[PR #12433] [MERGED] fix: API Key Endpoint Restrictions for Dynamic Paths #22912

Closed
opened 2026-04-20 04:29:11 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/12433
Author: @gaby
Created: 4/4/2025
Status: Merged
Merged: 4/4/2025
Merged by: @tjbck

Base: dev ← Head: fix-allowed-endpoints


📝 Commits (1)

  • 1c57e3e Fix API_KEY_ALLOWED_ENDPOINTS

📊 Changes

1 file changed (+5 additions, -1 deletions)

View changed files

📝 backend/open_webui/utils/auth.py (+5 -1)

📄 Description

  • This pull request addresses an issue where API key authentication was failing for endpoints with dynamic path segments. Previously, the allowed endpoint configuration was based on strict string equality, which meant that if an allowed endpoint was set to GET /api/v1/files, any request to a dynamic endpoint like GET /api/v1/files/{id} would not match and would be incorrectly rejected.

Fixed / Changed

  • Enhanced Path Matching: Updated the endpoint check logic to iterate over all allowed endpoints using any().
  • Support for Dynamic Routes: The updated logic now checks if the request path either exactly matches an allowed endpoint or starts with the allowed endpoint followed by a /. This ensures that endpoints such as /api/v1/files/123 correctly pass the check when /api/v1/files is allowed.

Reasoning:

  • We ran into this issue after using the ENABLE_API_KEY_ENDPOINT_RESTRICTIONS feature. We added /api/v1/files, and /api/v1/files/ to the allowed list, but users couldn't call any of the dynamic routes like /api/v1/files/{id}.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
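
The matching rule stated in the description (exact match, or the allowed entry followed by `/`), as an added Python example; it is not the code from this PR or from Open WebUI. The comma-separated list format, the helper names, the sample paths, and the step of normalizing the path before comparison are assumptions made here. It compares the boundary-aware rule with a bare `startswith` to show why the trailing `/` matters.

```python
import posixpath

# Constructed allow-list; the comma-separated format is an assumption.
SAMPLE_ALLOWED = "/api/v1/files, /api/v1/models/"


def parse_allowed(raw: str) -> list[str]:
    """Split the list; strip trailing '/' so '/x' and '/x/' are one entry."""
    return [e.strip().rstrip("/") for e in raw.split(",") if e.strip()]


def normalize(path: str) -> str:
    """Collapse '//', '.' and '..' so the check sees the resolved path."""
    return posixpath.normpath("/" + path.lstrip("/"))


def is_allowed(path: str, allowed: list[str]) -> bool:
    """Exact match, or the allowed entry followed by '/' (segment boundary)."""
    path = normalize(path)
    return any(path == e or path.startswith(e + "/") for e in allowed)


def naive_prefix(path: str, allowed: list[str]) -> bool:
    """Bare startswith with no boundary, kept only for comparison."""
    return any(path.startswith(e) for e in allowed)


def compare(paths: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each path to (is_allowed, naive_prefix) for the sample list."""
    allowed = parse_allowed(SAMPLE_ALLOWED)
    return {p: (is_allowed(p, allowed), naive_prefix(p, allowed)) for p in paths}


# Constructed request paths; names other than /api/v1/files are hypothetical.
SAMPLE_PATHS = [
    "/api/v1/files",
    "/api/v1/files/123",
    "/api/v1/files/",
    "/api/v1/filesystem",
    "/api/v1/files-archive",
    "/api/v1/files/../users",
    "/api/v1/models/abc",
]

if __name__ == "__main__":
    for path, (strict, naive) in compare(SAMPLE_PATHS).items():
        print(f"{path:28} boundary={strict!s:5} naive={naive}")
```

The last three denied cases are the ones an API key scoped to `/api/v1/files` should not reach: sibling routes that merely share the string prefix, and a path that resolves outside the allowed subtree.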

GiteaMirror added the pull-request label 2026-04-20 04:29:11 -05:00
Reference: github-starred/open-webui#22912