feat: allow admin api key to bypass csrf validation (#29139)

Signed-off-by: kenwoodjw <blackxin55+@gmail.com>
This commit is contained in:
kenwoodjw 2025-12-08 10:22:57 +08:00 committed by GitHub
parent 18d5d513b4
commit 88bfeee234
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 5 additions and 0 deletions


@ -189,6 +189,11 @@ def build_force_logout_cookie_headers() -> list[str]:
def check_csrf_token(request: Request, user_id: str): def check_csrf_token(request: Request, user_id: str):
# some apis are sent by beacon, so we need to bypass csrf token check # some apis are sent by beacon, so we need to bypass csrf token check
# since these APIs are post, they are already protected by SameSite: Lax, so csrf is not required. # since these APIs are post, they are already protected by SameSite: Lax, so csrf is not required.
if dify_config.ADMIN_API_KEY_ENABLE:
auth_token = extract_access_token(request)
if auth_token and auth_token == dify_config.ADMIN_API_KEY:
return
def _unauthorized(): def _unauthorized():
raise Unauthorized("CSRF token is missing or invalid.") raise Unauthorized("CSRF token is missing or invalid.")
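Review bot: The added bypass compares the presented bearer token to the admin key with a plain `==`, which leaks how much of the secret matched through timing; a constant-time compare that also tolerates an unset key is safer, e.g. `if auth_token and dify_config.ADMIN_API_KEY and hmac.compare_digest(auth_token, dify_config.ADMIN_API_KEY):` followed by `return` (with `import hmac` added at the top of the file, outside this hunk). Skipping the CSRF check is only sound if `extract_access_token` reads the token from the Authorization header alone, which browsers never attach to a cross-site request; if it can fall back to a cookie or query parameter, a forged request could ride on an admin session, so that should be confirmed rather than assumed. The early return also deserves a why-comment, since the two comments above it describe the beacon case, not this one: `# Admin API key is sent in a header, not a cookie, so a cross-site request cannot supply it; CSRF token not required.` The body of check_csrf_token continues past the end of this hunk.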