Release prep for 1.3.1 (#1483)

* Update server.py (#1474)

Solving the underlying issue properly requires moving to HTTP only cookies, which is out of scope for now (we want to properly clean up auth). We're gonna ship this ASAP.

This reopens #1101 and #1438 .

* Changelog for 1.3.1 and 2.0.dev2.

* Bump version to 1.3.1.

---------

Co-authored-by: Josh Hayes <[email protected]>

CHANGELOG.md

@@ -4,35 +4,145 @@ All notable changes to Chainlit will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
-## [1.3.0rc0] - 2024-10-02
+## [1.3.1] - 2024-10-25
+
+### Security Advisory
+
+- **IMPORTANT**: This release temporarily reverts the file access security improvements from 1.3.0 to restore element functionality. The element feature currently has a known security vulnerability that could allow unauthorized access to files. We strongly recommend against using elements in production environments until the next release.
+- A comprehensive security fix using HTTP-only cookie authentication will be implemented in an upcoming release.
+
+### Changed
+
+- Reverted authentication requirements for file access endpoints to restore element functionality (#1474)
+
+### Development
+
+- Work in progress on implementing HTTP-only cookie authentication for proper security (#1472)
+
+## [1.3.0] - 2024-10-22
+
+### Security
+
+- Fixed critical endpoint security vulnerabilities (#1441)
+- Enhanced authentication for file-related endpoints (#1431)
+- Upgraded frontend and backend dependencies to address security issues (#1431)
 
 ### Added
 
-- SQLite support in SQLAlchemy integration (#1137)
-- Extensive test coverage for LiteralDataLayer and SQLAlchemyDataLayer
-- `get_element()` method to SQLAlchemyDataLayer (#1346)
+- SQLite support in SQLAlchemy integration (#1319)
+- Support for IETF BCP 47 language tags, enabling localized languages like es-419 (#1399)
+- Environment variables `OAUTH_<PROVIDER>_PROMPT` and `OAUTH_PROMPT` to
+override oauth prompt parameter. Enabling users to explicitly enable login/consent prompts for oauth, e.g. `OAUTH_PROMPT=consent` to prevent automatic re-login. (#1362, #1456).
+- Added `get_element()` method to SQLAlchemyDataLayer (#1346)
 
 ### Changed
 
 - Bumped LiteralAI dependency to version 0.0.625 (#1376)
-- Refactored LiteralDataLayer for improved performance and consistency
+- Optimized LiteralDataLayer for improved performance and consistency (#1376)
 - Refactored context handling in SQLAlchemy data layer (#1319)
+- Updated package metadata with correct authors, license, and documentation links (#1413)
 - Enhanced GitHub Actions workflow with restricted permissions (#1349)
 
 ### Fixed
 
-- Resolved issues with SQLite database support (#1137)
-- Addressed automatic OAuth login after logout (#1362)
-- Various code style and linting improvements (#1353, #1348, #1347)
+- Resolved dialog boxes extending beyond window bounds (#1446)
+- Fixed tasklist functionality when Chainlit is submounted (#1433)
+- Corrected handling of `display_name` in PersistentUser during authentication (#1425)
+- Fixed SQLAlchemy identifier quoting (#1395)
+- Improved spaces handling in avatar filenames (#1418)
+
+### Development
+
+- Implemented extensive test coverage for LiteralDataLayer and SQLAlchemyDataLayer
+- Added comprehensive unit tests for file-related endpoints
+- Enhanced code organization and import structure
+- Improved Python code style and linting (#1353)
+- Resolved various small text and documentation issues (#1347, #1348)
+
+## [2.0.dev2] - 2024-10-25
+
+### Security Advisory
+
+- **IMPORTANT**: This release temporarily reverts the file access security improvements from 2.0.dev1 to restore element functionality. The element feature currently has a known security vulnerability that could allow unauthorized access to files. We strongly recommend against using elements in production environments until the next release.
+- A comprehensive security fix using HTTP-only cookie authentication will be implemented in an upcoming release.
+
+### Changed
+
+- Reverted authentication requirements for file access endpoints to restore element functionality (#1474)
+
+### Development
+
+- Work in progress on implementing HTTP-only cookie authentication for proper security (#1472)
+
+## [2.0.dev1] - 2024-10-22
+
+### Added
+
+- Interactive DataFrame display component using MUI Data Grid (#1373)
+- Optional websocket connection in react-client (#1379)
+- Current URL in message payload (#1403)
+- Improved image interaction - clicking opens popup with download option (#1402)
+- Configurable user session timeout (#1032)
+
+### Security
+
+- Fixed file access vulnerability in get_file and upload_file endpoints (#1441)
+- Added authentication to /project/file endpoint (#1441)
+- Addressed security vulnerabilities in frontend dependencies (#1431, #1414)
+
+### Fixed
+
+- Dialog boxes extending beyond window (#1446)
+- Allow empty chat input when submitting attachments (#1261)
+- Tasklist when Chainlit is submounted (#1433)
+- Spaces in avatar filenames (#1418)
+- Step argument input and concurrency issues (#1409)
+- Display_name copying to PersistentUser during authentication (#1425)
 
 ### Development
 
-- Implemented LiteralToChainlitConverter class for handling conversions
-- Added comprehensive unit tests for data layer components
-- Improved import structure and removed unused imports
-- Updated README with latest project information (#1351)
+- Refactored storage clients into separate modules (#1363)
+- Support for IETF BCP 47 language tags (#1399)
+- Improved GitHub Actions workflows and build process (#1445)
+- Direct installation from GitHub support (#1423)
+- Extended package metadata with homepage and documentation links (#1413)
+- Various backend fixes and code cleanup (#1432)
+
+## [2.0.dev0] - 2024-10-08
+
+### Breaking Changes
+
+- Completely revamped audio implementation:
+  - Removed `AudioChunk` type, replaced with `InputAudioChunk` and `OutputAudioChunk`
+  - Changed audio sampling rate from 44100 to 24000
+  - Removed several audio configuration options (`min_decibels`, `initial_silence_timeout`, `silence_timeout`, `chunk_duration`, `max_duration`)
+  - Introduced new `on_audio_start` callback
+  - Modified `on_audio_end` callback to no longer accept file elements as arguments
+
+### Added
+
+- New audio connection signaling with `on` and `off` states
+- Introduced `AudioPresence` component for visual representation of audio state
+- Added `WavRecorder` and `WavStreamPlayer` classes for improved audio handling
+- New `startConversation` and `endConversation` methods in `useAudio` hook
+- Implemented audio interruption functionality
+
+### Changed
+
+- Updated `useChatInteract` hook to include `startAudioStream` method
+- Modified `useChatSession` to handle new audio streaming functionality
+- Updated UI components to reflect new audio implementation, including new microphone icons and audio presence indicators
+- Refactored `InputBoxFooter` to display audio presence when active
+
+### Removed
+
+- Eliminated `RecordScreen` component
+- Removed several audio-related configuration options from `config.toml`
+
+### Development
 
-We encourage users to thoroughly test this release candidate, particularly the LiteralAI integration and history features, and provide feedback before the final 1.3.0 release.
+- Added new wavtools directory with various audio processing utilities
+- Implemented new AudioWorklet processors for more efficient audio handling
 
 ## [1.2.0] - 2024-09-16
 

backend/chainlit/server.py

@@ -881,7 +881,7 @@ async def upload_file(
 async def get_file(
     file_id: str,
     session_id: str,
-    current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)],
+    # current_user: Annotated[Union[User, PersistedUser], Depends(get_current_user)], #TODO: Causes 401 error. See https://github.com/Chainlit/chainlit/issues/1472
 ):
     """Get a file from the session files directory."""
 
@@ -895,12 +895,13 @@ async def get_file(
             detail="Unauthorized",
         )
 
-    if current_user:
-        if not session.user or session.user.identifier != current_user.identifier:
-            raise HTTPException(
-                status_code=401,
-                detail="You are not authorized to download files from this session",
-            )
+     #TODO: Causes 401 error. See https://github.com/Chainlit/chainlit/issues/1472
+    # if current_user:
+    #     if not session.user or session.user.identifier != current_user.identifier:
+    #         raise HTTPException(
+    #             status_code=401,
+    #             detail="You are not authorized to download files from this session",
+    #         )
 
     if file_id in session.files:
         file = session.files[file_id]

backend/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "chainlit"
-version = "1.3.0"
+version = "1.3.1"
 keywords = [
     'LLM',
     'Agents',