langchain-ai · mkorpela · Apr 12, 2024 · Apr 4, 2024 · Apr 5, 2024 · Apr 7, 2024
diff --git a/API.md b/API.md
@@ -7,6 +7,9 @@ For full API documentation, see [localhost:8100/docs](localhost:8100/docs) after
 
 If you want to see the API docs before deployment, check out the [hosted docs here](https://opengpts-example-vz4y4ooboq-uc.a.run.app/docs).
 
+In the examples below, cookies are used as a mock auth method. For production, we recommend using JWT auth. Refer to the [auth guide for production](auth.md) for more information.
+When using JWT auth, you will need to include the JWT in the `Authorization` header as a Bearer token.
+
 ## Create an Assistant
 
 First, let's use the API to create an assistant. 
@@ -20,7 +23,7 @@ requests.post('http://127.0.0.1:8100/assistants', json={
   "public": True
 }, cookies= {"opengpts_user_id": "foo"}).content
 ```
-This is creating an assistant with name `"bar"`, with default configuration, that is public, and is associated with user `"foo"` (we are using cookies as a mock auth method).
+This is creating an assistant with name `"bar"`, with default configuration, that is public, and is associated with user `"foo"`.
 
 This should return something like:
 

diff --git a/README.md b/README.md
@@ -31,6 +31,7 @@ Because this is open source, if you do not like those architectures or want to m
 
 - [GPTs: a simple hosted version](https://opengpts-example-vz4y4ooboq-uc.a.run.app/)
 - [Assistants API: a getting started guide](API.md)
+- [Auth: a guide for production](auth.md)
 
 ## Quickstart with Docker
 

diff --git a/auth.md b/auth.md
@@ -0,0 +1,51 @@
+# Auth
+
+By default, we're using cookies as a mock auth method. It's for trying out OpenGPTs.
+For production, we recommend using JWT auth, outlined below.
+
+## JWT Auth: Options
+
+There are two ways to use JWT: Local and OIDC. The main difference is in how the key
+used to decode the JWT is obtained. For the Local method, you'll provide the decode
+key as a Base64-encoded string in an environment variable. For the OIDC method, the
+key is obtained from the OIDC provider automatically.
+
+### JWT OIDC
+
+If you're looking to integrate with an identity provider, OIDC is the way to go.
+It will figure out the decode key for you, so you don't have to worry about it.
+Just set `AUTH_TYPE=jwt_oidc` along with the issuer and audience. Audience can
+be one or many - just separate them with commas.
+
+```bash
+export AUTH_TYPE=jwt_oidc
+export JWT_ISS=<issuer>
+export JWT_AUD=<audience>  # or <audience1>,<audience2>,...
+```
+
+### JWT Local
+
+To use JWT Local, set `AUTH_TYPE=jwt_local`. Then, set the issuer, audience,
+algorithm used to sign the JWT, and the decode key in Base64 format.
+
+```bash
+export AUTH_TYPE=jwt_local
+export JWT_ISS=<issuer>
+export JWT_AUD=<audience>
+export JWT_ALG=<algorithm>  # e.g. ES256
+export JWT_DECODE_KEY_B64=<base64_decode_key>
+```
+
+Base64 is used for the decode key because handling multiline strings in environment
+variables is error-prone. Base64 makes it a one-liner, easy to paste in and use.
+
+
+## Making Requests
+
+To make authenticated requests, include the JWT in the `Authorization` header as a Bearer token:
+
+```
+Authorization: Bearer <JWT>
+```
+
+
diff --git a/backend/app/api/assistants.py b/backend/app/api/assistants.py
@@ -5,7 +5,8 @@
 from pydantic import BaseModel, Field
 
 import app.storage as storage
-from app.schema import Assistant, OpengptsUserId
+from app.auth.handlers import AuthedUser
+from app.schema import Assistant
 
 router = APIRouter()
 
@@ -24,9 +25,9 @@ class AssistantPayload(BaseModel):
 
 
 @router.get("/")
-async def list_assistants(opengpts_user_id: OpengptsUserId) -> List[Assistant]:
+async def list_assistants(user: AuthedUser) -> List[Assistant]:
     """List all assistants for the current user."""
-    return await storage.list_assistants(opengpts_user_id)
+    return await storage.list_assistants(user["user_id"])
 
 
 @router.get("/public/")
@@ -43,24 +44,24 @@ async def list_public_assistants(
 
 @router.get("/{aid}")
 async def get_assistant(
-    opengpts_user_id: OpengptsUserId,
+    user: AuthedUser,
     aid: AssistantID,
 ) -> Assistant:
     """Get an assistant by ID."""
-    assistant = await storage.get_assistant(opengpts_user_id, aid)
+    assistant = await storage.get_assistant(user["user_id"], aid)
     if not assistant:
         raise HTTPException(status_code=404, detail="Assistant not found")
     return assistant
 
 
 @router.post("")
 async def create_assistant(
-    opengpts_user_id: OpengptsUserId,
+    user: AuthedUser,
     payload: AssistantPayload,
 ) -> Assistant:
     """Create an assistant."""
     return await storage.put_assistant(
-        opengpts_user_id,
+        user["user_id"],
         str(uuid4()),
         name=payload.name,
         config=payload.config,
@@ -70,13 +71,13 @@ async def create_assistant(
 
 @router.put("/{aid}")
 async def upsert_assistant(
-    opengpts_user_id: OpengptsUserId,
+    user: AuthedUser,
     aid: AssistantID,
     payload: AssistantPayload,
 ) -> Assistant:
     """Create or update an assistant."""
     return await storage.put_assistant(
-        opengpts_user_id,
+        user["user_id"],
         aid,
         name=payload.name,
         config=payload.config,

diff --git a/backend/app/api/runs.py b/backend/app/api/runs.py
@@ -13,7 +13,7 @@
 from sse_starlette import EventSourceResponse
 
 from app.agent import agent
-from app.schema import OpengptsUserId
+from app.auth.handlers import AuthedUser
 from app.storage import get_assistant, get_thread
 from app.stream import astream_messages, to_sse
 
@@ -30,14 +30,12 @@ class CreateRunPayload(BaseModel):
     config: Optional[RunnableConfig] = None
 
 
-async def _run_input_and_config(
-    payload: CreateRunPayload, opengpts_user_id: OpengptsUserId
-):
-    thread = await get_thread(opengpts_user_id, payload.thread_id)
+async def _run_input_and_config(payload: CreateRunPayload, user_id: str):
+    thread = await get_thread(user_id, payload.thread_id)
     if not thread:
         raise HTTPException(status_code=404, detail="Thread not found")
 
-    assistant = await get_assistant(opengpts_user_id, str(thread["assistant_id"]))
+    assistant = await get_assistant(user_id, str(thread["assistant_id"]))
     if not assistant:
         raise HTTPException(status_code=404, detail="Assistant not found")
 
@@ -46,7 +44,7 @@ async def _run_input_and_config(
         "configurable": {
             **assistant["config"]["configurable"],
             **((payload.config or {}).get("configurable") or {}),
-            "user_id": opengpts_user_id,
+            "user_id": user_id,
             "thread_id": str(thread["thread_id"]),
             "assistant_id": str(assistant["assistant_id"]),
         },
@@ -67,22 +65,22 @@ async def _run_input_and_config(
 @router.post("")
 async def create_run(
     payload: CreateRunPayload,
-    opengpts_user_id: OpengptsUserId,
+    user: AuthedUser,
     background_tasks: BackgroundTasks,
 ):
     """Create a run."""
-    input_, config = await _run_input_and_config(payload, opengpts_user_id)
+    input_, config = await _run_input_and_config(payload, user["user_id"])
     background_tasks.add_task(agent.ainvoke, input_, config)
     return {"status": "ok"}  # TODO add a run id
 
 
 @router.post("/stream")
 async def stream_run(
     payload: CreateRunPayload,
-    opengpts_user_id: OpengptsUserId,
+    user: AuthedUser,
 ):
     """Create a run."""
-    input_, config = await _run_input_and_config(payload, opengpts_user_id)
+    input_, config = await _run_input_and_config(payload, user["user_id"])
 
     return EventSourceResponse(to_sse(astream_messages(agent, input_, config)))
 

diff --git a/backend/app/api/threads.py b/backend/app/api/threads.py
@@ -1,3 +1,4 @@
+import asyncio
 from typing import Annotated, Any, Dict, List, Sequence, Union
 from uuid import uuid4
 
@@ -6,7 +7,8 @@
 from pydantic import BaseModel, Field
 
 import app.storage as storage
-from app.schema import OpengptsUserId, Thread
+from app.auth.handlers import AuthedUser
+from app.schema import Thread
 
 router = APIRouter()
 
@@ -28,59 +30,74 @@ class ThreadPostRequest(BaseModel):
 
 
 @router.get("/")
-async def list_threads(opengpts_user_id: OpengptsUserId) -> List[Thread]:
+async def list_threads(user: AuthedUser) -> List[Thread]:
     """List all threads for the current user."""
-    return await storage.list_threads(opengpts_user_id)
+    return await storage.list_threads(user["user_id"])
 
 
 @router.get("/{tid}/state")
 async def get_thread_state(
-    opengpts_user_id: OpengptsUserId,
+    user: AuthedUser,
     tid: ThreadID,
 ):
     """Get state for a thread."""
-    return await storage.get_thread_state(opengpts_user_id, tid)
+    thread, state = await asyncio.gather(
+        storage.get_thread(user["user_id"], tid),
+        storage.get_thread_state(user["user_id"], tid),
+    )
+    if not thread:
+        raise HTTPException(status_code=404, detail="Thread not found")
+    return state
 
 
 @router.post("/{tid}/state")
 async def add_thread_state(
-    opengpts_user_id: OpengptsUserId,
+    user: AuthedUser,
     tid: ThreadID,
     payload: ThreadPostRequest,
 ):
     """Add state to a thread."""
-    return await storage.update_thread_state(opengpts_user_id, tid, payload.values)
+    thread = await storage.get_thread(user["user_id"], tid)
+    if not thread:
+        raise HTTPException(status_code=404, detail="Thread not found")
+    return await storage.update_thread_state(user["user_id"], tid, payload.values)
 
 
 @router.get("/{tid}/history")
 async def get_thread_history(
-    opengpts_user_id: OpengptsUserId,
+    user: AuthedUser,
     tid: ThreadID,
 ):
     """Get all past states for a thread."""
-    return await storage.get_thread_history(opengpts_user_id, tid)
+    thread, history = await asyncio.gather(
+        storage.get_thread(user["user_id"], tid),
+        storage.get_thread_history(user["user_id"], tid),
+    )
+    if not thread:
+        raise HTTPException(status_code=404, detail="Thread not found")
+    return history
 
 
 @router.get("/{tid}")
 async def get_thread(
-    opengpts_user_id: OpengptsUserId,
+    user: AuthedUser,
     tid: ThreadID,
 ) -> Thread:
     """Get a thread by ID."""
-    thread = await storage.get_thread(opengpts_user_id, tid)
+    thread = await storage.get_thread(user["user_id"], tid)
     if not thread:
         raise HTTPException(status_code=404, detail="Thread not found")
     return thread
 
 
 @router.post("")
 async def create_thread(
-    opengpts_user_id: OpengptsUserId,
+    user: AuthedUser,
     thread_put_request: ThreadPutRequest,
 ) -> Thread:
     """Create a thread."""
     return await storage.put_thread(
-        opengpts_user_id,
+        user["user_id"],
         str(uuid4()),
         assistant_id=thread_put_request.assistant_id,
         name=thread_put_request.name,
@@ -89,13 +106,13 @@ async def create_thread(
 
 @router.put("/{tid}")
 async def upsert_thread(
-    opengpts_user_id: OpengptsUserId,
+    user: AuthedUser,
     tid: ThreadID,
     thread_put_request: ThreadPutRequest,
 ) -> Thread:
     """Update a thread."""
     return await storage.put_thread(
-        opengpts_user_id,
+        user["user_id"],
         tid,
         assistant_id=thread_put_request.assistant_id,
         name=thread_put_request.name,

diff --git a/backend/app/auth/__init__.py b/backend/app/auth/__init__.py