(fix) handle when users pass Malformed API Key

2025-04-27 11:43:54 +00:00 · 2024-02-01 16:29:50 -08:00 · 2024-02-01 16:29:50 -08:00 · edffc5fd0d
commit edffc5fd0d
parent 2902cb1d82
1 changed files with 6 additions and 8 deletions
--- a/litellm/proxy/proxy_server.py
+++ b/litellm/proxy/proxy_server.py
@ -277,14 +277,6 @@ async def user_api_key_auth(
            else:
                return UserAPIKeyAuth()

-        if api_key is None:
-            raise Exception("No API Key passed in. api_key is None")
-        if secrets.compare_digest(api_key, ""):
-            # missing 'Bearer ' prefix
-            raise Exception(
-                f"Malformed API Key passed in. Ensure Key has `Bearer ` prefix. Passed in: {passed_in_key}"
-            )
-
        route: str = request.url.path
        if route == "/user/auth":
            if general_settings.get("allow_user_auth", False) == True:
@ -310,6 +302,12 @@ async def user_api_key_auth(
        if api_key is None:  # only require api key if master key is set
            raise Exception(f"No api key passed in.")

+        if secrets.compare_digest(api_key, ""):
+            # missing 'Bearer ' prefix
+            raise Exception(
+                f"Malformed API Key passed in. Ensure Key has `Bearer ` prefix. Passed in: {passed_in_key}"
+            )
+
        # note: never string compare api keys, this is vulenerable to a time attack. Use secrets.compare_digest instead
        is_master_key_valid = secrets.compare_digest(api_key, master_key)
        if is_master_key_valid: