fix(proxy_server.py): check if team scope in jwt

2025-04-26 11:14:04 +00:00 · 2024-03-26 14:01:02 -07:00 · 2024-03-26 14:01:02 -07:00 · d90f44fe8e
commit d90f44fe8e
parent 4d7f4550e2
2 changed files with 11 additions and 0 deletions
--- a/litellm/proxy/auth/handle_jwt.py
+++ b/litellm/proxy/auth/handle_jwt.py
@ -85,6 +85,11 @@ class JWTHandler:
            return True
        return False

+    def is_team(self, scopes: list) -> bool:
+        if self.litellm_proxy_roles.team_jwt_scope in scopes:
+            return True
+        return False
+
    def get_end_user_id(self, token: dict, default_value: Optional[str]) -> str:
        try:
            if self.litellm_proxy_roles.team_id_jwt_field is not None:
--- a/litellm/proxy/proxy_server.py
+++ b/litellm/proxy/proxy_server.py
@ -390,6 +390,12 @@ async def user_api_key_auth(
                        raise Exception(
                            f"Admin not allowed to access this route. Route={route}, Allowed Routes={actual_routes}"
                        )
+                # check if team in scopes
+                is_team = jwt_handler.is_team(scopes=scopes)
+                if is_team == False:
+                    raise Exception(
+                        f"Missing both Admin and Team scopes from token. Either is required. Admin Scope={jwt_handler.litellm_proxy_roles.admin_jwt_scope}, Team Scope={jwt_handler.litellm_proxy_roles.team_jwt_scope}"
+                    )
                # get team id
                team_id = jwt_handler.get_team_id(token=valid_token, default_value=None)