WebUI: 'Authorization header missing'

mudler / LocalAI

:robot: The free, Open Source OpenAI alternative. Self-hosted, community-driven and local-first. Drop-in replacement for OpenAI running on consumer-grade hardware. No GPU required. Runs gguf, transformers, diffusers and many more models architectures. It allows to generate Text, Audio, Video, Images. Also with voice cloning capabilities.

https://localai.io

MIT License

21.66k stars 1.66k forks source link

WebUI: 'Authorization header missing' #2227

Open AlexM4H opened 2 months ago

AlexM4H commented 2 months ago

The WebUI is making great progress. Many thanks for that.

I tried to test the chat today. Without using an API-KEY in my settings it works fine.

But how can I enter the API-KEY from my settings into the WebUI? The input option is only displayed if I have not set such a KEY.

If a API-KEY is set in my environment settings, I get the error message

{"message": "Authorization header missing"}

EDIT:

curl -X GET "https://localai/v1/models" -H "Authorization: Bearer sk-my-api-key"|jq

works with the correct key, otherwise "Invalid API key"

localai-bot commented 2 months ago

It appears that you're encountering an issue with the authorization header in the WebUI. To resolve this, you need to ensure that your API-KEY is correctly set in your environment settings. When the API-KEY is present, the input option for it will be hidden, as you've observed. Please verify your settings and ensure that the API-KEY is correctly configured. If you continue to experience issues, feel free to reach out for further assistance. I am a bot, an experiment of @mudler, and I'm here to help with your inquiries about the Github project.

fakezeta commented 2 months ago

Hi, if you mean how you can access the Web-UI with the browser I solved with Requestly browser extension.

Following a config example Screenshot 2024-05-03 at 18-21-26 Requestly - Lightweight Proxy to Intercept Modify HTTP(s) requests

AlexM4H commented 2 months ago

Thanks for your workaround. I use ModHeader instead. It works well. But it's a bug, right?

Jordanb716 commented 1 month ago

I have this issue as well. Using the latest Docker image (v2.15.0-cublas-cuda12-ffmpeg), if $LOCALAI_API_KEY is set I only get "Authorization header missing" when I try to access the webui. Works perfectly if not set.

pmarini-nc commented 1 month ago

I also think it is a bug. Can a maintainer confirm this? Thanks!

AlexM4H commented 3 weeks ago

Any updates? We have a workaround for this error, but no fix yet.

mudler commented 1 week ago

That's not a bug - the WebUI is served by the API and, does not support specifying an API KEY on the first place for all the calls. As it exposes outside confidential informations, it is gated for security purposes by the API_KEY entirely. As @fakezeta mentioned there are browser plugins to prefix calls with a bearer token that can be used to access the webui.

As there is no user authentication, nor the WebUI supports settings API Keys across all the application, the safest route is to put the whole UI behind an API KEY as it could leak sensitive informations.

If you think there is room for improvement, please create a ticket suggesting a solution - but I'm not really into plugging a user/auth system to LocalAI. We can think to have the WebUI to setup the token when accessed at first, but that's an enhancement, not a bug. Referencing #2156 for better visibility.