Skip to content

fix: protect endpoints with auth API key #127

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: protect endpoints with auth API key #127

wants to merge 1 commit into from
+44 −66

Conversation

franciscovelez
Copy link

I've just noticed that some endpoints in this project are not protected, so any person with the URL can make calls to /chat/completions, for instance, without knowing the API key. I've created a new FastAPI dependency function that check if a valid API key has been provided (get_current_user_or_abort) and added it to each endpoint.

Marenz
Marenz approved these changes Jul 11, 2024
View reviewed changes
Copy link
Contributor

@Marenz Marenz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Do we know if the calling side is also always using the KEY when it should?

tjbck
tjbck reviewed Jul 11, 2024
View reviewed changes
main.py
@@ -8,7 +8,7 @@
from typing import List, Union, Generator, Iterator


from utils.pipelines.auth import bearer_security, get_current_user
from utils.pipelines.auth import get_current_user_or_abort
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should keep the get_current_user convention. Please refer to our main Open WebUI repo!

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Timothy, I'm sorry but I don't understand what you mean. Are you talking about adding the HTTP exception in the get_current_user or implement something like the function get_current_user_by_api_key (https://github.com/open-webui/open-webui/blob/eff736acd2e0bbbdd0eeca4cc209b216a1f23b6a/backend/utils/utils.py#L116C5-L116C32)?

@jabbasj
Copy link

jabbasj commented Aug 12, 2024

@franciscovelez The following quick change basically ensured that API key is validated for the completion endpoint:

@app.post("/v1/chat/completions")
@app.post("/chat/completions")
async def generate_openai_chat_completion(form_data: OpenAIChatCompletionForm, user: str = Depends(get_current_user)):

    if user != API_KEY:
        raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
                detail="Invalid API key",
            )

This doesn't meet your need?

@franciscovelez
Copy link
Author

@jabbasj Of course this quick change solves the problem for that endpoint but I still think that we can take advantage of the injection system provided by FastAPI, create a function that performs those checks and reuse it (Don't Repeat Yourself principle).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tjbck tjbck tjbck left review comments

@Marenz Marenz Marenz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@franciscovelez @jabbasj @Marenz @tjbck