Padmanav commited on
Commit
77d31c7
·
1 Parent(s): 3e3d958

fix: reject requests when API_KEY env var is not configured

Browse files

Empty api_key was silently bypassing authentication. Now raises
RuntimeError on startup-time misconfiguration rather than allowing
unauthenticated access.

Files changed (2) hide show
  1. app/api/dependencies.py +3 -1
  2. app/core/config.py +1 -0
app/api/dependencies.py CHANGED
@@ -5,7 +5,9 @@ settings = get_settings()
5
 
6
 
7
  def verify_api_key(x_api_key: str = Header(...)):
8
- if settings.api_key and x_api_key != settings.api_key:
 
 
9
  raise HTTPException(
10
  status_code=status.HTTP_401_UNAUTHORIZED,
11
  detail="Invalid or missing API key"
 
5
 
6
 
7
  def verify_api_key(x_api_key: str = Header(...)):
8
+ if not settings.api_key:
9
+ raise RuntimeError("API_KEY environment variable is not set")
10
+ if x_api_key != settings.api_key:
11
  raise HTTPException(
12
  status_code=status.HTTP_401_UNAUTHORIZED,
13
  detail="Invalid or missing API key"
app/core/config.py CHANGED
@@ -10,6 +10,7 @@ class Settings(BaseSettings):
10
 
11
  # Set OPENROUTER_API_KEY as a HF Space Secret
12
  openrouter_api_key: str = ""
 
13
  llm_model: str = "meta-llama/llama-3.3-70b-instruct"
14
 
15
  app_env: str = "production"
 
10
 
11
  # Set OPENROUTER_API_KEY as a HF Space Secret
12
  openrouter_api_key: str = ""
13
+ api_key: str = ""
14
  llm_model: str = "meta-llama/llama-3.3-70b-instruct"
15
 
16
  app_env: str = "production"