Files
open-webui/backend/open_webui/utils
Classic298 83024d00bb fix: enforce API key endpoint restrictions at the auth layer, not middleware (#23637)
The APIKeyRestrictionMiddleware only inspected the Authorization header for sk- tokens, but get_current_user also reads API keys from cookies and x-api-key headers. This allowed complete bypass of endpoint restrictions by sending the key via an alternate transport.

Moves the restriction check into get_current_user_by_api_key so it runs regardless of how the API key was delivered. Removes the now-redundant middleware.
2026-04-12 16:33:41 -05:00
..
2026-04-12 14:22:11 -05:00
2026-03-17 17:58:01 -05:00
2026-04-12 14:22:11 -05:00
2026-04-12 14:22:11 -05:00
2026-04-12 14:22:11 -05:00
2026-03-17 17:58:01 -05:00
2026-04-12 16:25:01 -05:00
2026-04-12 14:22:11 -05:00
2026-03-17 17:58:01 -05:00
2026-04-12 14:22:11 -05:00
2026-03-17 17:58:01 -05:00
2026-04-12 14:22:11 -05:00
2026-04-12 14:22:11 -05:00
2026-04-12 14:22:11 -05:00
2026-04-12 14:22:11 -05:00
2026-03-17 17:58:01 -05:00
2026-04-10 10:15:55 -07:00
2026-04-12 14:22:11 -05:00
2026-04-12 14:22:11 -05:00
2026-04-12 14:22:11 -05:00
2026-03-24 04:49:48 -05:00
2026-03-17 17:58:01 -05:00
2026-04-12 14:22:11 -05:00
2026-03-17 17:58:01 -05:00
2026-04-12 14:22:11 -05:00
2026-03-24 04:49:48 -05:00
2026-03-17 17:58:01 -05:00
2026-03-17 17:58:01 -05:00
2026-04-12 14:22:11 -05:00
2026-04-02 08:11:06 -05:00
2026-03-24 04:49:48 -05:00