Resolve conflict between token security and dashboard functionality

Add separate api_token_access_control_middleware that runs AFTER auth_middleware so request.state.is_global_token is already set when checking permissions. Final middleware execution order (FIRST to LAST on request): 1. ProxyHeadersMiddleware 2. SessionMiddleware 3. CORSMiddleware 4. tier_limit_middleware 5. api_token_access_control_middleware (NEW) - blocks global tokens from user endpoints 6. auth_middleware - sets is_global_token flag 7. dashboard_context_middleware - sets is_aisbf_cloud and welcome_shown ✅ Token security: Global tokens CANNOT access /api/u/* user endpoints ✅ Dashboard: Welcome modal and footer links work correctly ✅ Boot flow: Models load from providers.json on startup

Resolve conflict between token security and dashboard functionality
Add separate api_token_access_control_middleware that runs AFTER auth_middleware so request.state.is_global_token is already set when checking permissions. Final middleware execution order (FIRST to LAST on request): 1. ProxyHeadersMiddleware 2. SessionMiddleware 3. CORSMiddleware 4. tier_limit_middleware 5. api_token_access_control_middleware (NEW) - blocks global tokens from user endpoints 6. auth_middleware - sets is_global_token flag 7. dashboard_context_middleware - sets is_aisbf_cloud and welcome_shown ✅ Token security: Global tokens CANNOT access /api/u/* user endpoints ✅ Dashboard: Welcome modal and footer links work correctly ✅ Boot flow: Models load from providers.json on startup
d9965453 · Your Name · c8767df6 · d9965453
Commit d9965453 authored Apr 21, 2026 by Your Name
Hide whitespace changes
Inline Side-by-side

Showing with 38 additions and 0 deletions

main.py main.py +38 -0

No files found.
--- a/main.py
+++ b/main.py
@@ -1430,6 +1430,44 @@ async def auth_middleware(request: Request, call_next):
    return response
+# Global API Token Access Control Middleware
+@app.middleware("http")
+async def api_token_access_control_middleware(request: Request, call_next):
+    """Block global tokens from accessing user-specific endpoints"""
+    # Only apply to API and MCP endpoints
+    if (request.url.path.startswith("/api/u/") or 
+        request.url.path.startswith("/mcp/u/") or
+        request.url.path.startswith("/api/v1/u/") or
+        request.url.path.startswith("/mcp/v1/u/")):
+        is_global_token = getattr(request.state, 'is_global_token', False)
+        user_id = getattr(request.state, 'user_id', None)
+        if is_global_token:
+            return JSONResponse(
+                status_code=403,
+                content={"error": "Global tokens cannot access user-specific endpoints. Use the user's own API token."}
+            )
+        # Extract username from path and verify ownership
+        path_parts = request.url.path.split('/')
+        if len(path_parts) >= 4 and path_parts[2] == 'u':
+            target_username = path_parts[3]
+            db = DatabaseRegistry.get_config_database()
+            authenticated_user = db.get_user_by_id(user_id)
+            if not authenticated_user or authenticated_user['username'] != target_username:
+                return JSONResponse(
+                    status_code=403,
+                    content={"error": "You can only access your own user-specific endpoints."}
+                )
+    response = await call_next(request)
+    return response
 # Account Tier Limit Enforcement Middleware
 @app.middleware("http")
 async def tier_limit_middleware(request: Request, call_next):