server: Bypass API Key validation for WebUI static bundle assets (#21269)

* fix: Bypass API Key validation for static bundle assets * refactor: All bypassed routes in `public_endpoints` * test: Update static assets API Key test
2026-04-01 21:32:15 +02:00 · 2026-04-01 21:32:15 +02:00 · 12dbf1da95
parent 86221cf6da
commit 12dbf1da95
2 changed files with 16 additions and 3 deletions
--- a/tools/server/server-http.cpp
+++ b/tools/server/server-http.cpp
@ -143,7 +143,11 @@ bool server_http_context::init(const common_params & params) {
            "/v1/health",
            "/models",
            "/v1/models",
-            "/api/tags"
+            "/api/tags",
+            "/",
+            "/index.html",
+            "/bundle.js",
+            "/bundle.css",
        };

        // If API key is not set, skip validation
@ -151,8 +155,8 @@ bool server_http_context::init(const common_params & params) {
            return true;
        }

-        // If path is public or is static file, skip validation
-        if (public_endpoints.find(req.path) != public_endpoints.end() || req.path == "/") {
+        // If path is public or static file, skip validation
+        if (public_endpoints.find(req.path) != public_endpoints.end()) {
            return true;
        }

--- a/tools/server/tests/unit/test_security.py
+++ b/tools/server/tests/unit/test_security.py
@ -22,6 +22,15 @@ def test_access_public_endpoint(endpoint: str):
    assert "error" not in res.body


+def test_access_static_assets_without_api_key():
+    """Static web UI assets should not require API key authentication (issue #21229)"""
+    global server
+    server.start()
+    for path in ["/", "/bundle.js", "/bundle.css"]:
+        res = server.make_request("GET", path)
+        assert res.status_code == 200, f"Expected 200 for {path}, got {res.status_code}"
+
+
@pytest.mark.parametrize("api_key", [None, "invalid-key"])
 def test_incorrect_api_key(api_key: str):
    global server