, VRead, VDelete, VSearch]]]]) r r!r"r#__annotations__rrYoverloadr-r%rrrArA+s IH       C    . __V V Q VV __ FJ  4 C       #=AEI# #:#C# #rrAceZdZejej ejejejejfZ ej Z ejZ ejZejZejZy) _AssistantsOnN)r r!r"rYr[rAssistantsCreateAssistantsReadAssistantsUpdateAssistantsDeleteAssistantsSearchr,rBrCrDrErFr%rrrgrgs} LL        E # #F   D  # #F  # #F  # #FrrgceZdZejeejeejeejeejeejeejfZ ejZejZejZejZejZejZ dfd ZxZS) _ThreadsOnc`t|||t||d|j|_y)N create_run)superrr1 CreateRunrp)rr3r4 __class__s rrz_ThreadsOn.__init__s. x(?P (L$..@ rr`)r r!r"rYr[typer ThreadsCreate ThreadsRead ThreadsUpdate ThreadsDelete ThreadsSearch RunsCreater,rBrCrDrErFrrr __classcell__)rss@rrnrns LL U ! U   U ! U ! U ! U     E F   D  F  F  F  I  C     rrnceZdZeej ejejejejejfZ ejZ ejZejZejZejZy)_CronsOnN)r r!r"rtrYr[r CronsCreate CronsRead CronsUpdate CronsDelete CronsSearchr,rBrCrDrErFr%rrr}r}s     OO             E  F ??D   F   F   Frr}ceZdZddZej dd ddZej d dZ d dd d dZy) _StoreOnc||_yr)_authrr3s rrz_StoreOn.__init__s  rNrNcyrr%)rrOs rr-z_StoreOn.__call__s #rcyrr%rs rr-z_StoreOn.__call__(+rcX|tjdd||S dfd }|S)aRegister a handler for specific resources and actions. Can be used as a decorator or with explicit resource/action parameters: @auth.on.store async def handler(): ... # Handle all store ops @auth.on.store(actions=("put", "get", "search", "delete")) async def handler(): ... # Handle specific store ops @auth.on.store.put async def handler(): ... # Handle store.put ops Nstorecttrg}n tndg}|D]}tjd|||S)NrUr isinstancestrlistr8r)r\ action_listr5rOrs rr]z$_StoreOn.__call__..decoratorsP'3'&i /6/Bd7m % H!$**gvwG HNrr\AHOrrr8r)rrrOr]s` ` rr-z_StoreOn.__call__s>4 > djj'4 <I    rr3r rr)rOtyping.Optional[typing.Union[typing.Literal['put', 'get', 'search', 'list_namespaces', 'delete'], Sequence[typing.Literal['put', 'get', 'search', 'list_namespaces', 'delete']]]]rCallable[[AHO], AHO]rrrrr)rtyping.Optional[AHO]rOrr'typing.Union[AHO, Callable[[AHO], AHO]])r r!r"rrYrer-r%rrrrs| __  #  #  # # __++$(+ + + + 1+rrrceZdZdZdZd dZejdd d dZejd dZ d ddd dd Zy)raEntry point for authorization handlers that control access to specific resources. The _On class provides a flexible way to define authorization rules for different resources and actions in your application. It supports three main usage patterns: 1. Global handlers that run for all resources and actions 2. Resource-specific handlers that run for all actions on a resource 3. Resource and action specific handlers for fine-grained control Each handler must be an async function that accepts two parameters: - ctx (AuthContext): Contains request context and authenticated user info - value: The data being authorized (type varies by endpoint) The handler should return one of: - None or True: Accept the request - False: Reject with 403 error - FilterType: Apply filtering rules to the response ???+ example "Examples" Global handler for all requests: ```python @auth.on async def log_all_requests(ctx: AuthContext, value: Any) -> None: print(f"Request to {ctx.path} by {ctx.user.identity}") return True ``` Resource-specific handler: ```python @auth.on.threads async def check_thread_access(ctx: AuthContext, value: Any) -> bool: # Allow access only to threads created by the user return value.get("created_by") == ctx.user.identity ``` Resource and action specific handler: ```python @auth.on.threads.delete async def prevent_thread_deletion(ctx: AuthContext, value: Any) -> bool: # Only admins can delete threads return "admin" in ctx.user.permissions ``` Multiple resources or actions: ```python @auth.on(resources=["threads", "runs"], actions=["create", "update"]) async def rate_limit_writes(ctx: AuthContext, value: Any) -> bool: # Implement rate limiting for write operations return await check_rate_limit(ctx.user.identity) ``` )r assistantsthreadsrunscronsrr,c||_t|d|_t|d|_t |d|_t||_tttjf|_ y)Nrrr)rrgrrnrr}rrrdictrrYAnyr,rs rrz _On.__init__csR 'l;!$ 2 dG, d^ #vzz/* rNrNcyrr%rQs rr-z _On.__call__ks #rcyrr%rs rr-z _On.__call__srrrSc\|tjdd||S dfd }|S)aRegister a handler for specific resources and actions. Can be used as a decorator or with explicit resource/action parameters: @auth.on async def handler(): ... # Global handler @auth.on(resources="threads") async def handler(): ... # types.Handler for all thread actions @auth.on(resources="threads", actions="create") async def handler(): ... # types.Handler for thread creation Ncttrg}n tndg}ttrg}n tndg}|D]!}|D]}tj|||#|SrWr)r\ resource_listrr4r5rOrRrs rr]z_On.__call__..decorators)S)!* 3<3HYse '3'&i /6/Bd7m ) M)MF%djj(FGLM MNrrrr_s` `` rr-z _On.__call__vs>( > djj$b 9I    "rr)rRrarOrbrrrr)rrrRrcrOrbrr) r r!r"r#r$rrYrer-r%rrrr#s3jI+ __ FJ #4#C #  ## __++$(+=AEI + +: + C + 1 +rrc0t||xsd}|xsd}|dk(r9|dk(r4|jr td|jj||S||nd}||nd}||f|jvrtd|d|d|g|j||f<|S)NrUzGlobal handler already set.ztypes.Handler already set for z, .)r7rrappendr)r3r4r5rras rr8r8s b3H ]sF36S=  :; ; $$R( I !,H#(Fc q6T^^ #=aS1#QGH H"$1v Irc&tj|std|jdtj|}d|j vrtd|jdd|j vrtd|jdy)zValidates that an auth handler function meets the required signature. Auth handlers must: 1. Be async functions 2. Accept a ctx parameter of type AuthContext 3. Accept a value parameter for the data being authorized zAuth handler 'z|' must be an async function. Add 'async' before 'def' to make it asynchronous and ensure any IO operations are non-blocking.r+zm' must have a 'ctx: AuthContext' parameter. Update the function signature to include this required parameter.r,z' must have a 'value' parameter. The value contains the mutable data being sent to the endpoint.Update the function signature to include this required parameter.N)inspectiscoroutinefunctionrr signature parameters)rsigs rr7r7s  & &r *R[[M*3 3    B C CNN"R[[M*P P  cnn$R[[M*P P  %r)r rr) r3r r4typing.Optional[str]r5rr types.Handlerrr)rzCallable[..., typing.Any]rr)7 __future__rrrYcollections.abcrrlanggraph_sdk.authrrTypeVarHandlerr Authenticatorr r r&Protocolr)r.Genericr1r;r<r=r>r?rArhrirjrkrlrgrurvrwrxryrnr~rrrrr}rrrrrrr8r7__all__r%rrrsj" .0V^^D .V^^D 3 34qqlFNN3d+"V__Q'" FNN3$'q)* &..d 3 &..d 3w$/ &..d 3 &..d 3[&..%'7!JK[|$       $.           F       4@@FfnnU.c6::o1F"GH~~B " !    , : *r