[Bug]: v1/realtime endpoint not checking api key (Vulnerability)

[mirodrr2]

What happened?

With the v1/realtime endpoint, you are able to call it without a valid api key if OPENAI_API_KEY is defined in the Proxy. This is a security vulnerability if you are trying to run the proxy on a public endpoint

If you look at the v1/realtime endpoint, there's no dependency on user_api_key_auth like there is with all the other endpoints:

litellm/litellm/proxy/proxy_server.py

Line 4341 in 8fd3bf3

@app.websocket("/v1/realtime")

A version of user_api_key_auth will need to be made that supports websocket: WebSocket instead of request: Request

litellm/litellm/proxy/auth/user_api_key_auth.py

Line 198 in 8fd3bf3

async def user_api_key_auth( # noqa: PLR0915

You can easily reproduce this issue by taking the sample code from the LiteLLM documenation and putting in a bad api key. It will still connect: https://docs.litellm.ai/docs/realtime

Relevant log output

No response

Twitter / LinkedIn details

No response

[mirodrr2]

Looking through the code now, and it's not super straightforward to make an equivalent user_api_key_auth_for_websocket method. Here are the following differences:

1. The websocket request doesn't have a request body so the following checks in pre_db_read_auth_checks don't apply:

   • Checks if request size is under max_request_size_mb (if set)
   • Check if request body is safe (example user has not set api_base in request body)

2. Not sure if pass through endpoints make sense for websocket endpoints. Not aware of any alternative or open source providers of real time voice apis that exist yet.

3. A new version of common_checks will need to check the query parameters instead of the request body for the model

4. A new version of common_checks will probably need to check the headers for the user instead of the request body

5. A new version of common_checks will probably need to check the headers for the _enforced_params instead of the request body. Also not sure if _enforced_params should apply to the websocket api.

6. A new version of common_checks will probably need to check the headers for the metadata instead of the request body.

7. New version of organization_role_based_access_check will need to check the headers for the organization_id instead of the request body.

8. New version of service_account_checks will need to check the headers for _enforced_params instead of the request body

9. A lot of _is_allowed_route is probably unnecessary for websockets since it's doing a bunch of checks that only apply to http routes

10. Most of the methods in auth_utils.py accept request and will need to accept WebSocket to check the headers

[mirodrr2]

WIP branch: main...mirodrr2:litellm:check_api_key_on_v1_realtime

Not tested yet, and has a lot of duplicate code I'd like to avoid, but that's the general idea. Very new to this repo so would appreciate any guidance on this

I think closing this security vulnerability is high priority, as it makes the realtime voice api unusable for anyone who needs authentication

Will revisit next week after thanksgiving and try to get a decent quality PR in

[mirodrr2]

@krrishdholakia , I saw you added the initial support for the realtime voice api. Do you plan to add full user api key support to it?