From bb66d435b7dad5db95683f35173741bf1adc8aa3 Mon Sep 17 00:00:00 2001 From: G30 <50341825+silentoplayz@users.noreply.github.com> Date: Tue, 16 Jun 2026 16:48:44 -0400 Subject: [PATCH] fix(auth): enforce features.api_keys permission on GET and DELETE /api_key endpoints (#25992) --- backend/open_webui/routers/auths.py | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/backend/open_webui/routers/auths.py b/backend/open_webui/routers/auths.py index 434a6349de..5b4ec857a4 100644 --- a/backend/open_webui/routers/auths.py +++ b/backend/open_webui/routers/auths.py @@ -1237,20 +1237,26 @@ async def update_ldap_config(request: Request, form_data: LdapConfigForm, user=D ############################ -# create api key -@router.post('/api_key', response_model=ApiKey) -async def generate_api_key( - request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session) -): +async def _check_api_key_permission(request: Request, user, db: AsyncSession): if not request.app.state.config.ENABLE_API_KEYS or ( user.role != 'admin' - and not await has_permission(user.id, 'features.api_keys', request.app.state.config.USER_PERMISSIONS) + and not await has_permission( + user.id, 'features.api_keys', request.app.state.config.USER_PERMISSIONS, db=db + ) ): raise HTTPException( status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_CREATION_NOT_ALLOWED, ) + +# create api key +@router.post('/api_key', response_model=ApiKey) +async def generate_api_key( + request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session) +): + await _check_api_key_permission(request, user, db) + api_key = create_api_key() success = await Users.update_user_api_key_by_id(user.id, api_key, db=db) @@ -1264,13 +1270,19 @@ async def generate_api_key( # delete api key @router.delete('/api_key', response_model=bool) -async def delete_api_key(user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)): +async def delete_api_key( + request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session) +): + await _check_api_key_permission(request, user, db) return await Users.delete_user_api_key_by_id(user.id, db=db) # get api key @router.get('/api_key', response_model=ApiKey) -async def get_api_key(user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)): +async def get_api_key( + request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session) +): + await _check_api_key_permission(request, user, db) api_key = await Users.get_user_api_key_by_id(user.id, db=db) if api_key: return {