fix: per-user model list support with resolved headers #11849
Open
bensi94 wants to merge 3 commits into danny-avila:main from
… fetching
The models config was cached globally (MODELS_CONFIG key) which meant all
users saw the same model list regardless of their role or permissions.
This is incorrect when the upstream provider (e.g. LiteLLM) returns
different models per user based on JWT/OIDC tokens forwarded via custom
headers.
Changes:
- Remove MODELS_CONFIG cache from ModelController so models are fetched
fresh on each request, supporting per-user model lists
- Resolve custom headers through resolveHeaders() before merging into
the request options in fetchModels(), enabling template placeholders
like {{LIBRECHAT_OPENID_ID_TOKEN}} to be expanded per-user
- Merge resolved custom headers after default auth headers so config
headers (e.g. authorization) take precedence over the default Bearer
token
- Update tests to verify header resolution and override behavior
Contributor
Nice! Exactly what I need for claim-based access in my LiteLLM instance! 🎉
Summary
When using an upstream model provider like LiteLLM with JWT/OIDC-based authentication, different users may have access to different models based on their role and permissions. The previous implementation cached the models config globally (MODELS_CONFIG key), causing all users to see the same model list regardless of their identity or authorization level.

This PR fixes two issues:
- Removes global model config caching in ModelController.js — models are now fetched fresh on each request, ensuring per-user model lists are correctly returned. This applies to both master-key and user-token scenarios, but is especially important when tokens vary per user.
- Resolves custom headers through resolveHeaders() in fetchModels() — template placeholders like {{LIBRECHAT_OPENID_ID_TOKEN}} in config headers are now properly expanded per-user before the model fetch request. Custom headers are merged after default auth headers, so config-level authorization headers (e.g. forwarding an OIDC token) take precedence over the default Bearer <apiKey>.

Example config that now works correctly:

Change Type

Testing
- models.spec.ts to verify:
  - resolveHeaders() before being sent
  - authorization header overrides the default Bearer token
- ModelController.js no longer references CacheKeys or getLogStores

Test Configuration:
- headers.authorization: "Bearer {{LIBRECHAT_OPENID_ID_TOKEN}}"

Checklist
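The two behaviours the description covers, as an added example that is not LibreChat's code: a single process-wide cache entry hands the first caller's model list to every later user, and merging resolved config headers after the default auth header lets the per-user authorization value replace Bearer <apiKey>. The names upstreamModels, resolveTemplate, buildHeaders, the tokens and the model names are constructed for illustration; resolveTemplate is a hypothetical stand-in, not the project's resolveHeaders().

```javascript
// Constructed stand-in for an upstream (e.g. LiteLLM) that scopes models by caller token.
const ACL = { 'tok-admin': ['gpt-4o', 'internal-finetune'], 'tok-intern': ['gpt-4o-mini'] };
function upstreamModels(headers) {
  const token = (headers.authorization || '').replace(/^Bearer /, '');
  return ACL[token] || [];
}

// Hypothetical placeholder expansion; NOT LibreChat's resolveHeaders() implementation.
function resolveTemplate(headers, user) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = value.replace(/\{\{LIBRECHAT_OPENID_ID_TOKEN\}\}/g, user.idToken);
  }
  return out;
}

// Default auth first, resolved config headers last: the config "authorization" wins.
function buildHeaders(apiKey, configHeaders, user) {
  return { authorization: `Bearer ${apiKey}`, ...resolveTemplate(configHeaders, user) };
}

const CONFIG_HEADERS = { authorization: 'Bearer {{LIBRECHAT_OPENID_ID_TOKEN}}' };

// "Before": one process-wide cache entry shared by every user.
const cache = new Map();
function modelsCachedGlobally(user) {
  if (!cache.has('MODELS_CONFIG')) {
    cache.set('MODELS_CONFIG', upstreamModels(buildHeaders('master-key', CONFIG_HEADERS, user)));
  }
  return cache.get('MODELS_CONFIG');
}

// "After": fetched on each request with that user's resolved headers.
function modelsPerRequest(user) {
  return upstreamModels(buildHeaders('master-key', CONFIG_HEADERS, user));
}

const admin = { idToken: 'tok-admin' };   // constructed sample users
const intern = { idToken: 'tok-intern' };
console.log('global cache, admin :', modelsCachedGlobally(admin));
console.log('global cache, intern:', modelsCachedGlobally(intern)); // admin's list again
console.log('per request,  intern:', modelsPerRequest(intern));
```

In a plain object merge like this one the override depends on the key matching exactly: a config header spelled `Authorization` would sit beside the default `authorization` key instead of replacing it.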