LocalAI/backend/python/common/grpc_auth.py

"""Shared gRPC bearer token authentication interceptor for LocalAI Python backends.

When the environment variable LOCALAI_GRPC_AUTH_TOKEN is set, requests without
a valid Bearer token in the 'authorization' metadata header are rejected with
UNAUTHENTICATED. When the variable is empty or unset, no authentication is
performed (backward compatible).
"""

import hmac
import os

import grpc


class _AbortHandler(grpc.RpcMethodHandler):
    """A method handler that immediately aborts with UNAUTHENTICATED."""

    def __init__(self):
        self.request_streaming = False
        self.response_streaming = False
        self.request_deserializer = None
        self.response_serializer = None
        self.unary_unary = self._abort
        self.unary_stream = None
        self.stream_unary = None
        self.stream_stream = None

    @staticmethod
    def _abort(request, context):
        context.abort(grpc.StatusCode.UNAUTHENTICATED, "invalid token")


class TokenAuthInterceptor(grpc.ServerInterceptor):
    """Sync gRPC server interceptor that validates a bearer token."""

    def __init__(self, token: str):
        self._token = token
        self._abort_handler = _AbortHandler()

    def intercept_service(self, continuation, handler_call_details):
        metadata = dict(handler_call_details.invocation_metadata)
        auth = metadata.get("authorization", "")
        expected = "Bearer " + self._token
        if not hmac.compare_digest(auth, expected):
            return self._abort_handler
        return continuation(handler_call_details)


class AsyncTokenAuthInterceptor(grpc.aio.ServerInterceptor):
    """Async gRPC server interceptor that validates a bearer token."""

    def __init__(self, token: str):
        self._token = token

    async def intercept_service(self, continuation, handler_call_details):
        metadata = dict(handler_call_details.invocation_metadata)
        auth = metadata.get("authorization", "")
        expected = "Bearer " + self._token
        if not hmac.compare_digest(auth, expected):
            return _AbortHandler()
        return await continuation(handler_call_details)


def get_auth_interceptors(*, aio: bool = False):
    """Return a list of gRPC interceptors for bearer token auth.

    Args:
        aio: If True, return async-compatible interceptors for grpc.aio.server().
             If False (default), return sync interceptors for grpc.server().

    Returns an empty list when LOCALAI_GRPC_AUTH_TOKEN is not set.
    """
    token = os.environ.get("LOCALAI_GRPC_AUTH_TOKEN", "")
    if not token:
        return []
    if aio:
        return [AsyncTokenAuthInterceptor(token)]
    return [TokenAuthInterceptor(token)]
feat: add distributed mode (#9124) * feat: add distributed mode (experimental) Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * fix data races, mutexes, transactions Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * refactorings Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * fixups Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * fix events and tool stream in agent chat Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * use ginkgo Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * refactoring and consolidation Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * refactoring and consolidation Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * refactoring and consolidation Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * refactoring and consolidation Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * refactoring and consolidation Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * refactoring and consolidation Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * refactoring and consolidation Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * refactoring and consolidation Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * fix(cron): compute correctly time boundaries avoiding re-triggering Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * enhancements, refactorings Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * do not flood of healthy checks Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * do not list obvious backends as text backends Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * tests fixups Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * refactoring and consolidation Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * Drop redundant healthcheck Signed-off-by: Ettore Di Giacinto <mudler@localai.io> * enhancements, refactorings Signed-off-by: Ettore Di Giacinto <mudler@localai.io> --------- Signed-off-by: Ettore Di Giacinto <mudler@localai.io> 2026-03-29 22:47:27 +00:00			`"""Shared gRPC bearer token authentication interceptor for LocalAI Python backends.`

			`When the environment variable LOCALAI_GRPC_AUTH_TOKEN is set, requests without`
			`a valid Bearer token in the 'authorization' metadata header are rejected with`
			`UNAUTHENTICATED. When the variable is empty or unset, no authentication is`
			`performed (backward compatible).`
			`"""`

			`import hmac`
			`import os`

			`import grpc`


			`class _AbortHandler(grpc.RpcMethodHandler):`
			`"""A method handler that immediately aborts with UNAUTHENTICATED."""`

			`def __init__(self):`
			`self.request_streaming = False`
			`self.response_streaming = False`
			`self.request_deserializer = None`
			`self.response_serializer = None`
			`self.unary_unary = self._abort`
			`self.unary_stream = None`
			`self.stream_unary = None`
			`self.stream_stream = None`

			`@staticmethod`
			`def _abort(request, context):`
			`context.abort(grpc.StatusCode.UNAUTHENTICATED, "invalid token")`


			`class TokenAuthInterceptor(grpc.ServerInterceptor):`
			`"""Sync gRPC server interceptor that validates a bearer token."""`

			`def __init__(self, token: str):`
			`self._token = token`
			`self._abort_handler = _AbortHandler()`

			`def intercept_service(self, continuation, handler_call_details):`
			`metadata = dict(handler_call_details.invocation_metadata)`
			`auth = metadata.get("authorization", "")`
			`expected = "Bearer " + self._token`
			`if not hmac.compare_digest(auth, expected):`
			`return self._abort_handler`
			`return continuation(handler_call_details)`


			`class AsyncTokenAuthInterceptor(grpc.aio.ServerInterceptor):`
			`"""Async gRPC server interceptor that validates a bearer token."""`

			`def __init__(self, token: str):`
			`self._token = token`

			`async def intercept_service(self, continuation, handler_call_details):`
			`metadata = dict(handler_call_details.invocation_metadata)`
			`auth = metadata.get("authorization", "")`
			`expected = "Bearer " + self._token`
			`if not hmac.compare_digest(auth, expected):`
			`return _AbortHandler()`
			`return await continuation(handler_call_details)`


			`def get_auth_interceptors(*, aio: bool = False):`
			`"""Return a list of gRPC interceptors for bearer token auth.`

			`Args:`
			`aio: If True, return async-compatible interceptors for grpc.aio.server().`
			`If False (default), return sync interceptors for grpc.server().`

			`Returns an empty list when LOCALAI_GRPC_AUTH_TOKEN is not set.`
			`"""`
			`token = os.environ.get("LOCALAI_GRPC_AUTH_TOKEN", "")`
			`if not token:`
			`return []`
			`if aio:`
			`return [AsyncTokenAuthInterceptor(token)]`
			`return [TokenAuthInterceptor(token)]`