[PR #23637] [MERGED] fix: enforce API key endpoint restrictions on cookie-based authentication #27294

Closed
opened 2026-04-20 06:59:10 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23637
Author: @Classic298
Created: 4/12/2026
Status: Merged
Merged: 4/12/2026
Merged by: @tjbck

Base: devHead: fix/api-key-cookie-restriction-bypass


📝 Commits (1)

  • d0f46b5 fix: enforce API key endpoint restrictions at the auth layer, not middleware

📊 Changes

2 files changed (+20 additions, -44 deletions)

View changed files

📝 backend/open_webui/main.py (+0 -44)
📝 backend/open_webui/utils/auth.py (+20 -0)

📄 Description

The APIKeyRestrictionMiddleware only inspected the Authorization header for sk- tokens, but get_current_user also reads API keys from cookies and x-api-key headers. This allowed complete bypass of endpoint restrictions by sending the key via an alternate transport.

Moves the restriction check into get_current_user_by_api_key so it runs regardless of how the API key was delivered. Removes the now-redundant middleware.

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/23637 **Author:** [@Classic298](https://github.com/Classic298) **Created:** 4/12/2026 **Status:** ✅ Merged **Merged:** 4/12/2026 **Merged by:** [@tjbck](https://github.com/tjbck) **Base:** `dev` ← **Head:** `fix/api-key-cookie-restriction-bypass` --- ### 📝 Commits (1) - [`d0f46b5`](https://github.com/open-webui/open-webui/commit/d0f46b5cf7c6101ee6ad1ebb84b1b06dd20938e4) fix: enforce API key endpoint restrictions at the auth layer, not middleware ### 📊 Changes **2 files changed** (+20 additions, -44 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/main.py` (+0 -44) 📝 `backend/open_webui/utils/auth.py` (+20 -0) </details> ### 📄 Description The APIKeyRestrictionMiddleware only inspected the Authorization header for sk- tokens, but get_current_user also reads API keys from cookies and x-api-key headers. This allowed complete bypass of endpoint restrictions by sending the key via an alternate transport. Moves the restriction check into get_current_user_by_api_key so it runs regardless of how the API key was delivered. Removes the now-redundant middleware. ### Contributor License Agreement <!-- 🚨 DO NOT DELETE THE TEXT BELOW 🚨 Keep the "Contributor License Agreement" confirmation text intact. Deleting it will trigger the CLA-Bot to INVALIDATE your PR. Your PR will NOT be reviewed or merged until you check the box below confirming that you have read and agree to the terms of the CLA. --> - [X] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 06:59:10 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#27294