feat: support for configuring private api key use

2025-06-26 18:26:48 +00:00 · 2024-11-19 16:14:52 +02:00
parent 5c4124ebe5
commit 979e6e5a79
7 changed files with 111 additions and 81 deletions
--- a/backend/open_webui/apps/webui/routers/auths.py
+++ b/backend/open_webui/apps/webui/routers/auths.py
@@ -18,9 +18,10 @@ from open_webui.apps.webui.models.auths import (
    UserResponse,
 )
 from open_webui.apps.webui.models.users import Users
-from open_webui.config import WEBUI_AUTH
+from open_webui.config import ENABLE_API_KEY_AUTH
 from open_webui.constants import ERROR_MESSAGES, WEBHOOK_MESSAGES
 from open_webui.env import (
+    WEBUI_AUTH,
    WEBUI_AUTH_TRUSTED_EMAIL_HEADER,
    WEBUI_AUTH_TRUSTED_NAME_HEADER,
    WEBUI_SESSION_COOKIE_SAME_SITE,
@@ -734,6 +735,11 @@ async def update_ldap_config(
 # create api key
@router.post("/api_key", response_model=ApiKey)
 async def create_api_key_(user=Depends(get_current_user)):
+    if not ENABLE_API_KEY_AUTH:
+        raise HTTPException(
+            status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_CREATION_NOT_ALLOWED
+        )
+
    api_key = create_api_key()
    success = Users.update_user_api_key_by_id(user.id, api_key)
    if success:
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@@ -265,6 +265,10 @@ class AppConfig:
 # WEBUI_AUTH (Required for security)
 ####################################

+ENABLE_API_KEY_AUTH = (
+    os.environ.get("ENABLE_API_KEY_AUTH", "True").lower() == "true"
+)
+
 JWT_EXPIRES_IN = PersistentConfig(
    "JWT_EXPIRES_IN", "auth.jwt_expiry", os.environ.get("JWT_EXPIRES_IN", "-1")
 )
--- a/backend/open_webui/constants.py
+++ b/backend/open_webui/constants.py
@@ -62,6 +62,7 @@ class ERROR_MESSAGES(str, Enum):
    NOT_FOUND = "We could not find what you're looking for :/"
    USER_NOT_FOUND = "We could not find what you're looking for :/"
    API_KEY_NOT_FOUND = "Oops! It looks like there's a hiccup. The API key is missing. Please make sure to provide a valid API key to access this feature."
+    API_KEY_NOT_ALLOWED = "Use of API key is not enabled in the environment."

    MALICIOUS = "Unusual activities detected, please try again in a few minutes."

@@ -75,6 +76,7 @@ class ERROR_MESSAGES(str, Enum):
    OPENAI_NOT_FOUND = lambda name="": "OpenAI API was not found"
    OLLAMA_NOT_FOUND = "WebUI could not connect to Ollama"
    CREATE_API_KEY_ERROR = "Oops! Something went wrong while creating your API key. Please try again later. If the issue persists, contact support for assistance."
+    API_KEY_CREATION_NOT_ALLOWED = "API key creation is not allowed in the environment."

    EMPTY_CONTENT = "The content provided is empty. Please ensure that there is text or data present before proceeding."

--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@@ -74,6 +74,7 @@ from open_webui.config import (
    ENABLE_ADMIN_EXPORT,
    ENABLE_OLLAMA_API,
    ENABLE_OPENAI_API,
+    ENABLE_API_KEY_AUTH,
    ENABLE_TAGS_GENERATION,
    ENV,
    FRONTEND_BUILD_DIR,
@@ -2427,6 +2428,7 @@ async def get_app_config(request: Request):
            "auth": WEBUI_AUTH,
            "auth_trusted_header": bool(webui_app.state.AUTH_TRUSTED_EMAIL_HEADER),
            "enable_ldap": webui_app.state.config.ENABLE_LDAP,
+            "enable_api_key_auth": ENABLE_API_KEY_AUTH,
            "enable_signup": webui_app.state.config.ENABLE_SIGNUP,
            "enable_login_form": webui_app.state.config.ENABLE_LOGIN_FORM,
            **(
--- a/backend/open_webui/utils/utils.py
+++ b/backend/open_webui/utils/utils.py
@@ -5,13 +5,11 @@ import jwt
 from datetime import UTC, datetime, timedelta
 from typing import Optional, Union, List, Dict

-
 from open_webui.apps.webui.models.users import Users

 from open_webui.constants import ERROR_MESSAGES
 from open_webui.env import WEBUI_SECRET_KEY

-
 from fastapi import Depends, HTTPException, Request, Response, status
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 from passlib.context import CryptContext
@@ -75,10 +73,15 @@ def get_http_authorization_cred(auth_header: str):
    except Exception:
        raise ValueError(ERROR_MESSAGES.INVALID_TOKEN)

+def get_api_key_auth_config():
+    from open_webui.config import ENABLE_API_KEY_AUTH
+    return ENABLE_API_KEY_AUTH
+

 def get_current_user(
    request: Request,
    auth_token: HTTPAuthorizationCredentials = Depends(bearer_security),
+    api_key_auth_enabled: bool = Depends(get_api_key_auth_config)
 ):
    token = None

@@ -93,6 +96,10 @@ def get_current_user(

    # auth by api key
    if token.startswith("sk-"):
+        if not api_key_auth_enabled:
+            raise HTTPException(
+                status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
+            )
        return get_current_user_by_api_key(token)

    # auth by jwt token