Revert "(UI) - Security Improvement, move to JWT Auth for Admin UI Sessions (#8995)"

This reverts commit 01a44a4.

Author: ishaan-jaff

litellm/proxy/_types.py

@@ -272,7 +272,6 @@ class LiteLLMRoutes(enum.Enum):
         "/key/health",
         "/team/info",
         "/team/list",
-        "/organization/info",
         "/organization/list",
         "/team/available",
         "/user/info",
@@ -283,11 +282,6 @@ class LiteLLMRoutes(enum.Enum):
         "/health",
         "/key/list",
         "/user/filter/ui",
-        "/user/list",
-        "/user/available_roles",
-        "/guardrails/list",
-        "/cache/ping",
-        "/get/config/callbacks",
     ]
 
     # NOTE: ROUTES ONLY FOR MASTER KEY - only the Master Key should be able to Reset Spend
@@ -306,8 +300,6 @@ class LiteLLMRoutes(enum.Enum):
         "/user/update",
         "/user/delete",
         "/user/info",
-        # user invitation management
-        "/invitation/new",
         # team
         "/team/new",
         "/team/update",
@@ -317,20 +309,6 @@ class LiteLLMRoutes(enum.Enum):
         "/team/block",
         "/team/unblock",
         "/team/available",
-        # team member management
-        "/team/member_add",
-        "/team/member_update",
-        "/team/member_delete",
-        # organization management
-        "/organization/new",
-        "/organization/update",
-        "/organization/delete",
-        "/organization/info",
-        "/organization/list",
-        # organization member management
-        "/organization/member_add",
-        "/organization/member_update",
-        "/organization/member_delete",
         # model
         "/model/new",
         "/model/update",
@@ -377,32 +355,20 @@ class LiteLLMRoutes(enum.Enum):
         "/sso",
         "/sso/get/ui_settings",
         "/login",
-        "/sso/session/validate",
         "/key/info",
         "/config",
         "/spend",
         "/model/info",
-        "/model/metrics",
-        "/model/metrics/{sub_path}",
-        "/model/settings",
-        "/get/litellm_model_cost_map",
-        "/model/streaming_metrics",
         "/v2/model/info",
         "/v2/key/info",
         "/models",
         "/v1/models",
         "/global/spend",
         "/global/spend/logs",
-        "/spend/logs/ui",
-        "/spend/logs/ui/{id}",
         "/global/spend/keys",
         "/global/spend/models",
         "/global/predict/spend/logs",
         "/global/activity",
-        "/global/activity/{sub_path}",
-        "/global/activity/exceptions",
-        "/global/activity/exceptions/{sub_path}",
-        "/global/all_end_users",
         "/health/services",
     ] + info_routes
 
@@ -2493,7 +2459,6 @@ class LiteLLM_JWTAuth(LiteLLMPydanticObjectBase):
         "spend_tracking_routes",
         "global_spend_tracking_routes",
         "info_routes",
-        "ui_routes",
     ]
     team_id_jwt_field: Optional[str] = None
     team_id_upsert: bool = False

litellm/proxy/auth/auth_checks.py

@@ -204,11 +204,9 @@ def _allowed_routes_check(user_route: str, allowed_routes: list) -> bool:
     """
 
     for allowed_route in allowed_routes:
-        if allowed_route in LiteLLMRoutes.__members__ and (
-            RouteChecks.check_route_access(
-                route=user_route,
-                allowed_routes=LiteLLMRoutes[allowed_route].value,
-            )
+        if (
+            allowed_route in LiteLLMRoutes.__members__
+            and user_route in LiteLLMRoutes[allowed_route].value
         ):
             return True
         elif allowed_route == user_route:
@@ -219,18 +217,16 @@ def _allowed_routes_check(user_route: str, allowed_routes: list) -> bool:
 def allowed_routes_check(
     user_role: Literal[
         LitellmUserRoles.PROXY_ADMIN,
-        LitellmUserRoles.PROXY_ADMIN_VIEW_ONLY,
         LitellmUserRoles.TEAM,
         LitellmUserRoles.INTERNAL_USER,
-        LitellmUserRoles.INTERNAL_USER_VIEW_ONLY,
     ],
     user_route: str,
     litellm_proxy_roles: LiteLLM_JWTAuth,
-    jwt_valid_token: dict,
 ) -> bool:
     """
     Check if user -> not admin - allowed to access these routes
     """
+
     if user_role == LitellmUserRoles.PROXY_ADMIN:
         is_allowed = _allowed_routes_check(
             user_route=user_route,

litellm/proxy/auth/handle_jwt.py

@@ -33,7 +33,6 @@
     ScopeMapping,
     Span,
 )
-from litellm.proxy.management_helpers.ui_session_handler import UISessionHandler
 from litellm.proxy.utils import PrismaClient, ProxyLogging
 
 from .auth_checks import (
@@ -407,60 +406,10 @@ def is_allowed_domain(self, user_email: str) -> bool:
         else:
             return False
 
-    def _validate_ui_token(self, token: str) -> Optional[dict]:
-        """
-        Helper function to validate tokens generated for the LiteLLM UI.
-        Returns the decoded payload if it's a valid UI token, None otherwise.
-        """
-        import jwt
-
-        from litellm.proxy.proxy_server import master_key
-
-        try:
-            # Decode without verification to check if it's a UI token
-            unverified_payload = jwt.decode(token, options={"verify_signature": False})
-
-            # Check if this looks like a UI token (has specific claims that only UI tokens would have)
-            if UISessionHandler.is_ui_session_token(unverified_payload):
-
-                # This looks like a UI token, now verify it with the master key
-                if not master_key:
-                    verbose_proxy_logger.debug(
-                        "Missing LITELLM_MASTER_KEY for UI token validation"
-                    )
-                    return None
-
-                try:
-                    payload = jwt.decode(
-                        token,
-                        master_key,
-                        algorithms=["HS256"],
-                        audience="litellm-ui",
-                        leeway=self.leeway,
-                    )
-                    verbose_proxy_logger.debug(
-                        "Successfully validated UI token for payload: %s",
-                        json.dumps(payload, indent=4),
-                    )
-                    return payload
-                except jwt.InvalidTokenError as e:
-                    verbose_proxy_logger.debug(f"Invalid UI token: {str(e)}")
-                    raise ValueError(
-                        f"Invalid UI token, Unable to validate token signature {str(e)}"
-                    )
-
-            return None  # Not a UI token
-        except Exception as e:
-            raise e
-
     async def auth_jwt(self, token: str) -> dict:
         # Supported algos: https://pyjwt.readthedocs.io/en/stable/algorithms.html
         # "Warning: Make sure not to mix symmetric and asymmetric algorithms that interpret
         #   the key in different ways (e.g. HS* and RS*)."
-
-        ui_payload = self._validate_ui_token(token)
-        if ui_payload:
-            return ui_payload
         algorithms = ["RS256", "RS384", "RS512", "PS256", "PS384", "PS512"]
 
         audience = os.getenv("JWT_AUDIENCE")
@@ -667,7 +616,6 @@ async def check_admin_access(
         user_id: Optional[str],
         org_id: Optional[str],
         api_key: str,
-        jwt_valid_token: dict,
     ) -> Optional[JWTAuthBuilderResult]:
         """Check admin status and route access permissions"""
         if not jwt_handler.is_admin(scopes=scopes):
@@ -677,7 +625,6 @@ async def check_admin_access(
             user_role=LitellmUserRoles.PROXY_ADMIN,
             user_route=route,
             litellm_proxy_roles=jwt_handler.litellm_jwtauth,
-            jwt_valid_token=jwt_valid_token,
         )
         if not is_allowed:
             allowed_routes: List[Any] = jwt_handler.litellm_jwtauth.admin_allowed_routes
@@ -751,7 +698,6 @@ async def find_team_with_model_access(
         user_api_key_cache: DualCache,
         parent_otel_span: Optional[Span],
         proxy_logging_obj: ProxyLogging,
-        jwt_valid_token: dict,
     ) -> Tuple[Optional[str], Optional[LiteLLM_TeamTable]]:
         """Find first team with access to the requested model"""
 
@@ -784,7 +730,6 @@ async def find_team_with_model_access(
                             user_role=LitellmUserRoles.TEAM,
                             user_route=route,
                             litellm_proxy_roles=jwt_handler.litellm_jwtauth,
-                            jwt_valid_token=jwt_valid_token,
                         )
                         if is_allowed:
                             return team_id, team_object
@@ -975,13 +920,7 @@ async def auth_builder(
 
         # Check admin access
         admin_result = await JWTAuthManager.check_admin_access(
-            jwt_handler=jwt_handler,
-            scopes=scopes,
-            route=route,
-            user_id=user_id,
-            org_id=org_id,
-            api_key=api_key,
-            jwt_valid_token=jwt_valid_token,
+            jwt_handler, scopes, route, user_id, org_id, api_key
         )
         if admin_result:
             return admin_result
@@ -1013,7 +952,6 @@ async def auth_builder(
                 user_api_key_cache=user_api_key_cache,
                 parent_otel_span=parent_otel_span,
                 proxy_logging_obj=proxy_logging_obj,
-                jwt_valid_token=jwt_valid_token,
             )
 
         # Get other objects

litellm/proxy/auth/route_checks.py

@@ -1,5 +1,5 @@
 import re
-from typing import List, Optional, Set, Union
+from typing import List, Optional
 
 from fastapi import HTTPException, Request, status
 
@@ -225,9 +225,7 @@ def _route_matches_pattern(route: str, pattern: str) -> bool:
         return False
 
     @staticmethod
-    def check_route_access(
-        route: str, allowed_routes: Union[List[str], Set[str]]
-    ) -> bool:
+    def check_route_access(route: str, allowed_routes: List[str]) -> bool:
         """
         Check if a route has access by checking both exact matches and patterns
 

litellm/proxy/auth/user_api_key_auth.py

@@ -51,7 +51,6 @@
 from litellm.proxy.auth.route_checks import RouteChecks
 from litellm.proxy.auth.service_account_checks import service_account_checks
 from litellm.proxy.common_utils.http_parsing_utils import _read_request_body
-from litellm.proxy.management_helpers.ui_session_handler import UISessionHandler
 from litellm.proxy.utils import PrismaClient, ProxyLogging, _to_ns
 from litellm.types.services import ServiceTypes
 
@@ -336,7 +335,6 @@ async def _user_api_key_auth_builder(  # noqa: PLR0915
             "pass_through_endpoints", None
         )
         passed_in_key: Optional[str] = None
-        cookie_token: Optional[str] = None
         if isinstance(api_key, str):
             passed_in_key = api_key
             api_key = _get_bearer_token(api_key=api_key)
@@ -346,10 +344,6 @@ async def _user_api_key_auth_builder(  # noqa: PLR0915
             api_key = anthropic_api_key_header
         elif isinstance(google_ai_studio_api_key_header, str):
             api_key = google_ai_studio_api_key_header
-        elif cookie_token := UISessionHandler._get_ui_session_token_from_cookies(
-            request
-        ):
-            api_key = cookie_token
         elif pass_through_endpoints is not None:
             for endpoint in pass_through_endpoints:
                 if endpoint.get("path", "") == route:
@@ -426,10 +420,7 @@ async def _user_api_key_auth_builder(  # noqa: PLR0915
         if general_settings.get("enable_oauth2_proxy_auth", False) is True:
             return await handle_oauth2_proxy_request(request=request)
 
-        if (
-            general_settings.get("enable_jwt_auth", False) is True
-            or cookie_token is not None
-        ):
+        if general_settings.get("enable_jwt_auth", False) is True:
             from litellm.proxy.proxy_server import premium_user
 
             if premium_user is not True: