[security] Remove API key regex patterns from client-side JS (#793) #836

Closed

sleepy wants to merge 0 commits from fix/client-side-api-key-regex-793 into main

pull from: fix/client-side-api-key-regex-793

merge into: sleepy:main

sleepy:main

sleepy:dev

sleepy:fix/effective-mode-undefined

sleepy:fix/async-generator-500

sleepy:refactor/split-small-routes-779

sleepy:refactor/split-session-routes-778

sleepy:refactor/split-llm-core-700

sleepy:refactor/split-chat-routes-724

sleepy:refactor/split-model-routes-701

sleepy:refactor/split-skills-routes-777

sleepy:refactor/split-document-routes-769

sleepy:refactor/split-ai-interaction-722

sleepy:refactor/split-cookbook-routes-775

sleepy:refactor/split-builtin-actions-723

sleepy:refactor/split-task-scheduler-774

sleepy:refactor/tool-execution-split-667

sleepy:fix/rag-health-coordinator-756

sleepy:fix/agent-core-missing-round-loop

sleepy:fix/rag-health-check-756

sleepy:fix/missing-readmes-782

sleepy:fix/search-files-split-772

sleepy:fix/dedup-search-impl-771

sleepy:fix/mcp-integrations-split-781

sleepy:fix/cookbook-helpers-split-785

sleepy:fix/search-cross-feature-776

sleepy:fix/graceful-llm-degradation-770

sleepy:fix/dedup-research-handler-773

sleepy:fix/cross-route-coupling-780

sleepy:fix/skills-typed-request-762

sleepy:fix/chat-stream-pydantic-731

sleepy:fix/chat-handler-imports-737

sleepy:fix/public-llm-exports-730

sleepy:fix/dedup-search-content-784

sleepy:fix/dedup-stream-parse-735

sleepy:fix/stream-error-boundary-734

sleepy:fix/typed-event-names-786

sleepy:fix/dedup-js-utilities-792

sleepy:fix/skills-index-lookup-761

sleepy:fix/xss-charname-innerhtml-788

sleepy:fix/coderunner-document-write-789

sleepy:fix/ai-interaction-thread-safety-729

sleepy:fix/dead-loadingtext-796

sleepy:fix/active-streams-eviction-736

sleepy:fix/builtin-actions-sqlite-orm-732

sleepy:fix/llm-core-thread-safety-709

sleepy:fix/singleton-thread-safety-768

sleepy:fix/video-upload-multimodal-826

sleepy:fix/mic-button-audio-825

sleepy:fix/multimodal-capabilities-827

sleepy:fix/dedup-system-msg-717

sleepy:fix/service-dead-calls-750

sleepy:fix/db-session-context-manager-757

sleepy:fix/dedup-llmconfig-710

sleepy:fix/keyword-lists-764-v2

sleepy:fix/keyword-lists-764

sleepy:fix/llm-cache-ttl-708

sleepy:fix/validate-config-711

sleepy:fix/totp-constant-time-689

sleepy:fix/admin-tools-constant-681

sleepy:fix/dedup-truncate-670

sleepy:fix/threadsafe-extractions-audit-754

sleepy:fix/dedup-json-io-767

sleepy:fix/695-deduplicate-admin-check

sleepy:fix/upload-auth-dedup-765

sleepy:fix/705-deduplicate-network-constants

sleepy:fix/deduplicate-chunking-749

sleepy:fix/760-deduplicate-embed

sleepy:fix/dedup-validation-759

sleepy:fix/748-deduplicate-tokenization

sleepy:fix/add-readmes-728-742-782

sleepy:fix/key-file-permissions-706

sleepy:fix/embedding-retry-766

sleepy:fix/deterministic-doc-ids-753

sleepy:fix/search-facade-783

sleepy:fix/remove-dead-memory-746

sleepy:fix/remove-rag-manager-747

sleepy:fix/dead-docstring-763

sleepy:refactor/split-tool-schemas-666

sleepy:refactor/split-agent-loop-664

sleepy:refactor/split-tool-implementations-665

sleepy:fix/mark-stopped-500-663

sleepy:fix/streamingtts-scope-662

sleepy:fix/code-block-tool-parsing-661

Conversation 0 Commits - Files changed -

sleepy commented 2026-06-03 20:20:00 +02:00

Owner

Copy link

Fixes #793. API key prefix regex patterns were exposed in client-side slashCommands.js. Moved PROVIDER_PATTERNS matching to server-side POST /api/detect-key-provider endpoint.

Fixes #793. API key prefix regex patterns were exposed in client-side slashCommands.js. Moved PROVIDER_PATTERNS matching to server-side POST /api/detect-key-provider endpoint.

sleepy added 1 commit 2026-06-03 20:20:01 +02:00

[security] Remove API key regex patterns from client-side JS (#793) ... 894f378b74

Move API key prefix matching (sk-ant-, sk-or-, sk-proj-, gsk_, AIza,
xai-) from client-side PROVIDER_PATTERNS in slashCommands.js to a new
server-side POST /api/detect-key-provider endpoint in model_routes.py.

Key prefix patterns exposed in client-side JS reveal the expected format
of API keys for each supported provider. This information could aid an
attacker in crafting or enumerating valid keys.

The detectProvider() function is now async and delegates non-URL inputs
to the server endpoint. URL detection remains client-side (not
sensitive). Both callers (handleSetupInput, handleSetupWizard) were
already async and now await the result.

The censor.js key patterns are intentionally left unchanged — they serve
a defensive purpose (blurring leaked keys in chat output) rather than
key validation.

Fixes #793.

sleepy referenced this pull request 2026-06-03 20:20:08 +02:00

[frontend/security] API key prefixes regex-matched in client-side slashCommands.js #793

sleepy closed this pull request 2026-06-04 11:42:17 +02:00

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

area:chat

  

area:core

  

area:llm

  

area:routes

  

area:tools

  

bug

Something isn't working

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

refactor

  

wontfix

This will not be worked on

No labels

area:chat

area:core

area:llm

area:routes

area:tools

bug

documentation

duplicate

enhancement

good first issue

help wanted

invalid

question

refactor

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

sleepy/odysseus!836

No description provided.