bricks-cloud / BricksLLM

🔒 Enterprise-grade API gateway that helps you monitor and impose cost or rate limits per API key. Get fine-grained access control and monitoring per user, application, or environment. Supports OpenAI, Azure OpenAI, Anthropic, vLLM, and open-source LLMs.
https://trybricks.ai/
MIT License

Certain Bricks API keys can't pass authentication. #49

Closed ReeseWang closed 6 months ago

ReeseWang commented 6 months ago

When I create Bricks API keys like 5xrdVPkTQMschs5CRLxYZuMu, I always get a 401 not authorized error:

$ curl -X PATCH -H "Content-Type: application/json" -H "X-API-KEY: [redacted]" localhost:8001/api/key-management/keys/b0070528-209a-4ed2-a788-c58aeef523ec -d '{
    "name": "testkey",
    "tags": ["testkey"],
    "key": "5xrdVPkTQMschs5CRLxYZuMu",
    "settingIds": ["a104afa5-4313-48cc-a75f-0fe57cec2877"],
    "costLimitInUsdOverTime": 0.1,
    "costLimitInUsdUnit": "d",
    "rateLimitOverTime": 30,
    "rateLimitUnit": "m",
    "shouldLogRequest": true,
    "shouldLogResponse": true
}'
{"name":"testkey","createdAt":1709286279,"updatedAt":1709377458,"tags":["testkey"],"keyId":"b0070528-209a-4ed2-a788-c58aeef523ec","revoked":false,"key":"ac480863ca46a254b576ac824c1e633fa38ac46582cd300e06b83084acc297ae","revokedReason":"","costLimitInUsd":0,"costLimitInUsdOverTime":0.1,"costLimitInUsdUnit":"d","rateLimitOverTime":30,"rateLimitUnit":"m","ttl":"","settingId":"","allowedPaths":null,"settingIds":["a104afa5-4313-48cc-a75f-0fe57cec2877"],"shouldLogRequest":true,"shouldLogResponse":true,"rotationEnabled":false}

$ curl -X POST http://localhost:8002/api/providers/openai/v1/chat/completions \
   -H "Authorization: Bearer 5xrdVPkTQMschs5CRLxYZuMu" \
   -H "Content-Type: application/json" \
   -d '{
          "model": "gpt-3.5-turbo",
          "messages": [
              {
                  "role": "system",
                  "content": "I'"'"'m testing, hoping to catch some error."
              }
          ]
      }'

{"error":{"code":"401","message":"[BricksLLM] not authorized","type":""}}

After some debugging, I found the sha256 hash of this key doesn't match the hash stored in my database:

$ echo -n 5xrdVPkTQMschs5CRLxYZuMu | sha256sum
106ff82a265e1bae932377d34ba7cc737793eaf98190df2be1637c16143f1816  -

bricksllm=> SELECT key FROM keys WHERE name = 'testkey';
                               key                                
------------------------------------------------------------------
 ac480863ca46a254b576ac824c1e633fa38ac46582cd300e06b83084acc297ae
(1 row)

The hash calculated here is also 106ff... https://github.com/bricks-cloud/BricksLLM/blob/b41d5fe73089e40095c108f6789d5f65bfdb4817/internal/authenticator/authenticator.go#L160

When I use keys like WsbjdNiM9CP2wukbZMjF, authentication passes, hashes match, no problem. I think there are problems in the code related to storing keys.

ReeseWang commented 6 months ago

Never mind, just found out updating a key's key field is not supported.
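
Added example, not part of the thread and not BricksLLM's code: a minimal Go model of the behaviour worked out above, where the stored SHA-256 hash is fixed at creation and a `key` value sent in an update is dropped, next to a stricter update that rejects the field instead. The `Store` type, its methods and the sample keys are constructed for illustration; looking keys up by their hash is an assumption about the design.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrKeyImmutable tells the caller that key material cannot be changed in place.
var ErrKeyImmutable = errors.New("key field cannot be updated; create a new key instead")

// Store maps hex(SHA-256(plaintext key)) -> key ID (hypothetical model).
type Store map[string]string

func hashKey(plain string) string {
	sum := sha256.Sum256([]byte(plain))
	return hex.EncodeToString(sum[:])
}

// Create stores only the hash of the plaintext key, never the key itself.
func (s Store) Create(id, plain string) { s[hashKey(plain)] = id }

// UpdateLenient models what the thread observed: the update succeeds, the
// "key" value is dropped, and the hash set at creation stays in place.
func (s Store) UpdateLenient(id, newPlain string) error { return nil }

// UpdateStrict rejects the unsupported field so the mismatch surfaces at
// update time rather than as a 401 on the next proxied request.
func (s Store) UpdateStrict(id, newPlain string) error {
	if newPlain != "" {
		return ErrKeyImmutable
	}
	return nil
}

// Authenticate hashes the presented bearer key and looks the hash up.
func (s Store) Authenticate(presented string) (string, bool) {
	id, ok := s[hashKey(presented)]
	return id, ok
}

func main() {
	s := Store{}
	s.Create("k1", "original-key-constructed")
	_ = s.UpdateLenient("k1", "new-key-constructed")
	_, okNew := s.Authenticate("new-key-constructed")
	_, okOld := s.Authenticate("original-key-constructed")
	fmt.Println("new key accepted:", okNew, "| original key accepted:", okOld)
	fmt.Println("strict update:", s.UpdateStrict("k1", "new-key-constructed"))
}
```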