An example webapp demonstrating how to integrate Pangea's AuthN and AuthZ services into a LangChain app to filter out RAG documents based on user permissions.
-
Node.js v20 or v22.
-
A Pangea account with AuthN and AuthZ enabled. Optionally, AI Guard and Prompt Guard may also be enabled.
-
An OpenAI API key.
-
A Google Drive folder containing spreadsheets
-
Note down the ID of the folder for later (see the LangChain docs for a guide on how to get the ID from the URL).
-
Each spreadsheet should be named after a user and have two rows. For example:
Alice PTO
Employee Hours Alice 25 Bob PTO
Employee Hours Bob 100
-
-
Two Google Identities (i.e. Alice and Bob)
- One user (i.e. Alice) will act as the admin and own the folder and have full access to all spreadsheets within
- The other user (i.e. Bob) will act as an employee with read access to their single spreadsheet
-
A Google Cloud project with the Google Drive API and Google Sheets API enabled.
-
A Google service account:
-
In your Google Cloud project, go to IAM & Admin > Service Accounts (using the navigation menu in the top left) and create a new service account.
-
On the service accounts page, select your new service account, click KEYS, and add a new key. Save the key file as
credentials.jsonin the root folder of your application.Your
credentials.jsonfile should look similar to this:{ "type": "service_account", "project_id": "my-project", "private_key_id": "l3JYno7aIrRSZkAGFHSNPcjYS6lrpL1UnqbkWW1b", "private_key": "-----BEGIN PRIVATE KEY-----\n[...]\n-----END PRIVATE KEY-----\n", "client_email": "[email protected]", "client_id": "1234567890", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-service-account%40my-project.iam.gserviceaccount.com", "universe_domain": "googleapis.com" } -
Share the Google Drive folder with the service account's email - noted as
client_emailin thecredentials.jsonfile - granting it Editor access so it can query file permissions as needed.
-
After activating AuthN:
- Under AuthN > General> Signup Settings, enable "Allow Signups". This way users won't need to be manually added.
- Under AuthN > General > Redirect (Callback) Settings,
add
http://localhost:3000as a redirect. - Under AuthN > General > Social (OAuth), enable Google.
- Under AuthN > Overview, note the "Client Token" and "Hosted Login" values for later.
This app assumes that the authorization schema is set to the built-in File Drive schema.
git clone https://github.com/pangeacyber/authz-rag-webapp.git
cd authz-rag-webapp
npm install
cp .env.example .envThere are several values that need to be filled out in .env:
NEXT_PUBLIC_AUTHN_CLIENT_TOKEN: This should be the AuthN "Client Token" that was noted earlier.NEXT_PUBLIC_AUTHN_HOSTED_LOGIN: This should be the AuthN "Hosted Login" that was noted earlier.PANGEA_SERVICE_TOKEN: Pangea API token with access to at least AuthN and AuthZ. The app has optional support for AI Guard and Prompt Guard, so include those as well if desired.OPENAI_API_KEY: OpenAI API key.GOOGLE_DRIVE_FOLDER_ID: Google Drive folder ID.
Fetching the Google Drive file permissions and propagating them to AuthZ is its own step that only needs to be executed once, or whenever file permissions change. To run the process, do:
npm run create-authz-tuples
After AuthZ tuples have been created, the app can be started like so:
npm start
Then navigate to http://localhost:3000.