Files
open-webui/backend
Classic298 83024d00bb fix: enforce API key endpoint restrictions at the auth layer, not middleware (#23637)
The APIKeyRestrictionMiddleware only inspected the Authorization header for sk- tokens, but get_current_user also reads API keys from cookies and x-api-key headers. This allowed complete bypass of endpoint restrictions by sending the key via an alternate transport.

Moves the restriction check into get_current_user_by_api_key so it runs regardless of how the API key was delivered. Removes the now-redundant middleware.
2026-04-12 16:33:41 -05:00
..
2026-03-24 19:43:30 -05:00
2026-04-12 14:22:11 -05:00
2026-04-12 14:22:11 -05:00
2026-03-24 19:43:30 -05:00
2026-03-24 19:43:30 -05:00