server: Bypass API Key validation for WebUI static bundle assets (#21269)
authorAleksander Grygier <redacted>
Wed, 1 Apr 2026 19:32:15 +0000 (21:32 +0200)
committerGitHub <redacted>
Wed, 1 Apr 2026 19:32:15 +0000 (21:32 +0200)
* fix: Bypass API Key validation for static bundle assets

* refactor: All bypassed routes in `public_endpoints`

* test: Update static assets API Key test

tools/server/server-http.cpp
tools/server/tests/unit/test_security.py

index f52240b106a3b827f435b1b10ef3652535fdc164..be2af26223da2e56ed68e0f2b39526943dacdcf9 100644 (file)
@@ -143,7 +143,11 @@ bool server_http_context::init(const common_params & params) {
             "/v1/health",
             "/models",
             "/v1/models",
-            "/api/tags"
+            "/api/tags",
+            "/",
+            "/index.html",
+            "/bundle.js",
+            "/bundle.css",
         };
 
         // If API key is not set, skip validation
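Review bot: The four new entries in `public_endpoints` extend the unauthenticated surface beyond `/`, and nothing at the initializer says that every path listed there skips API-key validation. The lookup in the next hunk is an exact `find(req.path)`, so neighbouring paths still fail closed, but that property is easy to lose if the check is later changed to a prefix or extension match to cover more assets. I would add a comment above the list such as `// Served WITHOUT API-key validation: exact paths only, non-sensitive content only`, and reword the next hunk's comment to `// If path is in the public allowlist (exact match), skip validation`, because "static file" reads as if static files in general were exempt. If the server can be pointed at a user-supplied static directory, `/index.html` from that directory would presumably be served without a key as well, which is worth confirming as intended. The body of `init` starts and ends outside both hunks.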
@@ -151,8 +155,8 @@ bool server_http_context::init(const common_params & params) {
             return true;
         }
 
-        // If path is public or is static file, skip validation
-        if (public_endpoints.find(req.path) != public_endpoints.end() || req.path == "/") {
+        // If path is public or static file, skip validation
+        if (public_endpoints.find(req.path) != public_endpoints.end()) {
             return true;
         }
 
index 8c38b89d535e38b9d8a4e2ce26ba2bf248ce1aee..bb22095f125ca09027387911dbd0449fb30074bd 100644 (file)
@@ -22,6 +22,15 @@ def test_access_public_endpoint(endpoint: str):
     assert "error" not in res.body
 
 
+def test_access_static_assets_without_api_key():
+    """Static web UI assets should not require API key authentication (issue #21229)"""
+    global server
+    server.start()
+    for path in ["/", "/bundle.js", "/bundle.css"]:
+        res = server.make_request("GET", path)
+        assert res.status_code == 200, f"Expected 200 for {path}, got {res.status_code}"
+
+
 @pytest.mark.parametrize("api_key", [None, "invalid-key"])
 def test_incorrect_api_key(api_key: str):
     global server
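Review bot: The loop in `test_access_static_assets_without_api_key` leaves out `/index.html`, although this commit adds it to the allowlist, so a regression on that path would go unnoticed; `for path in ["/", "/index.html", "/bundle.js", "/bundle.css"]:` covers all four. The test is only meaningful if `server` was configured with an API key before `server.start()`, presumably by a fixture outside the hunk; otherwise every request passes through the "key not set" branch and the assertions prove nothing. It would also help to assert that an unlisted, asset-like path requested without a key is still rejected, which pins the exact-match behaviour of the bypass. The docstring could state that the requests are sent without a key against a key-protected server.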