feat: enforce api key authentication and update table header

- Added proper API key validation in router.py with 401 response when key is missing - Implemented CORS headers for authentication requests - Updated table header from "Until" to "Unload" in static/index.html - Improved security by preventing API key leakage in access logs
2026-02-01 10:05:46 +01:00 · 2026-02-01 10:05:46 +01:00 · bd0d210b2a
commit bd0d210b2a
parent b718d575b7
2 changed files with 13 additions and 7 deletions
--- a/router.py
+++ b/router.py
@ -250,13 +250,19 @@ async def enforce_router_api_key(request: Request, call_next):
    # Strip the api_key query param from scope so access logs do not leak it
    _strip_api_key_from_scope(request)
    if provided_key is None:
-        response = await call_next(request)
-        # Add CORS headers for API key authentication requests
+        # No key provided but authentication is required - return 401
+        headers = {}
        if "/api/" in path and path != "/api/usage-stream":
-            response.headers["Access-Control-Allow-Origin"] = "*"
-            response.headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
-            response.headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS"
-        return response
+            headers = {
+                "Access-Control-Allow-Origin": "*",
+                "Access-Control-Allow-Headers": "Authorization, Content-Type",
+                "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+            }
+        return JSONResponse(
+            content={"detail": "Missing NOMYO Router API key"},
+            status_code=401,
+            headers=headers,
+        )

    if not secrets.compare_digest(str(provided_key), str(expected_key)):
        return JSONResponse(