mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 06:03:26 -05:00
[PR #23637] [MERGED] fix: enforce API key endpoint restrictions on cookie-based authentication #42924
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/23637
Author: @Classic298
Created: 4/12/2026
Status: ✅ Merged
Merged: 4/12/2026
Merged by: @tjbck
Base:
dev← Head:fix/api-key-cookie-restriction-bypass📝 Commits (1)
d0f46b5fix: enforce API key endpoint restrictions at the auth layer, not middleware📊 Changes
2 files changed (+20 additions, -44 deletions)
View changed files
📝
backend/open_webui/main.py(+0 -44)📝
backend/open_webui/utils/auth.py(+20 -0)📄 Description
The APIKeyRestrictionMiddleware only inspected the Authorization header for sk- tokens, but get_current_user also reads API keys from cookies and x-api-key headers. This allowed complete bypass of endpoint restrictions by sending the key via an alternate transport.
Moves the restriction check into get_current_user_by_api_key so it runs regardless of how the API key was delivered. Removes the now-redundant middleware.
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.