From 72b085e19ecf7dd8c1bd005a8a821f68e4454388 Mon Sep 17 00:00:00 2001
From: yangdx
Date: Tue, 25 Mar 2025 11:47:52 +0800
Subject: [PATCH] Refactor authentication logic and update API version.

---
 lightrag/api/__init__.py  |  2 +-
 lightrag/api/utils_api.py | 85 +++++++++++++++++----------------------
 2 files changed, 37 insertions(+), 50 deletions(-)

diff --git a/lightrag/api/__init__.py b/lightrag/api/__init__.py
index 8967cb32..972fb714 100644
--- a/lightrag/api/__init__.py
+++ b/lightrag/api/__init__.py
@@ -1 +1 @@
-__api_version__ = "1.2.3"
+__api_version__ = "1.2.5"
diff --git a/lightrag/api/utils_api.py b/lightrag/api/utils_api.py
index ed1444ad..0541fd59 100644
--- a/lightrag/api/utils_api.py
+++ b/lightrag/api/utils_api.py
@@ -100,34 +100,7 @@ def get_combined_auth_dependency(api_key: Optional[str] = None):
         ):
             return # Whitelist path, allow access
 
-        # 2. Check for special endpoints (/health and Ollama API)
-        is_special_endpoint = path == "/health" or path.startswith("/api/")
-        if is_special_endpoint and not api_key_configured:
-            return # Special endpoint and no API key configured, allow access
-
-        # 3. Validate API key if provided
-        if (
-            api_key_configured
-            and api_key_header_value
-            and api_key_header_value == api_key
-        ):
-            return # API key validation successful
-
-        # 4. /health and Ollama API only accept API key validation
-        if api_key_configured and is_special_endpoint:
-            # Special endpoint but API key validation failed, return 403 error
-            if api_key_header_value:
-                raise HTTPException(
-                    status_code=HTTP_403_FORBIDDEN,
-                    detail="Invalid API Key",
-                )
-            else:
-                raise HTTPException(
-                    status_code=HTTP_403_FORBIDDEN,
-                    detail="API Key required",
-                )
-
-        # 5. Validate token if provided
+        # 2. Validate token first if provided in the request (Ensure 401 error if token is invalid)
         if token:
             try:
                 token_info = auth_handler.validate_token(token)
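Review bot: Dropping the special-endpoint block changes what `/health` and `/api/*` accept when password auth is configured without an API key — they now fall through to the token and API-key checks further down unless the whitelist test that closes at the top of this hunk already covers them — yet neither the commit message ("Refactor") nor the new step-2 comment records that. Suggest stating it where the exemption used to live: `# Note: /health and /api/* are no longer exempt; they must be whitelisted to stay open when auth is configured.` The step-2 comment also promises a 401 for an invalid token, which holds only if the except clause below re-raises in every invalid-token case; that clause and the rest of combined_dependency lie outside this hunk, so it cannot be confirmed here.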
@@ -149,33 +122,47 @@ def get_combined_auth_dependency(api_key: Optional[str] = None):
                     raise # For other exceptions, continue processing
 
-        # If token exists but validation failed (didn't return above), return 401
-        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
-            detail="Invalid token. Please login again.",
-        )
-
-        # 5. Acept all if no API protection needed
+        # 3. Acept all request if no API protection needed
         if not auth_configured and not api_key_configured:
             return
 
-        # 5. Otherwise: refuse access and return 403 error
-        if api_key_configured:
-            if api_key_header_value is None:
-                raise HTTPException(
-                    status_code=HTTP_403_FORBIDDEN,
-                    detail="API Key required or login authentication required.",
-                )
-            else:
-                raise HTTPException(
-                    status_code=HTTP_403_FORBIDDEN,
-                    detail="Invalid API Key or login authentication required.",
-                )
-        else:
+        # 4. Validate API key if provided and API-Key authentication is configured
+        if (
+            api_key_configured
+            and api_key_header_value
+            and api_key_header_value == api_key
+        ):
+            return # API key validation successful
+
+        ### Authentication failed ####
+
+        # if password authentication is configured but not provided, ensure 401 error if auth_configured
+        if auth_configured and not token:
             raise HTTPException(
-                status_code=HTTP_403_FORBIDDEN, detail="Login authentication required."
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="No credentials provided. Please login.",
             )
 
+        # if api key is provided but validation failed
+        if api_key_header_value:
+            raise HTTPException(
+                status_code=HTTP_403_FORBIDDEN,
+                detail="Invalid API Key",
+            )
+
+        # if api_key_configured but not provided
+        if api_key_configured and not api_key_header_value:
+            raise HTTPException(
+                status_code=HTTP_403_FORBIDDEN,
+                detail="API Key required",
+            )
+
+        # Otherwise: refuse access and return 403 error
+        raise HTTPException(
+            status_code=HTTP_403_FORBIDDEN,
+            detail="API Key required or login authentication required.",
+        )
+
     return combined_dependency
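Review bot: The `if auth_configured and not token:` guard raises 401 "No credentials provided" before the API-key outcome is reported, so a request carrying a wrong `api_key_header_value` and no token is told it sent nothing, and the `# if api key is provided but validation failed` branch below it can only run when a token was present or password auth is off. If that is not intended, `if auth_configured and not token and not api_key_header_value:` keeps the 401 for genuinely empty requests and lets the 403 "Invalid API Key" fire; if the 401 is meant to drive the login flow regardless, the comment should say so. The key match in step 4 is a plain `==`; `hmac.compare_digest(api_key_header_value, api_key)` (stdlib `hmac`) avoids a timing side channel on a secret comparison. A token that fails validation but whose exception is swallowed by the except clause above (outside this hunk) now ends at the final 403, whose text mentions an API key even when none is configured, where the removed branch returned 401 "Invalid token". Also "Acept" in the step-3 comment is a typo for "Accept".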