Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-17 10:15:27 -04:00
Code Issues Packages Projects Releases Wiki Activity

Restrict provider discovery to admins

Browse Source 
Require admin access before serving provider discovery data from
GET /api/providers. This prevents normal authenticated users from
triggering provider discovery or receiving cached provider host data.

Keep GET /api/models available to normal users and leave the existing
admin-only GET /api/discover behavior unchanged.

Add a focused regression test to ensure unauthorized callers cannot
trigger discovery and cannot receive cached provider data.
This commit is contained in:
Alexandre Teixeira
2026-06-01 21:54:40 +01:00
committed by GitHub
parent 7268c49992
commit 26483661da
2 changed files with 38 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
routes/model_routes.py
+2 -1
View File
@@ -890,8 +890,9 @@ def setup_model_routes(model_discovery):
_PROVIDERS_CACHE_TTL = 30 # seconds
@router.get("/providers")
def providers(refresh: bool = False):
def providers(request: Request, refresh: bool = False):
"""Get all available providers (cached for 30s)."""
require_admin(request)
now = _time.time()
if not refresh and _providers_cache["data"] is not None and (now - _providers_cache["time"]) < _PROVIDERS_CACHE_TTL:
return _providers_cache["data"]