fix(api): validate api key prefix (#2195)

2026-06-04 12:56:02 +00:00 · 2026-05-16 11:33:20 +08:00
parent ec61459619
commit 484643c0ee
2 changed files with 43 additions and 0 deletions
--- a/src/langbot/pkg/api/http/service/apikey.py
+++ b/src/langbot/pkg/api/http/service/apikey.py
@@ -52,6 +52,9 @@ class ApiKeyService:

    async def verify_api_key(self, key: str) -> bool:
        """Verify if an API key is valid"""
+        if not isinstance(key, str) or not key.startswith('lbk_'):
+            return False
+
        result = await self.ap.persistence_mgr.execute_async(
            sqlalchemy.select(apikey.ApiKey).where(apikey.ApiKey.key == key)
        )