From 979e6e5a79252d402d01a7d7aa380cdc8f78f5f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antti=20Pyykk=C3=B6nen?= Date: Tue, 19 Nov 2024 16:14:52 +0200 Subject: [PATCH] feat: support for configuring private api key use --- .../open_webui/apps/webui/routers/auths.py | 8 +- backend/open_webui/config.py | 4 + backend/open_webui/constants.py | 2 + backend/open_webui/main.py | 2 + backend/open_webui/utils/utils.py | 11 +- .../components/chat/Settings/Account.svelte | 164 +++++++++--------- src/lib/stores/index.ts | 1 + 7 files changed, 111 insertions(+), 81 deletions(-) diff --git a/backend/open_webui/apps/webui/routers/auths.py b/backend/open_webui/apps/webui/routers/auths.py index d3592f03b..ba0af2370 100644 --- a/backend/open_webui/apps/webui/routers/auths.py +++ b/backend/open_webui/apps/webui/routers/auths.py @@ -18,9 +18,10 @@ from open_webui.apps.webui.models.auths import ( UserResponse, ) from open_webui.apps.webui.models.users import Users -from open_webui.config import WEBUI_AUTH +from open_webui.config import ENABLE_API_KEY_AUTH from open_webui.constants import ERROR_MESSAGES, WEBHOOK_MESSAGES from open_webui.env import ( + WEBUI_AUTH, WEBUI_AUTH_TRUSTED_EMAIL_HEADER, WEBUI_AUTH_TRUSTED_NAME_HEADER, WEBUI_SESSION_COOKIE_SAME_SITE, @@ -734,6 +735,11 @@ async def update_ldap_config( # create api key @router.post("/api_key", response_model=ApiKey) async def create_api_key_(user=Depends(get_current_user)): + if not ENABLE_API_KEY_AUTH: + raise HTTPException( + status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_CREATION_NOT_ALLOWED + ) + api_key = create_api_key() success = Users.update_user_api_key_by_id(user.id, api_key) if success: diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py index c33895396..0a36b8c7c 100644 --- a/backend/open_webui/config.py +++ b/backend/open_webui/config.py @@ -265,6 +265,10 @@ class AppConfig: # WEBUI_AUTH (Required for security) #################################### +ENABLE_API_KEY_AUTH = ( + os.environ.get("ENABLE_API_KEY_AUTH", "True").lower() == "true" +) + JWT_EXPIRES_IN = PersistentConfig( "JWT_EXPIRES_IN", "auth.jwt_expiry", os.environ.get("JWT_EXPIRES_IN", "-1") ) diff --git a/backend/open_webui/constants.py b/backend/open_webui/constants.py index d6f33af4a..9c7d6f9e9 100644 --- a/backend/open_webui/constants.py +++ b/backend/open_webui/constants.py @@ -62,6 +62,7 @@ class ERROR_MESSAGES(str, Enum): NOT_FOUND = "We could not find what you're looking for :/" USER_NOT_FOUND = "We could not find what you're looking for :/" API_KEY_NOT_FOUND = "Oops! It looks like there's a hiccup. The API key is missing. Please make sure to provide a valid API key to access this feature." + API_KEY_NOT_ALLOWED = "Use of API key is not enabled in the environment." MALICIOUS = "Unusual activities detected, please try again in a few minutes." @@ -75,6 +76,7 @@ class ERROR_MESSAGES(str, Enum): OPENAI_NOT_FOUND = lambda name="": "OpenAI API was not found" OLLAMA_NOT_FOUND = "WebUI could not connect to Ollama" CREATE_API_KEY_ERROR = "Oops! Something went wrong while creating your API key. Please try again later. If the issue persists, contact support for assistance." + API_KEY_CREATION_NOT_ALLOWED = "API key creation is not allowed in the environment." EMPTY_CONTENT = "The content provided is empty. Please ensure that there is text or data present before proceeding." diff --git a/backend/open_webui/main.py b/backend/open_webui/main.py index 04c86395a..94d766f65 100644 --- a/backend/open_webui/main.py +++ b/backend/open_webui/main.py @@ -74,6 +74,7 @@ from open_webui.config import ( ENABLE_ADMIN_EXPORT, ENABLE_OLLAMA_API, ENABLE_OPENAI_API, + ENABLE_API_KEY_AUTH, ENABLE_TAGS_GENERATION, ENV, FRONTEND_BUILD_DIR, @@ -2427,6 +2428,7 @@ async def get_app_config(request: Request): "auth": WEBUI_AUTH, "auth_trusted_header": bool(webui_app.state.AUTH_TRUSTED_EMAIL_HEADER), "enable_ldap": webui_app.state.config.ENABLE_LDAP, + "enable_api_key_auth": ENABLE_API_KEY_AUTH, "enable_signup": webui_app.state.config.ENABLE_SIGNUP, "enable_login_form": webui_app.state.config.ENABLE_LOGIN_FORM, **( diff --git a/backend/open_webui/utils/utils.py b/backend/open_webui/utils/utils.py index 1c2205ebf..ef8dba1c2 100644 --- a/backend/open_webui/utils/utils.py +++ b/backend/open_webui/utils/utils.py @@ -5,13 +5,11 @@ import jwt from datetime import UTC, datetime, timedelta from typing import Optional, Union, List, Dict - from open_webui.apps.webui.models.users import Users from open_webui.constants import ERROR_MESSAGES from open_webui.env import WEBUI_SECRET_KEY - from fastapi import Depends, HTTPException, Request, Response, status from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer from passlib.context import CryptContext @@ -75,10 +73,15 @@ def get_http_authorization_cred(auth_header: str): except Exception: raise ValueError(ERROR_MESSAGES.INVALID_TOKEN) +def get_api_key_auth_config(): + from open_webui.config import ENABLE_API_KEY_AUTH + return ENABLE_API_KEY_AUTH + def get_current_user( request: Request, auth_token: HTTPAuthorizationCredentials = Depends(bearer_security), + api_key_auth_enabled: bool = Depends(get_api_key_auth_config) ): token = None @@ -93,6 +96,10 @@ def get_current_user( # auth by api key if token.startswith("sk-"): + if not api_key_auth_enabled: + raise HTTPException( + status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED + ) return get_current_user_by_api_key(token) # auth by jwt token diff --git a/src/lib/components/chat/Settings/Account.svelte b/src/lib/components/chat/Settings/Account.svelte index 5946744f9..5e3bef37b 100644 --- a/src/lib/components/chat/Settings/Account.svelte +++ b/src/lib/components/chat/Settings/Account.svelte @@ -2,7 +2,7 @@ import { toast } from 'svelte-sonner'; import { onMount, getContext } from 'svelte'; - import { user } from '$lib/stores'; + import { user, config } from '$lib/stores'; import { updateUserProfile, createAPIKey, getAPIKey } from '$lib/apis/auths'; import UpdatePassword from './Account/UpdatePassword.svelte'; @@ -27,6 +27,8 @@ let APIKey = ''; let APIKeyCopied = false; + $: enableApiKeyAuth = $config?.features.enable_api_key_auth ?? true; + let profileImageInputElement: HTMLInputElement; const submitHandler = async () => { @@ -306,90 +308,96 @@
{$i18n.t('API Key')}
-
- {#if APIKey} - + {#if !enableApiKeyAuth} +
+ {$i18n.t('Private API keys are disabled in this environment')} +
+ {:else} +
+ {#if APIKey} + - - - + + + + + {:else} + - - {:else} - - {/if} -
+ {$i18n.t('Create new secret key')} + {/if} +
+ {/if} {/if} diff --git a/src/lib/stores/index.ts b/src/lib/stores/index.ts index 0765c1c5c..8b2ea7b9d 100644 --- a/src/lib/stores/index.ts +++ b/src/lib/stores/index.ts @@ -172,6 +172,7 @@ type Config = { features: { auth: boolean; auth_trusted_header: boolean; + enable_api_key_auth: boolean; enable_signup: boolean; enable_login_form: boolean; enable_web_search?: boolean;