jprdonnelly/dify
1
0
Fork 0
mirror of https://github.com/langgenius/dify.git synced 2025-12-19 17:27:16 -05:00
Code Issues Packages Projects Releases Wiki Activity

feat: allow admin api key to bypass csrf validation (#29139)

Browse Source 
Signed-off-by: kenwoodjw <blackxin55+@gmail.com>
This commit is contained in:
kenwoodjw
2025-12-08 10:22:57 +08:00
committed by GitHub
parent 18d5d513b4
commit 88bfeee234
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
api/libs/token.py
View File

@@ -189,6 +189,11 @@ def build_force_logout_cookie_headers() -> list[str]:
def check_csrf_token(request: Request, user_id: str):
# some apis are sent by beacon, so we need to bypass csrf token check
# since these APIs are post, they are already protected by SameSite: Lax, so csrf is not required.
if dify_config.ADMIN_API_KEY_ENABLE:
auth_token = extract_access_token(request)
if auth_token and auth_token == dify_config.ADMIN_API_KEY:
return
def _unauthorized():
raise Unauthorized("CSRF token is missing or invalid.")