Merge branch 'main' into fix/upgrade-sometimes-happen-before-connect

.github/workflows/ci.yaml

@@ -4,9 +4,9 @@ on:
   workflow_call:
   workflow_dispatch:
   pull_request:
-    branches: [main, dev]
+    branches: [main, dev, 'release/**']
   push:
-    branches: [main, dev]
+    branches: [main, dev, 'release/**']
 
 permissions: read-all
 

.github/workflows/publish.yaml

@@ -34,6 +34,9 @@ jobs:
         name: Install Python, poetry and Python dependencies
         with:
           poetry-working-directory: ${{ env.BACKEND_DIR }}
+      - name: Build Python distribution
+        run: poetry self add poetry-plugin-ignore-build-script && poetry build --ignore-build-script
+        working-directory: ${{ env.BACKEND_DIR }}
       - name: Publish package distributions to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:

CHANGELOG.md

@@ -4,6 +4,21 @@ All notable changes to Chainlit will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [1.3.1] - 2024-10-25
+
+### Security Advisory
+
+- **IMPORTANT**: This release temporarily reverts the file access security improvements from 1.3.0 to restore element functionality. The element feature currently has a known security vulnerability that could allow unauthorized access to files. We strongly recommend against using elements in production environments until the next release.
+- A comprehensive security fix using HTTP-only cookie authentication will be implemented in an upcoming release.
+
+### Changed
+
+- Reverted authentication requirements for file access endpoints to restore element functionality (#1474)
+
+### Development
+
+- Work in progress on implementing HTTP-only cookie authentication for proper security (#1472)
+
 ## [1.3.0] - 2024-10-22
 
 ### Security
@@ -44,6 +59,21 @@ override oauth prompt parameter. Enabling users to explicitly enable login/conse
 - Improved Python code style and linting (#1353)
 - Resolved various small text and documentation issues (#1347, #1348)
 
+## [2.0.dev2] - 2024-10-25
+
+### Security Advisory
+
+- **IMPORTANT**: This release temporarily reverts the file access security improvements from 2.0.dev1 to restore element functionality. The element feature currently has a known security vulnerability that could allow unauthorized access to files. We strongly recommend against using elements in production environments until the next release.
+- A comprehensive security fix using HTTP-only cookie authentication will be implemented in an upcoming release.
+
+### Changed
+
+- Reverted authentication requirements for file access endpoints to restore element functionality (#1474)
+
+### Development
+
+- Work in progress on implementing HTTP-only cookie authentication for proper security (#1472)
+
 ## [2.0.dev1] - 2024-10-22
 
 ### Added

backend/README.md

@@ -18,7 +18,7 @@ Chainlit is an open-source async Python framework which allows developers to bui
 
 Full documentation is available [here](https://docs.chainlit.io). You can ask Chainlit related questions to [Chainlit Help](https://help.chainlit.io/), an app built using Chainlit!
 
-> [!NOTE]  
+> [!NOTE]
 > Check out [Literal AI](https://literalai.com), our product to monitor and evaluate LLM applications! It works with any Python or TypeScript applications and [seamlessly](https://docs.chainlit.io/data-persistence/overview) with Chainlit by adding a `LITERAL_API_KEY` in your project.
 >
 > Chainlit is developed and maintained by the Literal AI team, which is currently focused on expanding the capabilities of Literal AI. While we continue to support and maintain Chainlit, we are also committed to enabling the community to contribute, particularly in areas like integrations and data layers.
@@ -43,7 +43,7 @@ If this opens the `hello app` in your browser, you're all set!
 The latest in-development version can be installed straight from GitHub with:
 
 ```sh
-pip install git+https://github.com/Chainlit/chainlit.git@dokterbob/build_frontend_on_poetry_build#subdirectory=backend/
+pip install git+https://github.com/Chainlit/chainlit.git#subdirectory=backend/
 ```
 
 (Requires Node and pnpm installed on the system.)

backend/chainlit/server.py

@@ -881,7 +881,7 @@ async def upload_file(
 async def get_file(
     file_id: str,
     session_id: str,
-    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
+    # current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)], #TODO: Causes 401 error. See https://github.com/Chainlit/chainlit/issues/1472
 ):
     """Get a file from the session files directory."""
 
@@ -895,12 +895,13 @@ async def get_file(
             detail="Unauthorized",
         )
 
-    if current_user:
-        if not session.user or session.user.identifier != current_user.identifier:
-            raise HTTPException(
-                status_code=401,
-                detail="You are not authorized to download files from this session",
-            )
+     #TODO: Causes 401 error. See https://github.com/Chainlit/chainlit/issues/1472
+    # if current_user:
+    #     if not session.user or session.user.identifier != current_user.identifier:
+    #         raise HTTPException(
+    #             status_code=401,
+    #             detail="You are not authorized to download files from this session",
+    #         )
 
     if file_id in session.files:
         file = session.files[file_id]

backend/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "chainlit"
-version = "2.0.dev1"
+version = "2.0.dev2"
 keywords = [
     'LLM',
     'Agents',
@@ -14,7 +14,7 @@ keywords = [
 ]
 description = "Build Conversational AI."
 authors = ["Willy Douhard", "Dan Andre Constantini"]
-license = " Apache-2.0"
+license = "Apache-2.0"
 homepage = "https://chainlit.io/"
 documentation = "https://docs.chainlit.io/"
 classifiers = [

frontend/src/components/atoms/elements/InlinedDataframeList.tsx

@@ -16,7 +16,7 @@ const InlinedDataframeList = ({ items }: Props) => (
           key={i}
           style={{
             height: 450,
-            maxWidth: '650px'
+            maxWidth: 'fit-content'
           }}
         >
           <DataframeElement element={element} />

libs/react-client/src/types/file.ts

@@ -22,4 +22,5 @@ export interface IAsk {
     timeout: number;
   } & FileSpec &
     ActionSpec;
+  parentId?: string;
 }

libs/react-client/src/useChatInteract.ts

@@ -118,6 +118,7 @@ const useChatInteract = () => {
   const replyMessage = useCallback(
     (message: IStep) => {
       if (askUser) {
+        if (askUser.parentId) message.parentId = askUser.parentId;
         setMessages((oldMessages) => addMessage(oldMessages, message));
         askUser.callback(message);
       }

libs/react-client/src/useChatSession.ts

@@ -273,7 +273,7 @@ const useChatSession = () => {
       );
 
       socket.on('ask', ({ msg, spec }, callback) => {
-        setAskUser({ spec, callback });
+        setAskUser({ spec, callback, parentId: msg.parentId });
         setMessages((oldMessages) => addMessage(oldMessages, msg));
 
         setLoading(false);

package.json

@@ -25,8 +25,7 @@
     "formatUi": "cd frontend && pnpm run format",
     "lintPython": "cd backend && poetry run mypy chainlit/ tests/",
     "formatPython": "black `git ls-files | grep '.py$'` && isort --profile=black .",
-    "buildUi": "cd libs/react-client && pnpm run build && cd ../copilot && pnpm run build && cd ../../frontend && pnpm run build",
-    "build": "pnpm run buildUi && (mkdir -p backend/chainlit/frontend && cp -R frontend/dist backend/chainlit/frontend) && (mkdir -p backend/chainlit/copilot && cp -R libs/copilot/dist backend/chainlit/copilot) && (cd backend && poetry build)"
+    "buildUi": "cd libs/react-client && pnpm run build && cd ../copilot && pnpm run build && cd ../../frontend && pnpm run build"
   },
   "pnpm": {
     "overrides": {