Yicong-Huang opened a new issue, #5420:
URL: https://github.com/apache/texera/issues/5420
### What happened?
`access-control-service/src/main/scala/org/apache/texera/service/resource/AccessControlResource.scala`
defines two JAX-RS proxies that forward to the deployment's LiteLLM instance:
- `LiteLLMProxyResource` at `/chat/*` (chat completions)
- `LiteLLMModelsResource` at `/models` (model listing)
Both classes are annotated `@PermitAll` and contain no internal
authentication / authorization beyond a
`GuiConfig.guiWorkflowWorkspaceCopilotEnabled` feature-flag check. With the
eager `JwtAuthFilter` from PR #5404 enabled and Copilot turned on at deploy
time, any unauthenticated caller can reach `/api/chat/...` or `/api/models` and
spend the deployment's LLM credits / quota.
PR #5404 left the `@PermitAll` in place to preserve pre-eager-filter
behavior — its description explicitly defers this hardening: *"Whether
`/chat/*` should require an authenticated user is a separate hardening
decision."*
### How to reproduce?
1. Bring up `access-control-service` (port 8081) on a build that has
`guiWorkflowWorkspaceCopilotEnabled = true` and a live LiteLLM endpoint.
2. With no `Authorization` header:
   - `curl -X POST http://localhost:8081/api/chat/completions -H "Content-Type: application/json" -d '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"hi"}]}'`
   - `curl http://localhost:8081/api/models`
3. Observe: both requests proxy to LiteLLM with the deployment's
`LLM_API_KEY` and return the response. The caller is fully anonymous.
### Branch
main
### Commit Hash (Optional)
(after #5404 lands)
### What browsers are you seeing the problem on?
- n/a (server-side)
### Relevant log output
```shell
INFO org.eclipse.jetty.server.RequestLog: [...] - "POST /api/chat/completions HTTP/1.1" 200
INFO org.apache.texera.service.resource.LiteLLMProxyResource: Proxying POST request to LiteLLM: http://localhost:9096/chat/completions
```
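A regression check for the behaviour reported above, as an added example that is not part of the original issue or Texera's code: it sends the two requests from the reproduction steps with no `Authorization` header and lists every route that does not answer 401 or 403. The function names and the local stub server are constructed for illustration; the stub only imitates the status codes of an open and a hardened deployment.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Routes and request body copied from the issue's reproduction steps.
PROBES = [
    ("POST", "/api/chat/completions",
     {"model": "gpt-4o-mini", "messages": [{"role": "user", "content": "hi"}]}),
    ("GET", "/api/models", None),
]
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no env proxies

def anonymous_status(base_url, method, path, body=None):
    """Send one request with no Authorization header; return the HTTP status."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def exposed_routes(base_url):
    """List probed routes that answer an anonymous caller with anything but 401/403."""
    return [path for method, path, body in PROBES
            if anonymous_status(base_url, method, path, body) not in (401, 403)]

def start_stub(require_auth):
    """Constructed local stand-in for the service (not Texera code)."""
    class Handler(BaseHTTPRequestHandler):
        def _reply(self):
            self.rfile.read(int(self.headers.get("Content-Length") or 0))
            anonymous = self.headers.get("Authorization") is None
            self.send_response(401 if require_auth and anonymous else 200)
            self.send_header("Content-Length", "0")
            self.end_headers()
        do_GET = do_POST = _reply
        log_message = lambda self, *args: None  # keep the stub quiet
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port

if __name__ == "__main__":
    for require_auth in (False, True):
        server, url = start_stub(require_auth)
        print("require_auth=%s exposed=%s" % (require_auth, exposed_routes(url)))
        server.shutdown()
```

Against a deployment you operate, call `exposed_routes("http://localhost:8081")` (the address used in the issue) in CI and fail the build when the returned list is not empty.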