Commit Graph
71 Commits
Author SHA1 Message Date
Alexsander HamirandGitHub 69bd4426e8 [Release Day] - Fixed CI/CD issues & changed processes (#19902) 2026-01-28 17:57:24 -08:00
boarder7395andGitHub 8e4f06583a Fix team cli auth flow (#19666)
* Cleanup code for user cli auth, and make sure not to prompt user for team multiple times while polling

* Adding tests

* Cleanup normalize teams some more
2026-01-28 08:52:52 -08:00
yuneng-jiangandGitHub 45954155d7 Merge pull request #19799 from BerriAI/litellm_sso_email_casing
[Fix] SSO Email Case Sensitivity
2026-01-27 09:52:03 -08:00
Sameer KankuteandGitHub 0214cb04cd Merge branch 'main' into litellm_oss_staging_01_26_2026 2026-01-27 17:00:58 +05:30
Sameer KankuteandGitHub adf6d7e1db Merge pull request #19692 from BerriAI/litellm_oss_staging_01_24_2026
Litellm oss staging 01 24 2026
2026-01-27 16:59:28 +05:30
Ishaan JaffandGitHub cec1a3c858 [Feat] CLI Auth - Add configurable CLI JWT expiration via environment variable (#19780)
* fix: add CLI_JWT_EXPIRATION_HOURS

* docs: CLI_JWT_EXPIRATION_HOURS

* fix: get_cli_jwt_auth_token

* test_get_cli_jwt_auth_token_custom_expiration
2026-01-26 14:56:17 -08:00
yuneng-jiang 4ee00cfda5 fix sso email case sensitivity 2026-01-26 10:33:57 -08:00
Jay PrajapatiandGitHub 582d324a76 fix(proxy): support slashes in google generateContent model names (#19737)
* fix(proxy): support slashes in google route params

* fix(proxy): extract google model ids with slashes

* test(proxy): cover google model ids with slashes
2026-01-25 22:59:50 -08:00
John GreekandGitHub 4c5351f43b [Fix] Password comparison with non-ASCII characters (#19559) (#19568) 2026-01-23 20:27:42 -08:00
yuneng-jiang 232ae52b94 attempt test_route_checks fix 2026-01-20 15:55:44 -08:00
Ishaan JaffandGitHub 117c7dd158 [Feat] Claude Code - Add End-user tracking with Claude Code (#19171)
* add claude code customer usage tracking

* fix get end user trackign claude code

* TestGetCustomerIdFromStandardHeaders
2026-01-15 17:57:10 -08:00
yuneng-jiangandGitHub 6a7edd8f2b Merge pull request #18785 from BerriAI/litellm_user_promethus_metrics
[Feature] User Metrics for Promethus
2026-01-15 15:51:02 -08:00
Ishaan JaffandGitHub 62187103b4 [Fix] Containers API - Container API routes return 401 for non-admin users - routes missing from openai_routes (#19115)
* test_containers_routes_are_llm_api_routes

* allow /containers/* API
2026-01-14 15:14:03 -08:00
yuneng-jiang 567f723214 Merge remote-tracking branch 'origin' into litellm_user_promethus_metrics 2026-01-12 15:59:16 -08:00
yuneng-jiang c29d042df4 Case insensitive email login 2026-01-09 12:51:00 -08:00
Harshit JainandGitHub 8a683d9a6a Add fix for bedrock_cache, metadata and max_model_budget (#18872) 2026-01-10 01:09:00 +05:30
yuneng-jiang 1e314ce203 Merge remote-tracking branch 'origin' into litellm_user_promethus_metrics 2026-01-09 09:33:16 -08:00
Harshit JainandGitHub 819468554f fix(security): prevent expired key plaintext leak in error response (#18860) 2026-01-09 22:27:39 +05:30
yuneng-jiang d01c48ec5e User metrics for promethus 2026-01-07 15:05:09 -08:00
Lukas de BoerandGitHub edc8413f1e Add Kubernetes ServiceAccount JWT authentication support (#18055)
* Allow get_nested_value dot notation to support escaping for Kubernetes JWT Support

* Add support for team and org alias fields, add docs, tests

* Fix lint issue with max statements in handle jwt logic
2026-01-02 14:02:31 +05:30
yuneng-jiang 269bc5b26b Expire Previous UI Session Tokens 2025-12-31 19:26:59 -08:00
Sameer Kankute 4c4c9cb353 Add generate content in llm route 2025-12-24 12:16:24 +05:30
Alexsander HamirandGitHub 30fa90f70d [Feat] Enable async_post_call_failure_hook to transform error responses (#18348) 2025-12-22 11:24:30 -08:00
Alexsander HamirandGitHub 2e7b554747 3[Fix] CI/CD - logging_testing (#18204)
* fix: enforce team member budget check in common_checks

- Add missing team member budget validation in common_checks() function
  - Checks team membership budget when team key is used
  - Raises BudgetExceededError when team member spend exceeds max_budget_in_team
  - Follows same pattern as other budget checks (team, user, end_user)
  - Uses cached get_team_membership() for performance

- Fix AttributeError in lowest_tpm_rpm.py
  - Add null check for model_info before accessing .get() method
  - Prevents 'NoneType' object has no attribute 'get' error

- Add unit tests for team member budget enforcement
  - Test budget exceeded scenario
  - Test within budget scenario
  - Test edge cases (no budget, no membership, personal keys)
  - Tests run without requiring proxy server

Fixes failing test: test_users_in_team_budget

* fix: mock get_async_httpx_client in test_langsmith_key_based_logging

- Mock get_async_httpx_client to return a mock AsyncHTTPHandler instance
- Fixes test failure where mock_post was never called
- LangsmithLogger creates its own httpx client instance via get_async_httpx_client,
  so we need to mock the factory function rather than the class method
- Use MagicMock for response.raise_for_status (sync method) instead of AsyncMock

* fix: resolve linting errors (PLR0915, F401)

- Remove unused imports (datetime, ServiceLoggerPayload) from arize_phoenix.py
- Extract health ping setup logic from RedisCache.__init__ to reduce statement count
- Extract team member budget check from common_checks to reduce statement count

* fix: resolve type errors in ChatCompletionToolCallChunk construction

- Cast type field to Literal['function'] to satisfy TypedDict requirements
- Ensure arguments field is explicitly str type to match TypedDict signature
- Fixes pyright errors for incompatible types in transformation.py
2025-12-18 10:52:24 -08:00
yuneng-jiang f4017a1986 Tests 2025-12-17 16:07:01 -08:00
yuneng-jiang 9907a0d93c Tests 2025-12-15 18:04:27 -08:00
Ishaan JaffandGitHub d38f241032 [Feat] JWT Auth - auth allow selecting team_id from request header (#17884)
* feat: add get_team_id_from_header for JWT Auth

* fix Auth builder JWT Auth

* test_get_team_id_from_header

* test_auth_builder_uses_team_from_header_e2e

* Select Team via Request Header
2025-12-12 10:18:20 -08:00
ephrimstanleyandGitHub a91dda1194 Return 403 instead of 503 for unauthorized routes (#17723) 2025-12-09 15:16:11 -08:00
Ishaan JaffandGitHub 074445edb1 [Fix] AI Gateway Auth - allow using wildcard patterns for public routes (#17686)
* edit auth utils to allow wildcard patterns

* docs fix private / public routes

* test_route_in_additional_public_routes_wildcard_match
2025-12-08 17:39:53 -08:00
e3116da653 feat: Add /global/spend/tags to admin viewer routes (#17501)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: ishaan <ishaan@berri.ai>
2025-12-04 14:43:33 -08:00
yuneng-jiang e6620fcdad Ruff checks 2025-12-03 11:01:10 -08:00
yuneng-jiang b3c0ea5414 Merge remote-tracking branch 'origin' into litellm_login_route_refactor 2025-12-03 10:40:11 -08:00
1ac2655b17 Fix/organization max budget not enforced (#17334)
* test: add failing tests for organization budget enforcement bug

Add comprehensive tests exposing that organization-level budgets are
retrieved but never enforced during request authentication. Tests verify:

1. Basic org budget exceeded scenario (team under budget, org over)
2. Multiple teams collectively exceeding org budget
3. Organization budget fields exist but are never checked
4. Inconsistency between team budget enforcement (works) and org (doesn't)

Tests intentionally fail to document the bug. Will be fixed in next commit.

Related to organization_max_budget not being enforced in auth_checks.py

* fix: enforce organization budget in auth checks

Add organization budget enforcement to common_checks() in auth_checks.py.
Previously, organization_max_budget was retrieved from DB but never checked,
allowing teams to collectively exceed their organization's budget limit.

Changes:
- Add _organization_max_budget_check() function following team budget pattern
- Call org budget check after team budget check in common_checks()
- Add "organization_budget" to budget_alerts type literals
- Update tests to verify org budget is enforced

Budget hierarchy is now properly enforced:
  Organization Budget (hard ceiling)
    └─ Team Budget (sub-allocation)
        └─ Team Member Budget (per-user within team)
            └─ Key Budget (per-key)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: add organization_id to budget alerts, fix enum comparison and linting of newly added code

- Add organization_id field to CallInfo class for better alert context
- Include organization_id in budget alerts (token, soft, team, org)
- Fix event_group enum comparison (was comparing enum to string)
- Add OrganizationBudgetAlert class for organization budget alerting
- Add organization_budget to test parameterizations
- Apply Black formatting to slack_alerting.py

---------

Co-authored-by: Claude <noreply@anthropic.com>
2025-12-02 22:46:03 -08:00
yuneng-jiang 6ee9d9c344 /login route refactor 2025-12-02 11:19:27 -08:00
Ishaan JaffandGitHub 24f847b84c [Feat] JWT Auth - AI Gateway, allow using regular OIDC flow with user info endpoints (#17324)
* feat: allow fetching OIDC user info

* test: use test_auth_builder_with_oidc_userinfo_enabled gets user info when enabled

* fix tool permission doc

* docs fix diagram
2025-12-01 13:59:00 -08:00
v0rtex20kandGitHub 205a563b65 Allow wildcard routes for nonproxy admin (SCIM) (#17178)
* checked for wildcards in nonproxy

* ready
2025-11-27 22:10:19 -08:00
Sameer KankuteandGitHub b97ea585b2 Add method for extracting vector store ids from path params (#16566)
* Add method for extracting vector store ids from path params

* Add vector id handling from path

* Move method to utils
2025-11-26 14:19:30 -08:00
Ishaan Jaffer 983ada20c3 mock test fixes 2025-11-26 12:02:35 -08:00
00e17c81a1 Add enforce user param functionality (#17088)
* feat: Add reject_metadata_tags to proxy config

Co-authored-by: krrishdholakia <krrishdholakia@gmail.com>

* Refactor: Rename reject_metadata_tags to reject_clientside_metadata_tags

Co-authored-by: krrishdholakia <krrishdholakia@gmail.com>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
2025-11-25 09:36:24 -08:00
yuneng-jiangandGitHub 825f61b452 Remove expired proxy admin keys from cache (#16894) 2025-11-22 14:23:28 -08:00
yuneng-jiangandGitHub 22fd323d6b Calling team/permissions_list and team/permissions_update now returns 404 with non-existent team (#16835) 2025-11-22 14:21:58 -08:00
Ishaan JaffandGitHub 2880cb45a2 [Fix] AI Gateway Auth - Ensure Team Tags works when using JWT Auth (#16797)
* fix setting team_metadata

* test_team_metadata_with_tags_flows_through_jwt_auth
2025-11-18 17:36:38 -08:00
912be308b2 fix: allow internal users to access video generation routes (#16472)
Fixes #16470

Video generation endpoints (/v1/videos, /videos/{video_id}, etc.) were
incorrectly restricted to proxy_admin role only. These routes are now
added to openai_routes list, making them accessible to internal_user
role as they should be - video generation is a legitimate user feature,
not a management/admin operation.

Changes:
- Added 8 video route patterns to LiteLLMRoutes.openai_routes in _types.py
- Added comprehensive tests verifying internal_user and virtual key access
- All existing route permission tests continue to pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>
2025-11-10 17:44:16 -08:00
Sameer KankuteandGitHub 2ab2d15efc Fix Token Spend is under budget for passthrough (#15805) 2025-10-22 10:55:22 -07:00
Ishaan JaffandGitHub f13eb283e1 [Fix] GEMINI - CLI - add google_routes to llm_api_routes (#15500)
* fix: add google_routes to llm_api_routes

* test: test_virtual_key_llm_api_routes_allows_google_routes
2025-10-13 10:58:47 -07:00
Krish DholakiaandGitHub 5507d50acf Merge branch 'main' into litellm_dev_10_09_2025_p1 2025-10-11 13:06:34 -07:00
Ishaan JaffandGitHub 527c8f59fa [Feat] Tag Management - Add support for setting tag based budgets (#15433)
* feat: add LiteLLM_TagTable

* fix: use new table for tag management

* fix - allow setting budgets for tags

* working tag creation

* fix schema.prisma

* add tag info

* ui fixes

* ui fix tag info

* TAG_CACHE_IN_MEMORY_TTL_SECONDS

* add Litellm_EntityType

* fix get_aggregated_db_spend_update_transactions

* fix: _update_entity_spend_in_db

* fix _tag_max_budget_check

* add tag budget check

* add tag_list_transactions

* test_get_tag_objects_batch

* test_update_tag_db_without_prisma_client

* fix get_tags_from_request_body

* get_tags_from_request_body

* fix get_tags_from_request_body

* fix spend tracking utils

* get_tags_from_request_body

* test_get_tags_from_request_body_with_metadata_tags

* feat: add _update_tag_cache spend tracking

* fix _PROXY_track_cost_callback

* test_tag_cache_update_multiple_tags

* fix tag info

* docs fix

* docs tag budgets

* doc fix

* docs fix

* fix tag budget

* docs tag budgets

* docs fix

* ruff fix
2025-10-10 19:24:50 -07:00
Krrish Dholakia 5aa5a3b425 fix(route_checks.py): support team metadata 2025-10-09 17:18:38 -07:00
Ishaan JaffandGitHub e73d053de3 [Fix] Proxy Auth - Ensure LLM_API_KEYs can access pass through routes (#15115)
* test_virtual_key_llm_api_routes_allows_registered_pass_through_endpoints

* fix: is_registered_pass_through_route

* docs fix
2025-10-01 14:09:01 -07:00
CopilotGitHubcopilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>ishaan-jaff
f22fd4cddd Fix: Add /v1/messages/count_tokens to Anthropic routes for non-admin user access (#15034)
* Initial plan

* Fix: Add /v1/messages/count_tokens to Anthropic routes for user access

Co-authored-by: ishaan-jaff <29436595+ishaan-jaff@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: ishaan-jaff <29436595+ishaan-jaff@users.noreply.github.com>
2025-09-29 18:16:52 -07:00