Textgen: Add permissions check for TabbyAPI keys

There's no formal permissions checking in ST's UI, so add a temporary check in the server endpoint before requesting a download. Signed-off-by: kingbri <bdashore3@proton.me>
2025-06-05 21:59:27 +02:00 · 2024-07-07 14:40:24 -04:00
parent 69077f6a6e
commit 0672c8422e
2 changed files with 21 additions and 1 deletions
--- a/public/scripts/textgen-models.js
+++ b/public/scripts/textgen-models.js
@@ -526,7 +526,10 @@ async function downloadTabbyModel() {
            body: JSON.stringify(params),
        });

-        if (!response.ok) {
+        if (response.status === 403) {
+            toastr.error("The provided key has invalid permissions. Please use an admin key for downloading.");
+            return;
+        } else if (!response.ok) {
            throw new Error(response.statusText);
        }

--- a/src/endpoints/backends/text-completions.js
+++ b/src/endpoints/backends/text-completions.js
@@ -602,6 +602,23 @@ tabby.post('/download', jsonParser, async function (request, response) {
        }

        setAdditionalHeaders(request, args, baseUrl);
+
+        // Check key permissions
+        const permissionResponse = await fetch(`${baseUrl}/v1/auth/permission`, {
+            headers: args.headers
+        });
+
+        if (permissionResponse.ok) {
+            const permissionJson = await permissionResponse.json();
+
+            if (permissionJson['permission'] !== 'admin') {
+                return response.status(403).send({ error: true });
+            }
+        } else {
+            console.log('API Permission error:', permissionResponse.status, permissionResponse.statusText);
+            return response.status(permissionResponse.status).send({ error: true });
+        }
+
        const fetchResponse = await fetch(`${baseUrl}/v1/download`, args);

        if (!fetchResponse.ok) {