Fix api key access (#13064)

Co-authored-by: openhands <openhands@all-hands.dev>
2026-03-22 13:47:19 +08:00 · 2026-02-26 13:22:23 +00:00
parent a92bfe6cc0
commit 409df1287d
11 changed files with 63 additions and 10 deletions
--- a/openhands/app_server/app_conversation/app_conversation_router.py
+++ b/openhands/app_server/app_conversation/app_conversation_router.py
@@ -18,6 +18,7 @@ from openhands.app_server.services.httpx_client_injector import (
 from openhands.app_server.services.injector import InjectorState
 from openhands.app_server.user.specifiy_user_context import USER_CONTEXT_ATTR
 from openhands.app_server.user.user_context import UserContext
+from openhands.server.dependencies import get_dependencies

 # Handle anext compatibility for Python < 3.10
 if sys.version_info >= (3, 10):
@@ -74,7 +75,11 @@ from openhands.app_server.utils.docker_utils import (
 from openhands.sdk.context.skills import KeywordTrigger, TaskTrigger
 from openhands.sdk.workspace.remote.async_remote_workspace import AsyncRemoteWorkspace

-router = APIRouter(prefix='/app-conversations', tags=['Conversations'])
+# We use the get_dependencies method here to signal to the OpenAPI docs that this endpoint
+# is protected. The actual protection is provided by SetAuthCookieMiddleware
+router = APIRouter(
+    prefix='/app-conversations', tags=['Conversations'], dependencies=get_dependencies()
+)
 logger = logging.getLogger(__name__)
 app_conversation_service_dependency = depends_app_conversation_service()
 app_conversation_start_task_service_dependency = (
--- a/openhands/app_server/event/event_router.py
+++ b/openhands/app_server/event/event_router.py
@@ -11,8 +11,15 @@ from openhands.app_server.config import depends_event_service
 from openhands.app_server.event.event_service import EventService
 from openhands.app_server.event_callback.event_callback_models import EventKind
 from openhands.sdk import Event
+from openhands.server.dependencies import get_dependencies

-router = APIRouter(prefix='/conversation/{conversation_id}/events', tags=['Events'])
+# We use the get_dependencies method here to signal to the OpenAPI docs that this endpoint
+# is protected. The actual protection is provided by SetAuthCookieMiddleware
+router = APIRouter(
+    prefix='/conversation/{conversation_id}/events',
+    tags=['Events'],
+    dependencies=get_dependencies(),
+)
 event_service_dependency = depends_event_service()


--- a/openhands/app_server/sandbox/sandbox_router.py
+++ b/openhands/app_server/sandbox/sandbox_router.py
@@ -10,8 +10,13 @@ from openhands.app_server.sandbox.sandbox_models import SandboxInfo, SandboxPage
 from openhands.app_server.sandbox.sandbox_service import (
    SandboxService,
 )
+from openhands.server.dependencies import get_dependencies

-router = APIRouter(prefix='/sandboxes', tags=['Sandbox'])
+# We use the get_dependencies method here to signal to the OpenAPI docs that this endpoint
+# is protected. The actual protection is provided by SetAuthCookieMiddleware
+router = APIRouter(
+    prefix='/sandboxes', tags=['Sandbox'], dependencies=get_dependencies()
+)
 sandbox_service_dependency = depends_sandbox_service()

 # Read methods
--- a/openhands/app_server/sandbox/sandbox_spec_router.py
+++ b/openhands/app_server/sandbox/sandbox_spec_router.py
@@ -12,8 +12,15 @@ from openhands.app_server.sandbox.sandbox_spec_models import (
 from openhands.app_server.sandbox.sandbox_spec_service import (
    SandboxSpecService,
 )
+from openhands.server.dependencies import get_dependencies

-router = APIRouter(prefix='/sandbox-specs', tags=['Sandbox'])
+# We use the get_dependencies method here to signal to the OpenAPI docs that this endpoint
+# is protected. The actual protection is provided by SetAuthCookieMiddleware
+# Sandboxes specs share a single immutable list for the server right now, but that is likely to
+# change in the future
+router = APIRouter(
+    prefix='/sandbox-specs', tags=['Sandbox'], dependencies=get_dependencies()
+)
 sandbox_spec_service_dependency = depends_sandbox_spec_service()


--- a/openhands/app_server/user/user_router.py
+++ b/openhands/app_server/user/user_router.py
@@ -5,8 +5,11 @@ from fastapi import APIRouter, HTTPException, status
 from openhands.app_server.config import depends_user_context
 from openhands.app_server.user.user_context import UserContext
 from openhands.app_server.user.user_models import UserInfo
+from openhands.server.dependencies import get_dependencies

-router = APIRouter(prefix='/users', tags=['User'])
+# We use the get_dependencies method here to signal to the OpenAPI docs that this endpoint
+# is protected. The actual protection is provided by SetAuthCookieMiddleware
+router = APIRouter(prefix='/users', tags=['User'], dependencies=get_dependencies())
 user_dependency = depends_user_context()

 # Read methods