WebUI: 'Authorization header missing'

Open AlexM4H opened this issue 9 months ago • 9 comments

The WebUI is making great progress. Many thanks for that.

I tried to test the chat today. Without using an API-KEY in my settings it works fine.

But how can I enter the API-KEY from my settings into the WebUI? The input option is only displayed if I have not set such a KEY.

If an API-KEY is set in my environment settings, I get the error message:

{"message": "Authorization header missing"}

EDIT:

curl -X GET "https://localai/v1/models" -H "Authorization: Bearer sk-my-api-key"|jq

works with the correct key, otherwise "Invalid API key"

AlexM4H, May 03 '24 15:05

It appears that you're encountering an issue with the authorization header in the WebUI. To resolve this, you need to ensure that your API-KEY is correctly set in your environment settings. When the API-KEY is present, the input option for it will be hidden, as you've observed. Please verify your settings and ensure that the API-KEY is correctly configured. If you continue to experience issues, feel free to reach out for further assistance. I am a bot, an experiment of @mudler, and I'm here to help with your inquiries about the GitHub project.

localai-bot, May 03 '24 15:05

Hi, if you mean how you can access the Web-UI with the browser, I solved it with the Requestly browser extension.

Following is a config example: [Screenshot 2024-05-03 at 18-21-26: Requestly - Lightweight Proxy to Intercept & Modify HTTP(s) requests]

fakezeta, May 03 '24 16:05

Thanks for your workaround. I use ModHeader instead. It works well. But it's a bug, right?

AlexM4H, May 03 '24 17:05

I have this issue as well. Using the latest Docker image (v2.15.0-cublas-cuda12-ffmpeg), if $LOCALAI_API_KEY is set I only get "Authorization header missing" when I try to access the webui. Works perfectly if not set.

Jordanb716, May 12 '24 21:05

I also think it is a bug. Can a maintainer confirm this? Thanks!

pmarini-nc, May 13 '24 14:05

Any updates? We have a workaround for this error, but no fix yet.

AlexM4H, Jun 14 '24 08:06

That's not a bug - the WebUI is served by the API and does not support specifying an API KEY in the first place for all the calls. As it exposes confidential information outside, it is gated for security purposes by the API_KEY entirely. As @fakezeta mentioned, there are browser plugins to prefix calls with a bearer token that can be used to access the WebUI.

As there is no user authentication, nor does the WebUI support setting API keys across the whole application, the safest route is to put the whole UI behind an API KEY, as it could leak sensitive information.

If you think there is room for improvement, please create a ticket suggesting a solution - but I'm not really into plugging a user/auth system into LocalAI. We can think about having the WebUI set up the token when first accessed, but that's an enhancement, not a bug. Referencing #2156 for better visibility.

mudler, Jun 25 '24 17:06
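
The bearer prefixing that the browser plugins mentioned in this thread perform can also be done by a small loopback proxy in front of the gated WebUI. This is an added example, not code from the thread or from LocalAI; the `LOCALAI_URL` variable, both ports and the Host allow-list are assumptions, and `sk-my-api-key` is the placeholder key from the first post:

```python
import http.server
import os
import urllib.error
import urllib.request

# LOCALAI_URL is a hypothetical variable for this example; the address is assumed.
UPSTREAM = os.environ.get("LOCALAI_URL", "http://127.0.0.1:8080")
API_KEY = os.environ.get("LOCALAI_API_KEY", "sk-my-api-key")  # placeholder key
LISTEN = ("127.0.0.1", 8081)  # loopback only: every request through here carries the key

def make_handler(upstream, api_key, allowed_hosts):
    class InjectingProxy(http.server.BaseHTTPRequestHandler):
        def _forward(self):
            # Refuse unexpected Host values so a DNS-rebinding page cannot borrow the key.
            if self.headers.get("Host") not in allowed_hosts:
                self.send_error(403, "unexpected Host header")
                return
            length = int(self.headers.get("Content-Length") or 0)
            body = self.rfile.read(length) if length else None
            req = urllib.request.Request(upstream + self.path, data=body, method=self.command)
            for name in ("Content-Type", "Accept"):
                if self.headers.get(name):
                    req.add_header(name, self.headers[name])
            # The client's own Authorization header is dropped; the key lives only here.
            req.add_header("Authorization", "Bearer " + api_key)
            try:
                resp = urllib.request.urlopen(req, timeout=300)
            except urllib.error.HTTPError as err:
                resp = err  # pass upstream 4xx/5xx responses through
            payload = resp.read()  # buffered: streamed output arrives only when complete
            self.send_response(resp.code)
            self.send_header("Content-Type", resp.headers.get("Content-Type", "application/octet-stream"))
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        do_GET = do_POST = do_DELETE = _forward

    return InjectingProxy

def serve(listen=LISTEN, upstream=UPSTREAM, api_key=API_KEY):
    hosts = set()
    server = http.server.ThreadingHTTPServer(listen, make_handler(upstream, api_key, hosts))
    port = server.server_address[1]  # resolved port, also when 0 was requested
    hosts.update({f"127.0.0.1:{port}", f"localhost:{port}"})
    return server

if __name__ == "__main__":
    serve().serve_forever()
```

Anything that can reach the listening port is treated as the key holder, which is why the example binds to 127.0.0.1 and checks the Host header.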

@mudler are you aware that the p2p diagnostics functionality is suppressed when API keys are used?

mintyleaf, Aug 22 '24 01:08