Merge branch 'main' into fix/agentflow-sdk-fix-duplicate-and-drag

Author: j-sanaa

.github/workflows/docker-image-ecr.yml

@@ -25,7 +25,7 @@ on:
                 default: 'latest'
 
 permissions:
-    contents: read  # Required for checkout
+    contents: read # Required for checkout
     id-token: write # Required for AWS OIDC
 
 jobs:

SECURITY.md

@@ -3,6 +3,7 @@
 At Flowise, we prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly. Your cooperation helps us better protect our platform and users.
 
 ### Scope
+
 -   Flowise Cloud: cloud.flowiseai.com
 -   Public Flowise Repositories
 
@@ -31,7 +32,6 @@ At Flowise, we prioritize security and continuously work to safeguard our system
 -   Known vulnerabilities in used libraries (unless exploitability can be proven)
 -   Static application security testing findings
 
-
 ### Reporting Guidelines
 
 -   Submit your findings to https://github.com/FlowiseAI/Flowise/security
@@ -46,9 +46,10 @@ At Flowise, we prioritize security and continuously work to safeguard our system
 
 ### Disclosure Terms
 
-The Flowise team believes that transparency is important and public bug bounty reports are a valuable source of knowledge for bug bounty researchers. However, the Flowise team may have legitimate reasons not to disclose vulnerabilities. 
+The Flowise team believes that transparency is important and public bug bounty reports are a valuable source of knowledge for bug bounty researchers. However, the Flowise team may have legitimate reasons not to disclose vulnerabilities.
 
 Do not discuss or disclose vulnerability information without prior written consent. If you plan on presenting your research, please share a draft with us at least 45 days in advance for review. Avoid including:
+
 -   Data from any Flowise customer projects
 -   Flowise user/customer information
 -   Details about Flowise employees, contractors, or partners
@@ -63,7 +64,7 @@ We will validate submissions within the below timelines.
 | Medium | 15 business days |
 | Low | 15 business days |
 
-Your report will be kept *confidential*, and your details will not be shared without your consent. The Flowise team will triage and adjust severity or CVSS score if necessary.
+Your report will be kept _confidential_, and your details will not be shared without your consent. The Flowise team will triage and adjust severity or CVSS score if necessary.
 We appreciate your efforts in helping us maintain a secure platform and look forward to working together to resolve any issues responsibly.
 
 ### Remediation
@@ -72,15 +73,16 @@ Once the report has been verified, the Flowise team will plan the remediation st
 Below is the estimated time to remediate the triaged security reports.
 
 | Triaged Severity | Estimated Time to Remediate |
-| ---------------------- | ---------------- |
-| Critical | 30 business days |
-| High | 60 business days |
-| Medium | 90 business days |
+| ---------------- | --------------------------- |
+| Critical         | 30 business days            |
+| High             | 60 business days            |
+| Medium           | 90 business days            |
 
 ### Public Disclosure Timeline
 
 Public Disclosure occurs exactly 30 days after the next official release that includes the security patch. This period gives Flowise users a time to adopt the patched version before technical vulnerability details are made public, mitigating the risk of immediate post-disclosure exploitation.
 
 #### Reaching out to the Security team
+
 To report a new vulnerability, please submit a Github security Security Advisory report.
-If you have any questions or concerns about the existing Security Advisory, please contact security-team@flowiseai.com.
+If you have any questions or concerns about the existing Security Advisory, please contact security-team@flowiseai.com.

packages/agentflow/package.json

@@ -44,10 +44,10 @@
         "*.css"
     ],
     "scripts": {
-        "build": "tsc && cross-env NODE_ENV=production vite build",
+        "build": "tsc && vite build",
         "clean": "rimraf dist",
-        "dev": "cross-env NODE_ENV=development vite",
-        "dev:example": "cross-env NODE_ENV=development vite --config examples/vite.config.ts",
+        "dev": "vite",
+        "dev:example": "vite --config examples/vite.config.ts",
         "format": "prettier --write \"{src,examples}/**/*.{ts,tsx,js,jsx,json,css,md}\"",
         "format:check": "prettier --check \"{src,examples}/**/*.{ts,tsx,js,jsx,json,css,md}\"",
         "lint": "eslint \"{src,examples/src}/**/*.{js,jsx,ts,tsx,json,md}\"",
@@ -89,7 +89,6 @@
         "eslint-plugin-simple-import-sort": "^12.0.0",
         "jest": "^29.7.0",
         "jest-environment-jsdom": "^29.7.0",
-        "cross-env": "^7.0.3",
         "rimraf": "^5.0.5",
         "ts-jest": "^29.3.2",
         "typescript": "^5.4.5",

packages/agentflow/vite.config.ts

@@ -3,59 +3,61 @@ import react from '@vitejs/plugin-react'
 import dts from 'vite-plugin-dts'
 import { resolve } from 'path'
 
-const isDev = process.env.NODE_ENV === 'development'
+export default defineConfig(({ mode }) => {
+    const isDev = mode === 'development'
 
-export default defineConfig({
-    plugins: [
-        react(),
-        dts({
-            insertTypesEntry: true,
-            include: ['src/**/*'],
-            exclude: ['src/**/*.test.ts', 'src/**/*.test.tsx', 'src/__test_utils__/**']
-        })
-    ],
-    resolve: {
-        alias: {
-            '@': resolve(__dirname, 'src')
-        }
-    },
-    build: {
-        lib: {
-            entry: resolve(__dirname, 'src/index.ts'),
-            name: 'FlowiseAgentflow',
-            formats: ['es', 'umd'],
-            fileName: (format) => `index.${format === 'es' ? 'js' : 'umd.js'}`
-        },
-        rollupOptions: {
-            external: [
-                'react',
-                'react-dom',
-                'react/jsx-runtime',
-                '@mui/material',
-                '@mui/material/styles',
-                '@mui/icons-material',
-                '@emotion/react',
-                '@emotion/styled',
-                'reactflow'
-            ],
-            output: {
-                globals: {
-                    react: 'React',
-                    'react-dom': 'ReactDOM',
-                    'react/jsx-runtime': 'jsxRuntime',
-                    '@mui/material': 'MaterialUI',
-                    '@mui/material/styles': 'MaterialUIStyles',
-                    '@emotion/react': 'emotionReact',
-                    '@emotion/styled': 'emotionStyled',
-                    reactflow: 'ReactFlow'
-                },
-                assetFileNames: (assetInfo) => {
-                    if (assetInfo.name === 'style.css') return 'flowise.css'
-                    return assetInfo.name || 'asset'
-                }
+    return {
+        plugins: [
+            react(),
+            dts({
+                insertTypesEntry: true,
+                include: ['src/**/*'],
+                exclude: ['src/**/*.test.ts', 'src/**/*.test.tsx', 'src/__test_utils__/**']
+            })
+        ],
+        resolve: {
+            alias: {
+                '@': resolve(__dirname, 'src')
             }
         },
-        cssCodeSplit: false,
-        sourcemap: isDev ? true : false
+        build: {
+            lib: {
+                entry: resolve(__dirname, 'src/index.ts'),
+                name: 'FlowiseAgentflow',
+                formats: ['es', 'umd'],
+                fileName: (format) => `index.${format === 'es' ? 'js' : 'umd.js'}`
+            },
+            rollupOptions: {
+                external: [
+                    'react',
+                    'react-dom',
+                    'react/jsx-runtime',
+                    '@mui/material',
+                    '@mui/material/styles',
+                    '@mui/icons-material',
+                    '@emotion/react',
+                    '@emotion/styled',
+                    'reactflow'
+                ],
+                output: {
+                    globals: {
+                        react: 'React',
+                        'react-dom': 'ReactDOM',
+                        'react/jsx-runtime': 'jsxRuntime',
+                        '@mui/material': 'MaterialUI',
+                        '@mui/material/styles': 'MaterialUIStyles',
+                        '@emotion/react': 'emotionReact',
+                        '@emotion/styled': 'emotionStyled',
+                        reactflow: 'ReactFlow'
+                    },
+                    assetFileNames: (assetInfo) => {
+                        if (assetInfo.name === 'style.css') return 'flowise.css'
+                        return assetInfo.name || 'asset'
+                    }
+                }
+            },
+            cssCodeSplit: false,
+            sourcemap: isDev ? true : false
+        }
     }
 })

packages/components/credentials/AWSCredential.credential.ts

@@ -11,7 +11,7 @@ class AWSApi implements INodeCredential {
     constructor() {
         this.label = 'AWS security credentials'
         this.name = 'awsApi'
-        this.version = 1.0
+        this.version = 1.1
         this.description =
             'Your <a target="_blank" href="https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds.html">AWS security credentials</a>. When unspecified, credentials will be sourced from the runtime environment according to the default AWS SDK behavior.'
         this.optional = true
@@ -39,6 +39,24 @@ class AWSApi implements INodeCredential {
                 placeholder: '<AWS_SESSION_TOKEN>',
                 description: 'The session key for your AWS account. This is only needed when you are using temporary credentials.',
                 optional: true
+            },
+            {
+                label: 'Role ARN',
+                name: 'roleArn',
+                type: 'string',
+                placeholder: 'arn:aws:iam::123456789012:role/role-name',
+                description:
+                    'The Amazon Resource Name (ARN) of the IAM role to assume. When provided, Flowise will use AWS STS AssumeRole to obtain temporary credentials. Leave empty to use static credentials directly.',
+                optional: true
+            },
+            {
+                label: 'External ID',
+                name: 'externalId',
+                type: 'string',
+                placeholder: 'unique-external-id',
+                description:
+                    'A unique identifier used for cross-account role assumption. Required when the role trust policy includes an sts:ExternalId condition.',
+                optional: true
             }
         ]
     }

packages/components/nodes/chatmodels/AWSBedrock/AWSChatBedrock.ts

@@ -1,7 +1,8 @@
 import { BaseCache } from '@langchain/core/caches'
 import { ICommonObject, IMultiModalOption, INode, INodeData, INodeOptionsValue, INodeParams } from '../../../src/Interface'
-import { getBaseClasses, getCredentialData, getCredentialParam } from '../../../src/utils'
+import { getBaseClasses } from '../../../src/utils'
 import { getModels, getRegions, MODEL_TYPE } from '../../../src/modelLoader'
+import { getAWSCredentialConfig } from '../../../src/awsToolsUtils'
 import { ChatBedrockConverseInput, ChatBedrockConverse } from '@langchain/aws'
 import { BedrockChat } from './FlowiseAWSChatBedrock'
 
@@ -163,19 +164,12 @@ class AWSChatBedrock_ChatModels implements INode {
          * Bedrock's credential provider falls back to the AWS SDK to fetch
          * credentials from the running environment.
          * When specified, we override the default provider with configured values.
+         * Supports STS AssumeRole when a Role ARN is configured in the credential.
          * @see https://github.com/aws/aws-sdk-js-v3/blob/main/packages/credential-provider-node/README.md
          */
-        const credentialData = await getCredentialData(nodeData.credential ?? '', options)
-        if (credentialData && Object.keys(credentialData).length !== 0) {
-            const credentialApiKey = getCredentialParam('awsKey', credentialData, nodeData)
-            const credentialApiSecret = getCredentialParam('awsSecret', credentialData, nodeData)
-            const credentialApiSession = getCredentialParam('awsSession', credentialData, nodeData)
-
-            obj.credentials = {
-                accessKeyId: credentialApiKey,
-                secretAccessKey: credentialApiSecret,
-                sessionToken: credentialApiSession
-            }
+        const credentialConfig = await getAWSCredentialConfig(nodeData, options, iRegion)
+        if (credentialConfig.credentials) {
+            obj.credentials = credentialConfig.credentials
         }
         if (cache) obj.cache = cache
 

packages/components/nodes/documentloaders/S3Directory/S3Directory.ts

@@ -1,11 +1,6 @@
 import { ICommonObject, INode, INodeData, INodeOptionsValue, INodeOutputsValue, INodeParams } from '../../../src/Interface'
-import {
-    getCredentialData,
-    getCredentialParam,
-    handleDocumentLoaderDocuments,
-    handleDocumentLoaderMetadata,
-    handleDocumentLoaderOutput
-} from '../../../src/utils'
+import { handleDocumentLoaderDocuments, handleDocumentLoaderMetadata, handleDocumentLoaderOutput } from '../../../src/utils'
+import { getAWSCredentialConfig } from '../../../src/awsToolsUtils'
 import { S3Client, GetObjectCommand, S3ClientConfig, ListObjectsV2Command, ListObjectsV2Output } from '@aws-sdk/client-s3'
 import { getRegions, MODEL_TYPE } from '../../../src/modelLoader'
 import { Readable } from 'node:stream'
@@ -158,18 +153,9 @@ class S3_DocumentLoaders implements INode {
         const output = nodeData.outputs?.output as string
 
         let credentials: S3ClientConfig['credentials'] | undefined
-
         if (nodeData.credential) {
-            const credentialData = await getCredentialData(nodeData.credential, options)
-            const accessKeyId = getCredentialParam('awsKey', credentialData, nodeData)
-            const secretAccessKey = getCredentialParam('awsSecret', credentialData, nodeData)
-
-            if (accessKeyId && secretAccessKey) {
-                credentials = {
-                    accessKeyId,
-                    secretAccessKey
-                }
-            }
+            const credentialConfig = await getAWSCredentialConfig(nodeData, options, region)
+            credentials = credentialConfig.credentials
         }
 
         let s3Config: S3ClientConfig = {

packages/components/nodes/documentloaders/S3File/S3File.ts

@@ -7,13 +7,8 @@ import {
     SkipInferTableTypes,
     HiResModelName
 } from '@langchain/community/document_loaders/fs/unstructured'
-import {
-    getCredentialData,
-    getCredentialParam,
-    handleDocumentLoaderDocuments,
-    handleDocumentLoaderMetadata,
-    handleDocumentLoaderOutput
-} from '../../../src/utils'
+import { handleDocumentLoaderDocuments, handleDocumentLoaderMetadata, handleDocumentLoaderOutput } from '../../../src/utils'
+import { getAWSCredentialConfig } from '../../../src/awsToolsUtils'
 import { S3Client, GetObjectCommand, HeadObjectCommand, S3ClientConfig } from '@aws-sdk/client-s3'
 import { getRegions, MODEL_TYPE } from '../../../src/modelLoader'
 import { Readable } from 'node:stream'
@@ -581,18 +576,9 @@ class S3_DocumentLoaders implements INode {
         }
 
         let credentials: S3ClientConfig['credentials'] | undefined
-
         if (nodeData.credential) {
-            const credentialData = await getCredentialData(nodeData.credential, options)
-            const accessKeyId = getCredentialParam('awsKey', credentialData, nodeData)
-            const secretAccessKey = getCredentialParam('awsSecret', credentialData, nodeData)
-
-            if (accessKeyId && secretAccessKey) {
-                credentials = {
-                    accessKeyId,
-                    secretAccessKey
-                }
-            }
+            const credentialConfig = await getAWSCredentialConfig(nodeData, options, region)
+            credentials = credentialConfig.credentials
         }
 
         const s3Config: S3ClientConfig = {

packages/components/nodes/embeddings/AWSBedrockEmbedding/AWSBedrockEmbedding.ts

@@ -1,7 +1,8 @@
 import { BedrockRuntimeClient, InvokeModelCommand } from '@aws-sdk/client-bedrock-runtime'
 import { BedrockEmbeddings, BedrockEmbeddingsParams } from '@langchain/community/embeddings/bedrock'
 import { ICommonObject, INode, INodeData, INodeOptionsValue, INodeParams } from '../../../src/Interface'
-import { getBaseClasses, getCredentialData, getCredentialParam } from '../../../src/utils'
+import { getBaseClasses } from '../../../src/utils'
+import { getAWSCredentialConfig } from '../../../src/awsToolsUtils'
 import { MODEL_TYPE, getModels, getRegions } from '../../../src/modelLoader'
 
 class AWSBedrockEmbedding_Embeddings implements INode {
@@ -129,17 +130,15 @@ class AWSBedrockEmbedding_Embeddings implements INode {
             region: iRegion
         }
 
-        const credentialData = await getCredentialData(nodeData.credential ?? '', options)
-        if (credentialData && Object.keys(credentialData).length !== 0) {
-            const credentialApiKey = getCredentialParam('awsKey', credentialData, nodeData)
-            const credentialApiSecret = getCredentialParam('awsSecret', credentialData, nodeData)
-            const credentialApiSession = getCredentialParam('awsSession', credentialData, nodeData)
-
-            obj.credentials = {
-                accessKeyId: credentialApiKey,
-                secretAccessKey: credentialApiSecret,
-                sessionToken: credentialApiSession
-            }
+        /**
+         * Long-term credentials specified in embedding configuration are optional.
+         * Bedrock's credential provider falls back to the AWS SDK to fetch
+         * credentials from the running environment.
+         * Supports STS AssumeRole when a Role ARN is configured in the credential.
+         */
+        const credentialConfig = await getAWSCredentialConfig(nodeData, options, iRegion)
+        if (credentialConfig.credentials) {
+            obj.credentials = credentialConfig.credentials
         }
 
         const client = new BedrockRuntimeClient({