(proxy) - Auth fix, ensure re-using safe request body for checking model field (#7222)

* litellm fix auth check * fix _read_request_body * test_auth_with_form_data_and_model * fix auth check * fix _read_request_body * fix _safe_get_request_headers
2025-04-27 11:43:54 +00:00 · 2024-12-14 12:01:25 -08:00 · 2024-12-14 12:01:25 -08:00 · 9432812c90
commit 9432812c90
parent ec36353b41
3 changed files with 87 additions and 16 deletions
--- a/litellm/proxy/auth/user_api_key_auth.py
+++ b/litellm/proxy/auth/user_api_key_auth.py
@ -899,12 +899,10 @@ async def user_api_key_auth(  # noqa: PLR0915
                # the validation will occur when checking the team has access to this model
                pass
            else:
-                try:
-                    data = await request.json()
-                except json.JSONDecodeError:
-                    data = {}  # Provide a default value, such as an empty dictionary
-                model = data.get("model", None)
-                fallback_models: Optional[List[str]] = data.get("fallbacks", None)
+                model = request_data.get("model", None)
+                fallback_models: Optional[List[str]] = request_data.get(
+                    "fallbacks", None
+                )

                if model is not None:
                    await can_key_call_model(
--- a/litellm/proxy/common_utils/http_parsing_utils.py
+++ b/litellm/proxy/common_utils/http_parsing_utils.py
@ -21,19 +21,23 @@ async def _read_request_body(request: Optional[Request]) -> Dict:
    try:
        if request is None:
            return {}
+        _request_headers: dict = _safe_get_request_headers(request=request)
+        content_type = _request_headers.get("content-type", "")
+        if "form" in content_type:
+            return dict(await request.form())
+        else:
+            # Read the request body
+            body = await request.body()

-        # Read the request body
-        body = await request.body()
+            # Return empty dict if body is empty or None
+            if not body:
+                return {}

-        # Return empty dict if body is empty or None
-        if not body:
-            return {}
+            # Decode the body to a string
+            body_str = body.decode()

-        # Decode the body to a string
-        body_str = body.decode()
-
-        # Attempt JSON parsing (safe for untrusted input)
-        return json.loads(body_str)
+            # Attempt JSON parsing (safe for untrusted input)
+            return json.loads(body_str)

    except json.JSONDecodeError:
        # Log detailed information for debugging
@ -48,6 +52,21 @@ async def _read_request_body(request: Optional[Request]) -> Dict:
        return {}


+def _safe_get_request_headers(request: Optional[Request]) -> dict:
+    """
+    [Non-Blocking] Safely get the request headers
+    """
+    try:
+        if request is None:
+            return {}
+        return dict(request.headers)
+    except Exception as e:
+        verbose_proxy_logger.exception(
+            "Unexpected error reading request headers - {}".format(e)
+        )
+        return {}
+
+
 def check_file_size_under_limit(
    request_data: dict,
    file: UploadFile,