security: reject requests without valid API key (401)

2026-05-19 19:15:13 +00:00
parent 5f05f46c7c
commit 5971ceee4e
1 changed files with 4 additions and 1 deletions
@@ -248,7 +248,10 @@ def chat():
    try:
        rd = request.get_json(force=True)
        ak = request.headers.get("Authorization","").replace("Bearer ","")
-        ki = API_KEYS.get(ak, {"tier":"starter","agent":"unknown"})
+        if not ak or ak not in API_KEYS:
            log.warning("AUTH_REJECTED: no/invalid API key from %s", request.remote_addr)
            return jsonify({"error": "Unauthorized — valid API key required"}), 401
        ki = API_KEYS[ak]
        tier, agent = ki["tier"], ki["agent"]
        # Allow agent to override queue timeout via header