open-webui / pipelines

Pipelines: Versatile, UI-Agnostic OpenAI-Compatible Plugin Framework
MIT License

fix: protect endpoints with auth API key #127

Open franciscovelez opened 4 months ago

franciscovelez commented 4 months ago

I've just noticed that some endpoints in this project are not protected, so any person with the URL can make calls to /chat/completions, for instance, without knowing the API key. I've created a new FastAPI dependency function that checks whether a valid API key has been provided (get_current_user_or_abort) and added it to each endpoint.

jabbasj commented 3 months ago

@franciscovelez The following quick change basically ensured that the API key is validated for the completion endpoint:

@app.post("/v1/chat/completions")
@app.post("/chat/completions")
async def generate_openai_chat_completion(form_data: OpenAIChatCompletionForm, user: str = Depends(get_current_user)):
    # Reject the request unless the presented key matches the configured API key.
    if user != API_KEY:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid API key",
        )

This doesn't meet your need?

franciscovelez commented 3 months ago

@jabbasj Of course this quick change solves the problem for that endpoint, but I still think that we can take advantage of the injection system provided by FastAPI, create a function that performs those checks and reuse it (the Don't Repeat Yourself principle).