From a2366a20ba9e2fa0ec525b7ff586a4f7d9450833 Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek <tim@openwebui.com>
Date: Tue, 24 Dec 2024 23:32:34 -0700
Subject: [PATCH] refac: api key auth allowed paths

---
 backend/open_webui/utils/auth.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/backend/open_webui/utils/auth.py b/backend/open_webui/utils/auth.py
index e1a0ca671..6912938cf 100644
--- a/backend/open_webui/utils/auth.py
+++ b/backend/open_webui/utils/auth.py
@@ -95,6 +95,13 @@ def get_current_user(
             raise HTTPException(
                 status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
             )
+
+        allowed_paths = ["/api/models", "/api/chat/completions"]
+        if request.url.path not in allowed_paths:
+            raise HTTPException(
+                status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
+            )
+
         return get_current_user_by_api_key(token)
 
     # auth by jwt token