catch invalidtoken error

langflow-ai · jordanrfrazier · Aug 25, 2025 · Aug 22, 2025 · Aug 22, 2025 · Aug 22, 2025
commit 7cbed8296d99faa7ba404d41b296cae49bc4d0b3
diff --git a/src/backend/base/langflow/services/auth/mcp_encryption.py b/src/backend/base/langflow/services/auth/mcp_encryption.py
@@ -2,6 +2,7 @@
 
 from typing import Any
 
+from cryptography.fernet import InvalidToken
 from loguru import logger
 
 from langflow.services.auth import utils as auth_utils
@@ -38,7 +39,7 @@ def encrypt_auth_settings(auth_settings: dict[str, Any] | None) -> dict[str, Any
                     auth_utils.decrypt_api_key(encrypted_settings[field], settings_service)
                     # If decrypt succeeds, it's already encrypted
                     logger.debug(f"Field {field} is already encrypted")
-                except (ValueError, TypeError, KeyError):
+                except (ValueError, TypeError, KeyError, InvalidToken):
                     # If decrypt fails, the value is plaintext and needs encryption
                     encrypted_value = auth_utils.encrypt_api_key(encrypted_settings[field], settings_service)
                     encrypted_settings[field] = encrypted_value
@@ -71,7 +72,7 @@ def decrypt_auth_settings(auth_settings: dict[str, Any] | None) -> dict[str, Any
                 decrypted_value = auth_utils.decrypt_api_key(decrypted_settings[field], settings_service)
                 decrypted_settings[field] = decrypted_value
                 logger.debug(f"Decrypted field {field}")
-            except (ValueError, TypeError, KeyError) as e:
+            except (ValueError, TypeError, KeyError, InvalidToken) as e:
                 # If decryption fails, assume the value is already plaintext
                 # This handles backward compatibility with existing unencrypted data
                 logger.debug(f"Field {field} appears to be plaintext or decryption failed: {e}")
@@ -96,7 +97,7 @@ def is_encrypted(value: str) -> bool:
     try:
         # Try to decrypt - if it succeeds, it's encrypted
         auth_utils.decrypt_api_key(value, settings_service)
-    except (ValueError, TypeError, KeyError):
+    except (ValueError, TypeError, KeyError, InvalidToken):
         # If decryption fails, it's not encrypted
         return False
     else:

diff --git a/src/backend/tests/unit/services/auth/test_mcp_encryption.py b/src/backend/tests/unit/services/auth/test_mcp_encryption.py
@@ -14,16 +14,19 @@
 @pytest.fixture
 def mock_settings_service():
     """Mock settings service for testing."""
     from cryptography.fernet import Fernet
+    import base64
 
     mock_service = Mock()
-    # Generate a valid Fernet key
-    valid_key = Fernet.generate_key().decode()
-
-    # Create a SecretStr mock
-    secret_key_mock = Mock(spec=SecretStr)
-    secret_key_mock.get_secret_value.return_value = valid_key
-    mock_service.auth_settings.SECRET_KEY = secret_key_mock
+    # Generate a valid Fernet key that's already properly formatted
+    # Fernet.generate_key() returns a URL-safe base64-encoded 32-byte key
+    valid_key = Fernet.generate_key()
+    # Decode it to string for storage
+    valid_key_str = valid_key.decode('utf-8')
+
+    # Create a proper SecretStr object
+    secret_key_obj = SecretStr(valid_key_str)
+    mock_service.auth_settings.SECRET_KEY = secret_key_obj
     return mock_service
 
 
@@ -117,15 +120,15 @@
         mock_get_settings.return_value = mock_settings_service
 
         partial_settings = {
-            "auth_type": "basic",
-            "password": "my-password",
+            "auth_type": "api",
+            "api_key": "sk-test-api-key-123",
             "username": "admin",
         }
 
         encrypted = encrypt_auth_settings(partial_settings)
 
-        # Password should be encrypted
-        assert encrypted["password"] != partial_settings["password"]
+        # API key should be encrypted
+        assert encrypted["api_key"] != partial_settings["api_key"]
 
         # Other fields unchanged
         assert encrypted["auth_type"] == partial_settings["auth_type"]