security: reject requests without valid API key (401 instead of defaulting to starter)

2026-05-19 19:13:52 +00:00
parent 7a78c0f98d
commit 46dda918de
1 changed files with 4 additions and 1 deletions
@@ -248,7 +248,10 @@ def chat():
    try:
        rd = request.get_json(force=True)
        ak = request.headers.get("Authorization","").replace("Bearer ","")
-        ki = API_KEYS.get(ak, {"tier":"starter","agent":"unknown"})
+        if not ak or ak not in API_KEYS:
+            log.warning("AUTH_REJECTED: no/invalid API key from %s", request.remote_addr)
+            return jsonify({"error": "Unauthorized — valid API key required"}), 401
+        ki = API_KEYS[ak]
        tier, agent = ki["tier"], ki["agent"]
        
        # Allow agent to override queue timeout via header