(UI) - Security Improvement, move to JWT Auth for Admin UI Sessions (#8995)

* (UI) - Improvements to session handling logic (#8970)

* add cookieUtils

* use utils for clearing cookies

* on logout use clearTokenCookies

* ui use correct clearTokenCookies

* navbar show userEmail on UserID page

* add timestamp on token cookie

* update generate_authenticated_redirect_response

* use common getAuthToken

* fix clearTokenCookies

* fixes for get auth token

* fix invitation link sign in logic

* Revert "fix invitation link sign in logic"

This reverts commit 30e5308cb3.

* fix getAuthToken

* update setAuthToken

* fix ui session handling

* fix ui session handler

* bug fix stop generating LiteLLM Virtual keys for access

* working JWT insert into cookies

* use central place to build UI JWT token

* add _validate_ui_token

* fix ui session handler

* fix fetchWithCredentials

* check allowed routes for ui session tokens

* expose validate_session endpoint

* validate session endpoint

* call sso/session/validate

* getUISessionDetails

* ui move to getUISessionDetails

* /sso/session/validate

* fix cookie utils

* use getUISessionDetails

* use ui_session_id

* "/spend/logs/ui" in spend_tracking_routes

* working sign in JWT flow for proxy admin

* allow proxy admin to access ui routes

* use check_route_access

* update types

* update login method

* fixes to ui session handler

* working flow for admin and internal users

* fixes for invite links

* use JWTs for SSO sign in

* fix /invitation/new flow

* fix code quality checks

* fix _get_ui_session_token_from_cookies

* /organization/list

* ui sso sign in

* TestUISessionHandler

* TestUISessionHandler
Ishaan Jaff 2025-03-04 21:48:23 -08:00 committed by GitHub
parent 42931638df
commit 01a44a4e47
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
17 changed files with 1104 additions and 538 deletions


@ -51,6 +51,7 @@ from litellm.proxy.auth.oauth2_proxy_hook import handle_oauth2_proxy_request
from litellm.proxy.auth.route_checks import RouteChecks
from litellm.proxy.auth.service_account_checks import service_account_checks
from litellm.proxy.common_utils.http_parsing_utils import _read_request_body
from litellm.proxy.management_helpers.ui_session_handler import UISessionHandler
from litellm.proxy.utils import PrismaClient, ProxyLogging, _to_ns
from litellm.types.services import ServiceTypes
@ -335,6 +336,7 @@ async def _user_api_key_auth_builder( # noqa: PLR0915
"pass_through_endpoints", None
)
passed_in_key: Optional[str] = None
cookie_token: Optional[str] = None
if isinstance(api_key, str):
passed_in_key = api_key
api_key = _get_bearer_token(api_key=api_key)
@ -344,6 +346,10 @@ async def _user_api_key_auth_builder( # noqa: PLR0915
api_key = anthropic_api_key_header
elif isinstance(google_ai_studio_api_key_header, str):
api_key = google_ai_studio_api_key_header
elif cookie_token := UISessionHandler._get_ui_session_token_from_cookies(
request
):
api_key = cookie_token
elif pass_through_endpoints is not None:
for endpoint in pass_through_endpoints:
if endpoint.get("path", "") == route:
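Review bot: The cookie branch only runs when none of the earlier `elif` arms matched, so a request carrying both an `Authorization` header (or an Anthropic / Google AI Studio header) and a UI session cookie is authenticated with the header and `cookie_token` stays `None`; confirm that header-over-cookie precedence is the intended behaviour, since it decides whether a browser session can be overridden by a stray header. Two smaller points in the same lines: `_get_ui_session_token_from_cookies` is underscore-prefixed yet is now called from a different module, so a public accessor on `UISessionHandler` would make the contract explicit; and `passed_in_key` is set only in the `isinstance(api_key, str)` branch, so for cookie-sourced tokens it remains `None`, which is worth checking against every later use of `passed_in_key` in this builder (for example `passed_in_key = cookie_token` alongside `api_key = cookie_token` if downstream code relies on it).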
@ -420,7 +426,10 @@ async def _user_api_key_auth_builder( # noqa: PLR0915
if general_settings.get("enable_oauth2_proxy_auth", False) is True:
return await handle_oauth2_proxy_request(request=request)
if general_settings.get("enable_jwt_auth", False) is True:
if (
general_settings.get("enable_jwt_auth", False) is True
or cookie_token is not None
):
from litellm.proxy.proxy_server import premium_user
if premium_user is not True:
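Review bot: Widening the condition to `or cookie_token is not None` routes every UI cookie session into the JWT block even when `enable_jwt_auth` is off, and the very next line still gates that block on `premium_user is not True`; as written, a cookie session on a non-premium deployment would hit the premium check. If UI session JWTs are meant to work for all users, the premium check needs to be scoped to the `enable_jwt_auth` case (for example `if premium_user is not True and cookie_token is None:`), and if they are meant to be premium-only that should be stated in the commit message and docs. A short comment above the condition explaining why a cookie token bypasses the `enable_jwt_auth` setting would also help the next reader of this function.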