feat(auth): update AUTO_LOGIN authentication to enforce API key or JWT requirement (#8513)

* feat(auth): update AUTO_LOGIN authentication to enforce API key or JWT requirement

* Removed deprecated warning messages and implemented explicit HTTP exceptions for missing API key or JWT in both API and WebSocket authentication methods.
* Enhanced error handling to ensure compliance with the new authentication requirements introduced in v1.5.

* fix(auth): refine error message for AUTO_LOGIN API key requirement

* Updated the error message in the API key security function to clarify that AUTO_LOGIN requires a valid API key, removing the mention of JWT for consistency with the latest authentication requirements.

* feat(auth): introduce SKIP_AUTH_AUTO_LOGIN setting for enhanced authentication flexibility

* Added a new configuration option `SKIP_AUTH_AUTO_LOGIN` to the AuthSettings class, allowing the application to bypass API key validation for auto login.
* Updated the API and WebSocket security functions to utilize this setting, improving error handling and providing a fallback for superuser credentials when authentication is skipped.

* refactor(auth): rename SKIP_AUTH_AUTO_LOGIN to skip_auth_auto_login for consistency

* Updated the `SKIP_AUTH_AUTO_LOGIN` setting in the `AuthSettings` class to `skip_auth_auto_login` to follow Python naming conventions.
* Adjusted references in the API and WebSocket security functions to use the new attribute name, ensuring consistent behavior across the authentication logic.

* feat(auth): add deprecation warning for SKIP_AUTH_AUTO_LOGIN removal

* Introduced a warning log in both API and WebSocket security functions to inform users that the `LANGFLOW_SKIP_AUTH_AUTO_LOGIN` feature will be removed in version 1.6, prompting necessary updates to authentication methods.

* feat(auth): enhance deprecation warnings for AUTO_LOGIN features

* Added constants for deprecation warning and error messages related to `LANGFLOW_SKIP_AUTH_AUTO_LOGIN` and `AUTO_LOGIN` requirements, improving code maintainability and clarity.
* Updated API and WebSocket security functions to utilize these constants for logging and exception handling, ensuring consistent messaging across authentication methods.

* fix(auth): update AUTO_LOGIN_ERROR message to include LANGFLOW_SKIP_AUTH_AUTO_LOGIN usage

* fix(auth): correct logic for API key validation in WebSocket security function

* Adjusted the conditional flow in the `ws_api_key_security` function to ensure that the API key is checked only when necessary, improving the clarity and correctness of the authentication logic.

* [autofix.ci] apply automated fixes

* feat(tests): add authentication token retrieval for starter projects integration tests

* Implemented a helper function to obtain a JWT token for API requests, enhancing the security of the integration tests.
* Updated the test for starter projects to include the token in API requests, ensuring proper authentication during testing.

* feat(auth): add MCP-specific user authentication and active user dependency

* Introduced `get_current_user_mcp` function for MCP-specific user authentication, allowing fallback to username lookup when no API key is provided.
* Added `get_current_active_user_mcp` dependency to manage active user checks for MCP, ensuring proper integration with the authentication flow.

* refactor(api): replace user dependency with CurrentActiveMCPUser in mcp project endpoints

* Updated project-related API endpoints to use CurrentActiveMCPUser for user authentication, enhancing clarity and consistency in user management.
* Removed unused imports and dependencies related to the previous user authentication method, streamlining the codebase.

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

Author: ogabrielluiz

src/backend/base/langflow/api/utils.py

@@ -13,7 +13,7 @@
 from sqlmodel.ext.asyncio.session import AsyncSession
 
 from langflow.graph.graph.base import Graph
-from langflow.services.auth.utils import get_current_active_user
+from langflow.services.auth.utils import get_current_active_user, get_current_active_user_mcp
 from langflow.services.database.models.flow.model import Flow
 from langflow.services.database.models.message.model import MessageTable
 from langflow.services.database.models.transactions.model import TransactionTable
@@ -33,6 +33,7 @@
 MIN_PAGE_SIZE = 1
 
 CurrentActiveUser = Annotated[User, Depends(get_current_active_user)]
+CurrentActiveMCPUser = Annotated[User, Depends(get_current_active_user_mcp)]
 DbSession = Annotated[AsyncSession, Depends(get_session)]
 
 

src/backend/base/langflow/api/v1/mcp.py

@@ -3,27 +3,27 @@
 from collections.abc import Awaitable, Callable
 from contextvars import ContextVar
 from functools import wraps
-from typing import Annotated, Any, ParamSpec, TypeVar
+from typing import Any, ParamSpec, TypeVar
 from urllib.parse import quote, unquote, urlparse
 from uuid import uuid4
 
 import pydantic
 from anyio import BrokenResourceError
-from fastapi import APIRouter, Depends, HTTPException, Request, Response
+from fastapi import APIRouter, HTTPException, Request, Response
 from fastapi.responses import HTMLResponse, StreamingResponse
 from loguru import logger
 from mcp import types
 from mcp.server import NotificationOptions, Server
 from mcp.server.sse import SseServerTransport
 from sqlmodel import select
 
+from langflow.api.utils import CurrentActiveMCPUser
 from langflow.api.v1.endpoints import simple_run_flow
 from langflow.api.v1.schemas import SimplifiedAPIRequest
 from langflow.base.mcp.constants import MAX_MCP_TOOL_NAME_LENGTH
 from langflow.base.mcp.util import get_flow_snake_case
 from langflow.helpers.flow import json_schema_from_flow
 from langflow.schema.message import Message
-from langflow.services.auth.utils import get_current_active_user
 from langflow.services.database.models.flow.model import Flow
 from langflow.services.database.models.user.model import User
 from langflow.services.deps import (
@@ -345,7 +345,7 @@ async def im_alive():
 
 
 @router.get("/sse", response_class=StreamingResponse)
-async def handle_sse(request: Request, current_user: Annotated[User, Depends(get_current_active_user)]):
+async def handle_sse(request: Request, current_user: CurrentActiveMCPUser):
     msg = f"Starting SSE connection, server name: {server.name}"
     logger.info(msg)
     token = current_user_ctx.set(current_user)

src/backend/base/langflow/api/v1/mcp_projects.py

@@ -9,19 +9,19 @@
 from datetime import datetime, timezone
 from ipaddress import ip_address
 from pathlib import Path
-from typing import Annotated
 from urllib.parse import quote, unquote, urlparse
 from uuid import UUID, uuid4
 
 from anyio import BrokenResourceError
-from fastapi import APIRouter, Depends, HTTPException, Request, Response
+from fastapi import APIRouter, HTTPException, Request, Response
 from fastapi.responses import HTMLResponse
 from mcp import types
 from mcp.server import NotificationOptions, Server
 from mcp.server.sse import SseServerTransport
 from sqlalchemy.orm import selectinload
 from sqlmodel import select
 
+from langflow.api.utils import CurrentActiveMCPUser
 from langflow.api.v1.endpoints import simple_run_flow
 from langflow.api.v1.mcp import (
     current_user_ctx,
@@ -34,8 +34,7 @@
 from langflow.base.mcp.util import get_flow_snake_case, get_unique_name
 from langflow.helpers.flow import json_schema_from_flow
 from langflow.schema.message import Message
-from langflow.services.auth.utils import get_current_active_user
-from langflow.services.database.models import Flow, Folder, User
+from langflow.services.database.models import Flow, Folder
 from langflow.services.database.models.folder.constants import DEFAULT_FOLDER_NAME, NEW_FOLDER_NAME
 from langflow.services.deps import get_settings_service, get_storage_service, session_scope
 from langflow.services.storage.utils import build_content_type_from_extension
@@ -62,7 +61,7 @@ def get_project_sse(project_id: UUID) -> SseServerTransport:
 @router.get("/{project_id}")
 async def list_project_tools(
     project_id: UUID,
-    current_user: Annotated[User, Depends(get_current_active_user)],
+    current_user: CurrentActiveMCPUser,
     *,
     mcp_enabled: bool = True,
 ) -> list[MCPSettings]:
@@ -136,7 +135,7 @@ async def im_alive():
 async def handle_project_sse(
     project_id: UUID,
     request: Request,
-    current_user: Annotated[User, Depends(get_current_active_user)],
+    current_user: CurrentActiveMCPUser,
 ):
     """Handle SSE connections for a specific project."""
     # Verify project exists and user has access
@@ -187,9 +186,7 @@ async def handle_project_sse(
 
 
 @router.post("/{project_id}")
-async def handle_project_messages(
-    project_id: UUID, request: Request, current_user: Annotated[User, Depends(get_current_active_user)]
-):
+async def handle_project_messages(project_id: UUID, request: Request, current_user: CurrentActiveMCPUser):
     """Handle POST messages for a project-specific MCP server."""
     # Verify project exists and user has access
     async with session_scope() as session:
@@ -216,9 +213,7 @@ async def handle_project_messages(
 
 
 @router.post("/{project_id}/")
-async def handle_project_messages_with_slash(
-    project_id: UUID, request: Request, current_user: Annotated[User, Depends(get_current_active_user)]
-):
+async def handle_project_messages_with_slash(project_id: UUID, request: Request, current_user: CurrentActiveMCPUser):
     """Handle POST messages for a project-specific MCP server with trailing slash."""
     # Call the original handler
     return await handle_project_messages(project_id, request, current_user)
@@ -228,7 +223,7 @@ async def handle_project_messages_with_slash(
 async def update_project_mcp_settings(
     project_id: UUID,
     settings: list[MCPSettings],
-    current_user: Annotated[User, Depends(get_current_active_user)],
+    current_user: CurrentActiveMCPUser,
 ):
     """Update the MCP settings of all flows in a project."""
     try:
@@ -329,7 +324,7 @@ async def install_mcp_config(
     project_id: UUID,
     body: MCPInstallRequest,
     request: Request,
-    current_user: Annotated[User, Depends(get_current_active_user)],
+    current_user: CurrentActiveMCPUser,
 ):
     """Install MCP server configuration for Cursor or Claude."""
     # Check if the request is coming from a local IP address
@@ -452,7 +447,7 @@ async def install_mcp_config(
 @router.get("/{project_id}/installed")
 async def check_installed_mcp_servers(
     project_id: UUID,
-    current_user: Annotated[User, Depends(get_current_active_user)],
+    current_user: CurrentActiveMCPUser,
 ):
     """Check if MCP server configuration is installed for this project in Cursor or Claude."""
     try:

src/backend/base/langflow/services/auth/utils.py

@@ -31,6 +31,12 @@
 api_key_header = APIKeyHeader(name=API_KEY_NAME, scheme_name="API key header", auto_error=False)
 
 MINIMUM_KEY_LENGTH = 32
+AUTO_LOGIN_WARNING = "In v1.6 LANGFLOW_SKIP_AUTH_AUTO_LOGIN will be removed. Please update your authentication method."
+AUTO_LOGIN_ERROR = (
+    "Since v1.5, LANGFLOW_AUTO_LOGIN requires a valid API key. "
+    "Set LANGFLOW_SKIP_AUTH_AUTO_LOGIN=true to skip this check. "
+    "Please update your authentication method."
+)
 
 
 # Source: https://github.com/mrtolkien/fastapi_simple_security/blob/master/fastapi_simple_security/security_api_key.py
@@ -49,19 +55,16 @@ async def api_key_security(
                     status_code=status.HTTP_400_BAD_REQUEST,
                     detail="Missing first superuser credentials",
                 )
-            warnings.warn(
-                (
-                    "In v1.5, the default behavior of AUTO_LOGIN authentication will change to require a valid API key"
-                    " or JWT. If you integrated with Langflow prior to v1.5, make sure to update your code to pass an "
-                    "API key or JWT when authenticating with protected endpoints."
-                ),
-                DeprecationWarning,
-                stacklevel=2,
-            )
-            if query_param or header_param:
-                result = await check_key(db, query_param or header_param)
-            else:
-                result = await get_user_by_username(db, settings_service.auth_settings.SUPERUSER)
+            if not query_param and not header_param:
+                if settings_service.auth_settings.skip_auth_auto_login:
+                    result = await get_user_by_username(db, settings_service.auth_settings.SUPERUSER)
+                    logger.warning(AUTO_LOGIN_WARNING)
+                else:
+                    raise HTTPException(
+                        status_code=status.HTTP_403_FORBIDDEN,
+                        detail=AUTO_LOGIN_ERROR,
+                    )
+            result = await check_key(db, query_param or header_param)
 
         elif not query_param and not header_param:
             raise HTTPException(
@@ -98,15 +101,17 @@ async def ws_api_key_security(
                     code=status.WS_1011_INTERNAL_ERROR,
                     reason="Missing first superuser credentials",
                 )
-            warnings.warn(
-                ("In v1.5, AUTO_LOGIN will *require* a valid API key or JWT. Please update your clients accordingly."),
-                DeprecationWarning,
-                stacklevel=2,
-            )
-            if api_key:
-                result = await check_key(db, api_key)
+            if not api_key:
+                if settings.auth_settings.skip_auth_auto_login:
+                    result = await get_user_by_username(db, settings.auth_settings.SUPERUSER)
+                    logger.warning(AUTO_LOGIN_WARNING)
+                else:
+                    raise WebSocketException(
+                        code=status.WS_1008_POLICY_VIOLATION,
+                        reason=AUTO_LOGIN_ERROR,
+                    )
             else:
-                result = await get_user_by_username(db, settings.auth_settings.SUPERUSER)
+                result = await check_key(db, api_key)
 
         # normal path: must provide an API key
         else:
@@ -473,3 +478,81 @@ def decrypt_api_key(encrypted_api_key: str, settings_service: SettingsService):
             )
             return fernet.decrypt(encrypted_api_key).decode()
     return ""
+
+
+# MCP-specific authentication functions that always behave as if skip_auth_auto_login is True
+async def get_current_user_mcp(
+    token: Annotated[str, Security(oauth2_login)],
+    query_param: Annotated[str, Security(api_key_query)],
+    header_param: Annotated[str, Security(api_key_header)],
+    db: Annotated[AsyncSession, Depends(get_session)],
+) -> User:
+    """MCP-specific user authentication that always allows fallback to username lookup.
+
+    This function provides authentication for MCP endpoints with special handling:
+    - If a JWT token is provided, it uses standard JWT authentication
+    - If no API key is provided and AUTO_LOGIN is enabled, it falls back to
+      username lookup using the configured superuser credentials
+    - Otherwise, it validates the provided API key (from query param or header)
+    """
+    if token:
+        return await get_current_user_by_jwt(token, db)
+
+    # MCP-specific authentication logic - always behaves as if skip_auth_auto_login is True
+    settings_service = get_settings_service()
+    result: ApiKey | User | None
+
+    if settings_service.auth_settings.AUTO_LOGIN:
+        # Get the first user
+        if not settings_service.auth_settings.SUPERUSER:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Missing first superuser credentials",
+            )
+        if not query_param and not header_param:
+            # For MCP endpoints, always fall back to username lookup when no API key is provided
+            result = await get_user_by_username(db, settings_service.auth_settings.SUPERUSER)
+            if result:
+                logger.warning(AUTO_LOGIN_WARNING)
+                return result
+        else:
+            result = await check_key(db, query_param or header_param)
+
+    elif not query_param and not header_param:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="An API key must be passed as query or header",
+        )
+
+    elif query_param:
+        result = await check_key(db, query_param)
+
+    else:
+        result = await check_key(db, header_param)
+
+    if not result:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Invalid or missing API key",
+        )
+
+    # If result is a User, return it directly
+    if isinstance(result, User):
+        return result
+
+    # If result is an ApiKey, we need to get the associated user
+    # This should not happen in normal flow, but adding for completeness
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="Invalid authentication result",
+    )
+
+
+async def get_current_active_user_mcp(current_user: Annotated[User, Depends(get_current_user_mcp)]):
+    """MCP-specific active user dependency.
+
+    This dependency is temporary and will be removed once MCP is fully integrated.
+    """
+    if not current_user.is_active:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Inactive user")
+    return current_user

src/backend/base/langflow/services/settings/auth.py

@@ -50,6 +50,10 @@ class AuthSettings(BaseSettings):
     COOKIE_DOMAIN: str | None = None
     """The domain attribute of the cookies. If None, the domain is not set."""
 
+    skip_auth_auto_login: bool = True
+    """If True, the application will skip the authentication auto login, set this to False to revert to pre-v1.5
+    behavior. This will be removed in v1.6"""
+
     pwd_context: CryptContext = CryptContext(schemes=["bcrypt"], deprecated="auto")
 
     model_config = SettingsConfigDict(validate_assignment=True, extra="ignore", env_prefix="LANGFLOW_")

src/frontend/tests/core/integrations/starter-projects.spec.ts

@@ -1,11 +1,36 @@
 import { expect, test } from "@playwright/test";
 import { awaitBootstrapTest } from "../../utils/await-bootstrap-test";
 
+// Helper function to get JWT token for API requests
+async function getAuthToken(request: any) {
+  const formData = new URLSearchParams();
+  formData.append("username", "langflow");
+  formData.append("password", "langflow");
+
+  const loginResponse = await request.post("/api/v1/login", {
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+    },
+    data: formData.toString(),
+  });
+
+  expect(loginResponse.status()).toBe(200);
+  const tokenData = await loginResponse.json();
+  return tokenData.access_token;
+}
+
 test(
   "vector store from starter projects should have its connections and nodes on the flow",
   { tag: ["@release", "@starter-projects"] },
   async ({ page, request }) => {
-    const response = await request.get("/api/v1/starter-projects");
+    // Get authentication token
+    const authToken = await getAuthToken(request);
+
+    const response = await request.get("/api/v1/starter-projects", {
+      headers: {
+        Authorization: `Bearer ${authToken}`,
+      },
+    });
     expect(response.status()).toBe(200);
     const responseBody = await response.json();
 
@@ -18,7 +43,13 @@ test(
     await page.route("**/api/v1/flows/", async (route) => {
       if (route.request().method() === "GET") {
         try {
-          const response = await route.fetch();
+          // Add authorization header to the request
+          const headers = route.request().headers();
+          headers["Authorization"] = `Bearer ${authToken}`;
+
+          const response = await route.fetch({
+            headers: headers,
+          });
           const flowsData = await response.json();
 
           const modifiedFlows = flowsData.map((flow) => {