fix(team_endpoints.py): check if key belongs to team before returning /team/info

litellm/proxy/auth/handle_jwt.py

@@ -6,19 +6,21 @@ Currently only supports admin.
 JWT token must have 'litellm_proxy_admin' in scope. 
 """
 
-import jwt
 import json
 import os
-from litellm.caching import DualCache
-from litellm._logging import verbose_proxy_logger
-from litellm.proxy._types import LiteLLM_JWTAuth, LiteLLM_UserTable
-from litellm.proxy.utils import PrismaClient
-from litellm.llms.custom_httpx.httpx_handler import HTTPHandler
 from typing import Optional
+
+import jwt
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 
+from litellm._logging import verbose_proxy_logger
+from litellm.caching import DualCache
+from litellm.llms.custom_httpx.httpx_handler import HTTPHandler
+from litellm.proxy._types import LiteLLM_JWTAuth, LiteLLM_UserTable
+from litellm.proxy.utils import PrismaClient
+
 
 class JWTHandler:
     """

litellm/proxy/management_endpoints/team_endpoints.py

@@ -713,6 +713,7 @@ async def team_info(
     team_id: str = fastapi.Query(
         default=None, description="Team ID in the request parameters"
     ),
+    user_api_key_dict: UserAPIKeyAuth = Depends(user_api_key_auth),
 ):
     """
     get info on team + related keys
@@ -747,6 +748,12 @@ async def team_info(
                 detail={"message": "Malformed request. No team id passed in."},
             )
 
+        if user_api_key_dict.team_id or (team_id != user_api_key_dict.team_id):
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="key not allowed to access this team's info",
+            )
+
         team_info = await prisma_client.get_data(
             team_id=team_id, table_name="team", query_type="find_unique"
         )