Textgen: Add permissions check for TabbyAPI keys

There's no formal permissions checking in ST's UI, so add a temporary
check in the server endpoint before requesting a download.

Signed-off-by: kingbri <bdashore3@proton.me>

public/scripts/textgen-models.js

@@ -526,7 +526,10 @@ async function downloadTabbyModel() {
             body: JSON.stringify(params),
         });
 
-        if (!response.ok) {
+        if (response.status === 403) {
+            toastr.error("The provided key has invalid permissions. Please use an admin key for downloading.");
+            return;
+        } else if (!response.ok) {
             throw new Error(response.statusText);
         }
 

src/endpoints/backends/text-completions.js

@@ -602,6 +602,23 @@ tabby.post('/download', jsonParser, async function (request, response) {
         }
 
         setAdditionalHeaders(request, args, baseUrl);
+
+        // Check key permissions
+        const permissionResponse = await fetch(`${baseUrl}/v1/auth/permission`, {
+            headers: args.headers
+        });
+
+        if (permissionResponse.ok) {
+            const permissionJson = await permissionResponse.json();
+
+            if (permissionJson['permission'] !== 'admin') {
+                return response.status(403).send({ error: true });
+            }
+        } else {
+            console.log('API Permission error:', permissionResponse.status, permissionResponse.statusText);
+            return response.status(permissionResponse.status).send({ error: true });
+        }
+
         const fetchResponse = await fetch(`${baseUrl}/v1/download`, args);
 
         if (!fetchResponse.ok) {