feat(Multi-Tenancy): Implement Strict Data Isolation and Enhanced Authentication

[pranav-tandon]

feat(Multi-Tenancy): Implement Strict Data Isolation and Enhanced Authentication

Description

Summary

This PR implements strict data isolation for multi-tenant environments, ensuring that users from different organizations cannot access each other's data. It also includes critical fixes for the user registration and login flows, improved error handling for queries, and robust end-to-end verification tests.

Motivation

Previously, the registration and login flows had inconsistencies (e.g., default organization ID mismatch, incorrect payload formats) that prevented successful user onboarding. Additionally, while the database schema supported multi-tenancy, specific enforcement verification was needed to ensure zero data leakage between tenants.

Key Features

• Strict Data Isolation: Enforces tenant boundaries at the API and RAG Manager level.
• Seamless Registration: Auto-provisions organizations during registration to support self-service scenarios.
• Enhanced Login: Supports org_id during login and uses standard JSON payloads.
• Robust Validation: Relaxed unnecessary constraints on query length to improve user experience.
• E2E Verification: Added automated test suite to verify isolation guarantees.

Changes

Core Implementation

File	Changes
lightrag/api/db.py	Added create_organization helper; ensured init_db seeds default org.
lightrag/api/dependencies.py	Added fallback to default org if org_id is missing in token.
lightrag/api/lightrag_server.py	Integrated tenant_auth_routes and tenant_document_routes.

API & Routes

File	Changes
lightrag/api/routers/tenant_auth_routes.py	Auto-create org on register; fixed login response model.
lightrag/api/routers/tenant_document_routes.py	Added pagination, status, and pipeline endpoints.
lightrag/api/routers/query_routes.py	Reduced min_length for query validation from 3 to 1.

Frontend

File	Changes
lightrag_webui/src/features/RegisterPage.tsx	Updated default orgId to org_default.
lightrag_webui/src/features/LoginPage.tsx	Added Organization ID input field.
lightrag_webui/src/api/lightrag.ts	Updated loginToServer to use JSON instead of FormData; added org_id support.

Tests (Comprehensive Coverage)

File	Purpose
tests/test_tenancy_isolation.py	NEW: E2E test verifying User A cannot access User B's data.

Migration Behavior

• Backward Compatibility: Existing tokens without org_id default to org_default.
• Data Migration: No schema changes required for existing single-tenant deployments.

Verification

An end-to-end isolation test was performed:

1. User A (org_alpha) uploaded a secret text: "BLUE_HORIZON".
2. User A successfully retrieved the secret via RAG query.
3. User B (org_beta) queried for the same secret but received "No relevant context found".

This confirms that data isolation is functioning correctly.

[tapir]

Any ETA on when this will be merged?

[JoramMillenaar]

Is it possible to trim down this PR or split it in two (eg. a PR for the multi-tenancy and one for the auth)? Some changes are also just reformatting / indentation. This will make the reviewer's job much easier.