From 3fa3a767b3052313771eb44b6fe8ffa44f223826 Mon Sep 17 00:00:00 2001
From: David Manouchehri
Date: Fri, 24 Nov 2023 11:59:00 -0500
Subject: [PATCH 1/3] Fix OpenAPI auth spec.
---
 litellm/proxy/proxy_server.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/litellm/proxy/proxy_server.py b/litellm/proxy/proxy_server.py
index fbeca71112..701d2ab842 100644
--- a/litellm/proxy/proxy_server.py
+++ b/litellm/proxy/proxy_server.py
@@ -88,7 +88,7 @@ from fastapi.routing import APIRouter
 from fastapi.encoders import jsonable_encoder
 from fastapi.responses import StreamingResponse, FileResponse
 from fastapi.middleware.cors import CORSMiddleware
-from fastapi.security import OAuth2PasswordBearer
+from fastapi.security.api_key import APIKeyHeader
 import json
 import logging
 # from litellm.proxy.queue import start_rq_worker_in_background
@@ -115,7 +115,6 @@ user_telemetry = True
 user_config = None
 user_headers = None
 local_logging = True # writes logs to a local api_log.json file for debugging
-oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
 experimental = False
 #### GLOBAL VARIABLES ####
 llm_router: Optional[litellm.Router] = None
@@ -145,14 +144,15 @@ def usage_telemetry(
 target=litellm.utils.litellm_telemetry, args=(data,), daemon=True
 ).start()
-async def user_api_key_auth(request: Request):
+api_key_header = APIKeyHeader(name="Authorization", auto_error=False)
+
+async def user_api_key_auth(request: Request, api_key: str = fastapi.Security(api_key_header)):
 global master_key, prisma_client, llm_model_list
 if master_key is None:
 return
 try:
- api_key = await oauth2_scheme(request=request)
 route = request.url.path
- if api_key == master_key:
+ if api_key == master_key or api_key == "Bearer " + master_key:
 return
 if (route == "/key/generate" or route == "/key/delete") and api_key != master_key:
From 5b6f2271701399039c53d85df7de88815762a9f1 Mon Sep 17 00:00:00 2001
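Review bot: In the `user_api_key_auth` hunk, `APIKeyHeader(..., auto_error=False)` hands the function `api_key = None` when the Authorization header is absent, and nothing on the new side rejects that value — both `==` comparisons are simply false and execution continues toward whatever follows the `if (route == ...)` line outside the hunk, whereas the removed `await oauth2_scheme(request=request)` used FastAPI's default `auto_error=True` and raised before any comparison. If the later code does not reject `None` itself, add `if api_key is None: raise Exception("No API key provided")` directly after `route = request.url.path`. The parameter annotation should also read `api_key: Optional[str]` rather than `str` (the file already uses `Optional`, see the `llm_router` line in the preceding hunk), since `None` is a legitimate value of that dependency. The function's body continues past the end of the hunk.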
From: David Manouchehri
Date: Fri, 24 Nov 2023 12:03:16 -0500
Subject: [PATCH 2/3] Fix master key check.
---
 litellm/proxy/proxy_server.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/litellm/proxy/proxy_server.py b/litellm/proxy/proxy_server.py
index 701d2ab842..9ea6993ab2 100644
--- a/litellm/proxy/proxy_server.py
+++ b/litellm/proxy/proxy_server.py
@@ -155,7 +155,7 @@ async def user_api_key_auth(request: Request, api_key: str = fastapi.Security(ap
 if api_key == master_key or api_key == "Bearer " + master_key:
 return
- if (route == "/key/generate" or route == "/key/delete") and api_key != master_key:
+ if (route == "/key/generate" or route == "/key/delete") and not (api_key == master_key or api_key == "Bearer " + master_key):
 raise Exception(f"If master key is set, only master key can be used to generate new keys")
 if prisma_client:
From ac08e3616c270973b9540f3393afe263eecdcc2f Mon Sep 17 00:00:00 2001
From: David Manouchehri
Date: Fri, 24 Nov 2023 12:12:29 -0500
Subject: [PATCH 3/3] Fix timing attack on master_key.
---
 litellm/proxy/proxy_server.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/litellm/proxy/proxy_server.py b/litellm/proxy/proxy_server.py
index 9ea6993ab2..eb21384848 100644
--- a/litellm/proxy/proxy_server.py
+++ b/litellm/proxy/proxy_server.py
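Review bot: The new `and not (api_key == master_key or api_key == "Bearer " + master_key)` clause on the `/key/generate` check is always true where it runs, because the two context lines just above `return` whenever that same disjunction holds; the clause repeats a comparison that has already failed and will have to be kept in sync with it (the `and not is_master_key_valid` form in the `[PATCH 3/3]` hunk carries the same redundancy). The guard reads more plainly as `if route in ("/key/generate", "/key/delete"):` followed by the existing `raise`. `user_api_key_auth` begins before and ends after this hunk.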
@@ -152,10 +152,11 @@ async def user_api_key_auth(request: Request, api_key: str = fastapi.Security(ap
 return
 try:
 route = request.url.path
- if api_key == master_key or api_key == "Bearer " + master_key:
+ is_master_key_valid = secrets.compare_digest(api_key, master_key) or secrets.compare_digest(api_key == "Bearer " + master_key)
+ if is_master_key_valid:
 return
- if (route == "/key/generate" or route == "/key/delete") and not (api_key == master_key or api_key == "Bearer " + master_key):
+ if (route == "/key/generate" or route == "/key/delete") and not is_master_key_valid:
 raise Exception(f"If master key is set, only master key can be used to generate new keys")
 if prisma_client:
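Review bot: The second call on the new `is_master_key_valid` line, `secrets.compare_digest(api_key == "Bearer " + master_key)`, passes a single bool where `compare_digest` takes two arguments, so it raises `TypeError` for every request whose key is not byte-for-byte `master_key` — including any non-master key the `prisma_client` branch below was meant to look up; the first call likewise raises `TypeError` when `api_key` is `None` (header absent, `auto_error=False`) or when either string contains non-ASCII characters, since `compare_digest` on `str` accepts ASCII only. This commit's diffstat places all three insertions in this hunk, so unless `secrets` is already imported earlier in the file the line fails with `NameError` before any comparison happens. Comparing UTF-8 bytes and treating a missing header as the empty string removes all of these failure modes while keeping the constant-time comparison the commit is after; the rewritten lines follow. `user_api_key_auth` begins before and ends after this hunk, and what the enclosing `except` does with these exceptions is not visible here.
```python
        route = request.url.path
        # header absent -> api_key is None (auto_error=False); compare as bytes so
        # a non-ASCII value cannot make compare_digest raise TypeError
        presented = (api_key or "").encode("utf-8")
        expected = master_key.encode("utf-8")  # assumes master_key is a str — confirm
        is_master_key_valid = secrets.compare_digest(presented, expected) or secrets.compare_digest(presented, b"Bearer " + expected)
        if is_master_key_valid:
            return
        # … unchanged: /key/generate and /key/delete gate, prisma_client branch …
```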