Files
open-webui/backend/open_webui
Classic298 83024d00bb fix: enforce API key endpoint restrictions at the auth layer, not middleware (#23637)
The APIKeyRestrictionMiddleware only inspected the Authorization header for sk- tokens, but get_current_user also reads API keys from cookies and x-api-key headers. This allowed complete bypass of endpoint restrictions by sending the key via an alternate transport.

Moves the restriction check into get_current_user_by_api_key so it runs regardless of how the API key was delivered. Removes the now-redundant middleware.
2026-04-12 16:33:41 -05:00
..
2026-04-12 14:22:11 -05:00
2026-04-01 18:26:46 -05:00
2026-04-12 14:22:11 -05:00
2026-04-12 14:22:11 -05:00
2026-03-23 23:39:52 -05:00
2026-04-12 12:36:21 -05:00
2026-03-17 17:58:01 -05:00
2026-04-12 14:39:23 -05:00
2026-03-24 15:41:26 -05:00
2026-04-11 17:06:58 -06:00
2026-03-25 17:29:57 -05:00
2026-04-12 16:25:01 -05:00
2026-04-12 14:22:11 -05:00
2026-03-17 17:58:01 -05:00