LightRAG/lightrag/api/auth.py

import os
from datetime import datetime, timedelta
import jwt
from fastapi import HTTPException, status
from pydantic import BaseModel
from dotenv import load_dotenv

load_dotenv()


class TokenPayload(BaseModel):
    sub: str  # Username
    exp: datetime  # Expiration time
    role: str = "user"  # User role, default is regular user
    metadata: dict = {}  # Additional metadata


class AuthHandler:
    def __init__(self):
        self.secret = os.getenv("TOKEN_SECRET", "4f85ds4f56dsf46")
        self.algorithm = "HS256"
        self.expire_hours = int(os.getenv("TOKEN_EXPIRE_HOURS", 4))
        self.guest_expire_hours = int(os.getenv("GUEST_TOKEN_EXPIRE_HOURS", 2))
        
        self.accounts = {}
        auth_accounts = os.getenv("AUTH_ACCOUNTS")
        if auth_accounts:
            for account in auth_accounts.split(','):
                username, password = account.split(':', 1)
                self.accounts[username] = password

    def create_token(
        self,
        username: str,
        role: str = "user",
        custom_expire_hours: int = None,
        metadata: dict = None,
    ) -> str:
        """
        Create JWT token

        Args:
            username: Username
            role: User role, default is "user", guest is "guest"
            custom_expire_hours: Custom expiration time (hours), if None use default value
            metadata: Additional metadata

        Returns:
            str: Encoded JWT token
        """
        # Choose default expiration time based on role
        if custom_expire_hours is None:
            if role == "guest":
                expire_hours = self.guest_expire_hours
            else:
                expire_hours = self.expire_hours
        else:
            expire_hours = custom_expire_hours

        expire = datetime.utcnow() + timedelta(hours=expire_hours)

        # Create payload
        payload = TokenPayload(
            sub=username, exp=expire, role=role, metadata=metadata or {}
        )

        return jwt.encode(payload.dict(), self.secret, algorithm=self.algorithm)

    def validate_token(self, token: str) -> dict:
        """
        Validate JWT token

        Args:
            token: JWT token

        Returns:
            dict: Dictionary containing user information

        Raises:
            HTTPException: If token is invalid or expired
        """
        try:
            payload = jwt.decode(token, self.secret, algorithms=[self.algorithm])
            expire_timestamp = payload["exp"]
            expire_time = datetime.utcfromtimestamp(expire_timestamp)

            if datetime.utcnow() > expire_time:
                raise HTTPException(
                    status_code=status.HTTP_401_UNAUTHORIZED, detail="Token expired"
                )

            # Return complete payload instead of just username
            return {
                "username": payload["sub"],
                "role": payload.get("role", "user"),
                "metadata": payload.get("metadata", {}),
                "exp": expire_time,
            }
        except jwt.PyJWTError:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token"
            )


auth_handler = AuthHandler()
feat(api): Add user authentication functionality - Implement JWT-based user authentication logic - Add login endpoint and token validation middleware - Update API routes with authentication dependencies - Add authentication-related environment variables - Optimize requirements.txt with necessary dependencies 2025-03-05 11:09:31 +08:00			`import os`
			`from datetime import datetime, timedelta`
			`import jwt`
			`from fastapi import HTTPException, status`
			`from pydantic import BaseModel`
Prioritize OS environment variables over .env file to improve Docker compatibility for the server 2025-03-21 13:27:12 +08:00			`from dotenv import load_dotenv`
feat(api): Add user authentication functionality - Implement JWT-based user authentication logic - Add login endpoint and token validation middleware - Update API routes with authentication dependencies - Add authentication-related environment variables - Optimize requirements.txt with necessary dependencies 2025-03-05 11:09:31 +08:00
Prioritize OS environment variables over .env file to improve Docker compatibility for the server 2025-03-21 13:27:12 +08:00			`load_dotenv()`
feat(api): Add user authentication functionality - Implement JWT-based user authentication logic - Add login endpoint and token validation middleware - Update API routes with authentication dependencies - Add authentication-related environment variables - Optimize requirements.txt with necessary dependencies 2025-03-05 11:09:31 +08:00
Fixlinting 2025-03-21 16:56:47 +08:00
feat(api): Add user authentication functionality - Implement JWT-based user authentication logic - Add login endpoint and token validation middleware - Update API routes with authentication dependencies - Add authentication-related environment variables - Optimize requirements.txt with necessary dependencies 2025-03-05 11:09:31 +08:00			`class TokenPayload(BaseModel):`
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`sub: str # Username`
			`exp: datetime # Expiration time`
			`role: str = "user" # User role, default is regular user`
			`metadata: dict = {} # Additional metadata`
feat(api): Add user authentication functionality - Implement JWT-based user authentication logic - Add login endpoint and token validation middleware - Update API routes with authentication dependencies - Add authentication-related environment variables - Optimize requirements.txt with necessary dependencies 2025-03-05 11:09:31 +08:00

			`class AuthHandler:`
			`def __init__(self):`
			`self.secret = os.getenv("TOKEN_SECRET", "4f85ds4f56dsf46")`
			`self.algorithm = "HS256"`
			`self.expire_hours = int(os.getenv("TOKEN_EXPIRE_HOURS", 4))`
feat(auth): Implement multi-user login support - Add an `accounts` dictionary in `AuthHandler` to store multiple user account information. - Modify login logic to support multiple user account verification. - Update environment variable example, add description for `AUTH_ACCOUNTS` variable. - Adjust authentication status check logic, use `auth_handler.accounts` to determine if authentication is configured. 2025-03-24 14:34:31 +08:00			`self.guest_expire_hours = int(os.getenv("GUEST_TOKEN_EXPIRE_HOURS", 2))`

			`self.accounts = {}`
			`auth_accounts = os.getenv("AUTH_ACCOUNTS")`
			`if auth_accounts:`
			`for account in auth_accounts.split(','):`
			`username, password = account.split(':', 1)`
			`self.accounts[username] = password`
feat(api): Add user authentication functionality - Implement JWT-based user authentication logic - Add login endpoint and token validation middleware - Update API routes with authentication dependencies - Add authentication-related environment variables - Optimize requirements.txt with necessary dependencies 2025-03-05 11:09:31 +08:00
Fix linting 2025-03-18 03:30:43 +08:00			`def create_token(`
			`self,`
			`username: str,`
			`role: str = "user",`
			`custom_expire_hours: int = None,`
			`metadata: dict = None,`
			`) -> str:`
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`"""`
			`Create JWT token`
Fix linting 2025-03-18 03:30:43 +08:00
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`Args:`
			`username: Username`
			`role: User role, default is "user", guest is "guest"`
			`custom_expire_hours: Custom expiration time (hours), if None use default value`
			`metadata: Additional metadata`
Fix linting 2025-03-18 03:30:43 +08:00
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`Returns:`
			`str: Encoded JWT token`
			`"""`
			`# Choose default expiration time based on role`
			`if custom_expire_hours is None:`
			`if role == "guest":`
			`expire_hours = self.guest_expire_hours`
			`else:`
			`expire_hours = self.expire_hours`
			`else:`
			`expire_hours = custom_expire_hours`
Fix linting 2025-03-18 03:30:43 +08:00
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`expire = datetime.utcnow() + timedelta(hours=expire_hours)`
Fix linting 2025-03-18 03:30:43 +08:00
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`# Create payload`
			`payload = TokenPayload(`
Fix linting 2025-03-18 03:30:43 +08:00			`sub=username, exp=expire, role=role, metadata=metadata or {}`
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`)`
Fix linting 2025-03-18 03:30:43 +08:00
feat(api): Add user authentication functionality - Implement JWT-based user authentication logic - Add login endpoint and token validation middleware - Update API routes with authentication dependencies - Add authentication-related environment variables - Optimize requirements.txt with necessary dependencies 2025-03-05 11:09:31 +08:00			`return jwt.encode(payload.dict(), self.secret, algorithm=self.algorithm)`

feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`def validate_token(self, token: str) -> dict:`
			`"""`
			`Validate JWT token`
Fix linting 2025-03-18 03:30:43 +08:00
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`Args:`
			`token: JWT token`
Fix linting 2025-03-18 03:30:43 +08:00
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`Returns:`
			`dict: Dictionary containing user information`
Fix linting 2025-03-18 03:30:43 +08:00
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`Raises:`
			`HTTPException: If token is invalid or expired`
			`"""`
feat(api): Add user authentication functionality - Implement JWT-based user authentication logic - Add login endpoint and token validation middleware - Update API routes with authentication dependencies - Add authentication-related environment variables - Optimize requirements.txt with necessary dependencies 2025-03-05 11:09:31 +08:00			`try:`
			`payload = jwt.decode(token, self.secret, algorithms=[self.algorithm])`
			`expire_timestamp = payload["exp"]`
			`expire_time = datetime.utcfromtimestamp(expire_timestamp)`

			`if datetime.utcnow() > expire_time:`
			`raise HTTPException(`
refactor(api): Fix issues reported by pre-commit - Modified code layout and formatting in multiple files, improving code readability. - Updated import statements, removing unused libraries. - Simplified the writing of some functions and exception handling. 2025-03-06 14:23:52 +08:00			`status_code=status.HTTP_401_UNAUTHORIZED, detail="Token expired"`
feat(api): Add user authentication functionality - Implement JWT-based user authentication logic - Add login endpoint and token validation middleware - Update API routes with authentication dependencies - Add authentication-related environment variables - Optimize requirements.txt with necessary dependencies 2025-03-05 11:09:31 +08:00			`)`
Fix linting 2025-03-18 03:30:43 +08:00
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`# Return complete payload instead of just username`
			`return {`
			`"username": payload["sub"],`
			`"role": payload.get("role", "user"),`
			`"metadata": payload.get("metadata", {}),`
Fix linting 2025-03-18 03:30:43 +08:00			`"exp": expire_time,`
feat(auth): implement auto guest mode and enhance token system - Add role-based token system with metadata support - Implement automatic guest mode for unconfigured authentication - Create new /auth-status endpoint for authentication status checking - Modify frontend to auto-detect auth status and bypass login when appropriate - Add guest mode indicator in site header for better UX This change allows users to automatically access the system without manual login when authentication is not configured, while maintaining secure authentication when credentials are properly set up. 2025-03-18 02:56:02 +08:00			`}`
feat(api): Add user authentication functionality - Implement JWT-based user authentication logic - Add login endpoint and token validation middleware - Update API routes with authentication dependencies - Add authentication-related environment variables - Optimize requirements.txt with necessary dependencies 2025-03-05 11:09:31 +08:00			`except jwt.PyJWTError:`
			`raise HTTPException(`
refactor(api): Fix issues reported by pre-commit - Modified code layout and formatting in multiple files, improving code readability. - Updated import statements, removing unused libraries. - Simplified the writing of some functions and exception handling. 2025-03-06 14:23:52 +08:00			`status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token"`
feat(api): Add user authentication functionality - Implement JWT-based user authentication logic - Add login endpoint and token validation middleware - Update API routes with authentication dependencies - Add authentication-related environment variables - Optimize requirements.txt with necessary dependencies 2025-03-05 11:09:31 +08:00			`)`


			`auth_handler = AuthHandler()`