fix(auth): enforce features.api_keys permission on GET and DELETE /api_key endpoints (#25992)

This commit is contained in:
G30
2026-06-16 16:48:44 -04:00
committed by GitHub
parent dc4924b66e
commit bb66d435b7

View File

@@ -1237,20 +1237,26 @@ async def update_ldap_config(request: Request, form_data: LdapConfigForm, user=D
############################
# create api key
@router.post('/api_key', response_model=ApiKey)
async def generate_api_key(
request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)
):
async def _check_api_key_permission(request: Request, user, db: AsyncSession):
if not request.app.state.config.ENABLE_API_KEYS or (
user.role != 'admin'
and not await has_permission(user.id, 'features.api_keys', request.app.state.config.USER_PERMISSIONS)
and not await has_permission(
user.id, 'features.api_keys', request.app.state.config.USER_PERMISSIONS, db=db
)
):
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail=ERROR_MESSAGES.API_KEY_CREATION_NOT_ALLOWED,
)
# create api key
@router.post('/api_key', response_model=ApiKey)
async def generate_api_key(
request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)
):
await _check_api_key_permission(request, user, db)
api_key = create_api_key()
success = await Users.update_user_api_key_by_id(user.id, api_key, db=db)
@@ -1264,13 +1270,19 @@ async def generate_api_key(
# delete api key
@router.delete('/api_key', response_model=bool)
async def delete_api_key(user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)):
async def delete_api_key(
request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)
):
await _check_api_key_permission(request, user, db)
return await Users.delete_user_api_key_by_id(user.id, db=db)
# get api key
@router.get('/api_key', response_model=ApiKey)
async def get_api_key(user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)):
async def get_api_key(
request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)
):
await _check_api_key_permission(request, user, db)
api_key = await Users.get_user_api_key_by_id(user.id, db=db)
if api_key:
return {