From 3e702c6265e4d572cf0afd789edfda8815ea5cb0 Mon Sep 17 00:00:00 2001
From: Paul Y Hui
Date: Tue, 31 Mar 2026 15:25:00 +0800
Subject: [PATCH] fix: guard against missing/malformed Authorization header in apikey_required (#13860)

### What problem does this PR solve?

Previously, `apikey_required` called `request.headers.get('Authorization').split()[1]` without checking for None or insufficient parts, causing an unhandled AttributeError or IndexError (500) instead of a proper 403 JSON response.

This applies the same guarding pattern already used by `token_required` in the same file.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
- [x] Refactoring
---
 api/utils/api_utils.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/api/utils/api_utils.py b/api/utils/api_utils.py
index 9cf5e5a3ff..bc3f09801b 100644
--- a/api/utils/api_utils.py
+++ b/api/utils/api_utils.py
@@ -252,7 +252,13 @@ def get_json_result(code: RetCode = RetCode.SUCCESS, message="success", data=Non
 def apikey_required(func):
     @wraps(func)
     async def decorated_function(*args, **kwargs):
-        token = request.headers.get("Authorization").split()[1]
+        authorization = request.headers.get("Authorization")
+        if not authorization:
+            return build_error_result(message="Authorization header is missing!", code=RetCode.FORBIDDEN)
+        parts = authorization.split()
+        if len(parts) < 2:
+            return build_error_result(message="Please check your authorization format.", code=RetCode.FORBIDDEN)
+        token = parts[1]
         objs = APIToken.query(token=token)
         if not objs:
             return build_error_result(message="API-KEY is invalid!", code=RetCode.FORBIDDEN)
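Review bot: The new `if len(parts) < 2:` guard validates only the element count, so the scheme in `parts[0]` is never inspected and a header with more than two whitespace-separated parts (e.g. a trailing token fragment) is accepted with `parts[1]` silently taken as the key. If the API contract is a Bearer token, as the `split()[1]` pattern suggests but the hunk does not state, a stricter parse is `if len(parts) != 2 or parts[0].lower() != "bearer":` returning the same `build_error_result(...)` so that malformed or mis-schemed headers are rejected rather than partially honored. A short docstring on `decorated_function` would also help here, e.g. `"""Resolve the caller's API key from the Authorization header; returns a FORBIDDEN JSON result when the header is missing, malformed, or unknown."""`. The bodies of `apikey_required` and `decorated_function` continue past the end of the hunk.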