Commit Graph

62 Commits

Author SHA1 Message Date
yuneng-jiang 232ae52b94 attempt test_route_checks fix 2026-01-20 15:55:44 -08:00
Ishaan Jaff 117c7dd158 [Feat] Claude Code - Add End-user tracking with Claude Code (#19171)
* add claude code customer usage tracking

* fix get end user trackign claude code

* TestGetCustomerIdFromStandardHeaders
2026-01-15 17:57:10 -08:00
yuneng-jiang 6a7edd8f2b Merge pull request #18785 from BerriAI/litellm_user_promethus_metrics
[Feature] User Metrics for Promethus
2026-01-15 15:51:02 -08:00
Ishaan Jaff 62187103b4 [Fix] Containers API - Container API routes return 401 for non-admin users - routes missing from openai_routes (#19115)
* test_containers_routes_are_llm_api_routes

* allow /containers/* API
2026-01-14 15:14:03 -08:00
yuneng-jiang 567f723214 Merge remote-tracking branch 'origin' into litellm_user_promethus_metrics 2026-01-12 15:59:16 -08:00
yuneng-jiang c29d042df4 Case insensitive email login 2026-01-09 12:51:00 -08:00
Harshit Jain 8a683d9a6a Add fix for bedrock_cache, metadata and max_model_budget (#18872) 2026-01-10 01:09:00 +05:30
yuneng-jiang 1e314ce203 Merge remote-tracking branch 'origin' into litellm_user_promethus_metrics 2026-01-09 09:33:16 -08:00
Harshit Jain 819468554f fix(security): prevent expired key plaintext leak in error response (#18860) 2026-01-09 22:27:39 +05:30
yuneng-jiang d01c48ec5e User metrics for promethus 2026-01-07 15:05:09 -08:00
Lukas de Boer edc8413f1e Add Kubernetes ServiceAccount JWT authentication support (#18055)
* Allow get_nested_value dot notation to support escaping for Kubernetes JWT Support

* Add support for team and org alias fields, add docs, tests

* Fix lint issue with max statements in handle jwt logic
2026-01-02 14:02:31 +05:30
yuneng-jiang 269bc5b26b Expire Previous UI Session Tokens 2025-12-31 19:26:59 -08:00
Sameer Kankute 4c4c9cb353 Add generate content in llm route 2025-12-24 12:16:24 +05:30
Alexsander Hamir 30fa90f70d [Feat] Enable async_post_call_failure_hook to transform error responses (#18348) 2025-12-22 11:24:30 -08:00
Alexsander Hamir 2e7b554747 3[Fix] CI/CD - logging_testing (#18204)
* fix: enforce team member budget check in common_checks

- Add missing team member budget validation in common_checks() function
  - Checks team membership budget when team key is used
  - Raises BudgetExceededError when team member spend exceeds max_budget_in_team
  - Follows same pattern as other budget checks (team, user, end_user)
  - Uses cached get_team_membership() for performance

- Fix AttributeError in lowest_tpm_rpm.py
  - Add null check for model_info before accessing .get() method
  - Prevents 'NoneType' object has no attribute 'get' error

- Add unit tests for team member budget enforcement
  - Test budget exceeded scenario
  - Test within budget scenario
  - Test edge cases (no budget, no membership, personal keys)
  - Tests run without requiring proxy server

Fixes failing test: test_users_in_team_budget

* fix: mock get_async_httpx_client in test_langsmith_key_based_logging

- Mock get_async_httpx_client to return a mock AsyncHTTPHandler instance
- Fixes test failure where mock_post was never called
- LangsmithLogger creates its own httpx client instance via get_async_httpx_client,
  so we need to mock the factory function rather than the class method
- Use MagicMock for response.raise_for_status (sync method) instead of AsyncMock

* fix: resolve linting errors (PLR0915, F401)

- Remove unused imports (datetime, ServiceLoggerPayload) from arize_phoenix.py
- Extract health ping setup logic from RedisCache.__init__ to reduce statement count
- Extract team member budget check from common_checks to reduce statement count

* fix: resolve type errors in ChatCompletionToolCallChunk construction

- Cast type field to Literal['function'] to satisfy TypedDict requirements
- Ensure arguments field is explicitly str type to match TypedDict signature
- Fixes pyright errors for incompatible types in transformation.py
2025-12-18 10:52:24 -08:00
yuneng-jiang f4017a1986 Tests 2025-12-17 16:07:01 -08:00
yuneng-jiang 9907a0d93c Tests 2025-12-15 18:04:27 -08:00
Ishaan Jaff d38f241032 [Feat] JWT Auth - auth allow selecting team_id from request header (#17884)
* feat: add get_team_id_from_header for JWT Auth

* fix Auth builder JWT Auth

* test_get_team_id_from_header

* test_auth_builder_uses_team_from_header_e2e

* Select Team via Request Header
2025-12-12 10:18:20 -08:00
ephrimstanley a91dda1194 Return 403 instead of 503 for unauthorized routes (#17723) 2025-12-09 15:16:11 -08:00
Ishaan Jaff 074445edb1 [Fix] AI Gateway Auth - allow using wildcard patterns for public routes (#17686)
* edit auth utils to allow wildcard patterns

* docs fix private / public routes

* test_route_in_additional_public_routes_wildcard_match
2025-12-08 17:39:53 -08:00
Ishaan Jaff e3116da653 feat: Add /global/spend/tags to admin viewer routes (#17501)
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: ishaan <ishaan@berri.ai>
2025-12-04 14:43:33 -08:00
yuneng-jiang e6620fcdad Ruff checks 2025-12-03 11:01:10 -08:00
yuneng-jiang b3c0ea5414 Merge remote-tracking branch 'origin' into litellm_login_route_refactor 2025-12-03 10:40:11 -08:00
rioiart 1ac2655b17 Fix/organization max budget not enforced (#17334)
* test: add failing tests for organization budget enforcement bug

Add comprehensive tests exposing that organization-level budgets are
retrieved but never enforced during request authentication. Tests verify:

1. Basic org budget exceeded scenario (team under budget, org over)
2. Multiple teams collectively exceeding org budget
3. Organization budget fields exist but are never checked
4. Inconsistency between team budget enforcement (works) and org (doesn't)

Tests intentionally fail to document the bug. Will be fixed in next commit.

Related to organization_max_budget not being enforced in auth_checks.py

* fix: enforce organization budget in auth checks

Add organization budget enforcement to common_checks() in auth_checks.py.
Previously, organization_max_budget was retrieved from DB but never checked,
allowing teams to collectively exceed their organization's budget limit.

Changes:
- Add _organization_max_budget_check() function following team budget pattern
- Call org budget check after team budget check in common_checks()
- Add "organization_budget" to budget_alerts type literals
- Update tests to verify org budget is enforced

Budget hierarchy is now properly enforced:
  Organization Budget (hard ceiling)
    └─ Team Budget (sub-allocation)
        └─ Team Member Budget (per-user within team)
            └─ Key Budget (per-key)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: add organization_id to budget alerts, fix enum comparison and linting of newly added code

- Add organization_id field to CallInfo class for better alert context
- Include organization_id in budget alerts (token, soft, team, org)
- Fix event_group enum comparison (was comparing enum to string)
- Add OrganizationBudgetAlert class for organization budget alerting
- Add organization_budget to test parameterizations
- Apply Black formatting to slack_alerting.py

---------

Co-authored-by: Claude <noreply@anthropic.com>
2025-12-02 22:46:03 -08:00
yuneng-jiang 6ee9d9c344 /login route refactor 2025-12-02 11:19:27 -08:00
Ishaan Jaff 24f847b84c [Feat] JWT Auth - AI Gateway, allow using regular OIDC flow with user info endpoints (#17324)
* feat: allow fetching OIDC user info

* test: use test_auth_builder_with_oidc_userinfo_enabled gets user info when enabled

* fix tool permission doc

* docs fix diagram
2025-12-01 13:59:00 -08:00
v0rtex20k 205a563b65 Allow wildcard routes for nonproxy admin (SCIM) (#17178)
* checked for wildcards in nonproxy

* ready
2025-11-27 22:10:19 -08:00
Sameer Kankute b97ea585b2 Add method for extracting vector store ids from path params (#16566)
* Add method for extracting vector store ids from path params

* Add vector id handling from path

* Move method to utils
2025-11-26 14:19:30 -08:00
Ishaan Jaffer 983ada20c3 mock test fixes 2025-11-26 12:02:35 -08:00
Krish Dholakia 00e17c81a1 Add enforce user param functionality (#17088)
* feat: Add reject_metadata_tags to proxy config

Co-authored-by: krrishdholakia <krrishdholakia@gmail.com>

* Refactor: Rename reject_metadata_tags to reject_clientside_metadata_tags

Co-authored-by: krrishdholakia <krrishdholakia@gmail.com>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
2025-11-25 09:36:24 -08:00
yuneng-jiang 825f61b452 Remove expired proxy admin keys from cache (#16894) 2025-11-22 14:23:28 -08:00
yuneng-jiang 22fd323d6b Calling team/permissions_list and team/permissions_update now returns 404 with non-existent team (#16835) 2025-11-22 14:21:58 -08:00
Ishaan Jaff 2880cb45a2 [Fix] AI Gateway Auth - Ensure Team Tags works when using JWT Auth (#16797)
* fix setting team_metadata

* test_team_metadata_with_tags_flows_through_jwt_auth
2025-11-18 17:36:38 -08:00
Jehandad Kamal 912be308b2 fix: allow internal users to access video generation routes (#16472)
Fixes #16470

Video generation endpoints (/v1/videos, /videos/{video_id}, etc.) were
incorrectly restricted to proxy_admin role only. These routes are now
added to openai_routes list, making them accessible to internal_user
role as they should be - video generation is a legitimate user feature,
not a management/admin operation.

Changes:
- Added 8 video route patterns to LiteLLMRoutes.openai_routes in _types.py
- Added comprehensive tests verifying internal_user and virtual key access
- All existing route permission tests continue to pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>
2025-11-10 17:44:16 -08:00
Sameer Kankute 2ab2d15efc Fix Token Spend is under budget for passthrough (#15805) 2025-10-22 10:55:22 -07:00
Ishaan Jaff f13eb283e1 [Fix] GEMINI - CLI - add google_routes to llm_api_routes (#15500)
* fix: add google_routes to llm_api_routes

* test: test_virtual_key_llm_api_routes_allows_google_routes
2025-10-13 10:58:47 -07:00
Krish Dholakia 5507d50acf Merge branch 'main' into litellm_dev_10_09_2025_p1 2025-10-11 13:06:34 -07:00
Ishaan Jaff 527c8f59fa [Feat] Tag Management - Add support for setting tag based budgets (#15433)
* feat: add LiteLLM_TagTable

* fix: use new table for tag management

* fix - allow setting budgets for tags

* working tag creation

* fix schema.prisma

* add tag info

* ui fixes

* ui fix tag info

* TAG_CACHE_IN_MEMORY_TTL_SECONDS

* add Litellm_EntityType

* fix get_aggregated_db_spend_update_transactions

* fix: _update_entity_spend_in_db

* fix _tag_max_budget_check

* add tag budget check

* add tag_list_transactions

* test_get_tag_objects_batch

* test_update_tag_db_without_prisma_client

* fix get_tags_from_request_body

* get_tags_from_request_body

* fix get_tags_from_request_body

* fix spend tracking utils

* get_tags_from_request_body

* test_get_tags_from_request_body_with_metadata_tags

* feat: add _update_tag_cache spend tracking

* fix _PROXY_track_cost_callback

* test_tag_cache_update_multiple_tags

* fix tag info

* docs fix

* docs tag budgets

* doc fix

* docs fix

* fix tag budget

* docs tag budgets

* docs fix

* ruff fix
2025-10-10 19:24:50 -07:00
Krrish Dholakia 5aa5a3b425 fix(route_checks.py): support team metadata 2025-10-09 17:18:38 -07:00
Ishaan Jaff e73d053de3 [Fix] Proxy Auth - Ensure LLM_API_KEYs can access pass through routes (#15115)
* test_virtual_key_llm_api_routes_allows_registered_pass_through_endpoints

* fix: is_registered_pass_through_route

* docs fix
2025-10-01 14:09:01 -07:00
Copilot f22fd4cddd Fix: Add /v1/messages/count_tokens to Anthropic routes for non-admin user access (#15034)
* Initial plan

* Fix: Add /v1/messages/count_tokens to Anthropic routes for user access

Co-authored-by: ishaan-jaff <29436595+ishaan-jaff@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: ishaan-jaff <29436595+ishaan-jaff@users.noreply.github.com>
2025-09-29 18:16:52 -07:00
iabhi4 dc27bccb45 feat(proxy): Assign default budget to auto-generated JWT teams 2025-09-14 12:04:43 -07:00
Ishaan Jaff 37a599932d [Bug Fix] Virtual keys with llm_api type cause Internal Server Error when using /anthropic/* and other llm passthrough routes (#14046)
* fix route checks passthrough_routes_wildcard

* refactor check_route_access

* test_virtual_key_llm_api_route_includes_passthrough_prefix
2025-08-28 15:14:09 -07:00
Krrish Dholakia 34ad646101 fix(auth_checks.py): handle both flows + add unit tests 2025-08-20 16:42:08 -07:00
Ishaan Jaff 086621e3d3 test_handle_jwt.py 2025-08-13 17:27:50 -07:00
Ishaan Jaff 8e76f8e7d0 [Feat] Team Member Rate Limits + Support for using with JWT Auth (#13601)
* fix - assign tpm/rpm limit onJWT

* add team member rpm/tpm limits

* update - rate limiter v3 with team member rate limits

* update utils

* fixes for LiteLLM_BudgetTable

* undo change

* add TeamMemberBudgetHandler

* add _process_team_member_budget_data

* add get_team_membership

* add safe_get_team_member_rpm_limit and safe_get_team_member_tpm_limit

* LiteLLM_TeamMembership

* add LiteLLM_TeamMembership rate limit for JWTs

* fix

* tests
2025-08-13 17:21:36 -07:00
Ishaan Jaff f60a9cf908 [Bug]: Fix JWTs access not working with model groups (#13474)
* fix can_team_access_model

* test_find_team_with_model_access_model_group
2025-08-09 16:14:51 -07:00
Alexander Yastrebov 825923e7be litellm/proxy: preserve model order of /v1/models and /model_group/info (#13178)
Closes #12644

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
2025-08-02 08:57:38 -07:00
Cole McIntosh 8826e02a98 feat: Add dot notation support for all JWT fields (#13013)
* feat: Add dot notation support for all JWT fields

- Updated all JWT field access methods to use get_nested_value for dot notation support
- Enhanced get_team_id to properly handle team_id_default fallback with nested fields
- Added comprehensive unit tests for nested JWT field access and edge cases
- Updated documentation to reflect dot notation support across all JWT fields
- Maintains full backward compatibility with existing flat field configurations

Supported fields with dot notation:
- team_id_jwt_field, team_ids_jwt_field, user_id_jwt_field
- user_email_jwt_field, org_id_jwt_field, object_id_jwt_field
- end_user_id_jwt_field (roles_jwt_field was already supported)

Example: user_id_jwt_field: 'user.sub' accesses token['user']['sub']

* fix: Add type annotations to resolve mypy errors

- Add explicit type annotation for team_ids variable in get_team_ids_from_jwt
- Add type ignore comment for sentinel object return in get_team_id
- Resolves mypy errors while maintaining functionality

* fix: Resolve mypy type error in get_team_ids_from_jwt

- Remove explicit List[str] type annotation that conflicts with get_nested_value return type
- Simplify return logic to use 'team_ids or []' ensuring always returns List[str]
- Fixes: Incompatible types in assignment (expression has type 'list[str] | None', variable has type 'list[str]')

* fix: Add proper type annotation for team_ids variable

- Use Optional[List[str]] type annotation to satisfy mypy requirements
- Resolves: Need type annotation for 'team_ids' [var-annotated]
- Maintains functionality while ensuring type safety

* refactor: remove outdated JWT unit tests and consolidate JWT-related functionality

- Deleted the test_jwt.py file as it contained outdated and redundant tests.
- Consolidated JWT-related tests into test_handle_jwt.py for better organization and maintainability.
- Updated tests to ensure proper functionality of JWT handling, including token validation and role mapping.
- Enhanced test coverage for JWT field access and nested claims handling.

* test: add comprehensive unit tests for JWT authentication

- Introduced a new test file `test_jwt.py` containing unit tests for JWT authentication.
- Implemented tests for loading configuration with custom role names, validating tokens, and handling team tokens.
- Enhanced coverage for JWT field access, nested claims, and role-based access control.
- Added fixtures for Prisma client and public JWT key generation to support testing.
- Ensured proper handling of valid and invalid tokens, including user and team scenarios.

* revert test_handle_jwt.py

* rename file

* test: remove outdated JWT nesting tests and add new nested field access tests

- Deleted the `test_jwt_nesting.py` file as it contained outdated tests.
- Introduced new tests in `test_handle_jwt.py` to verify nested JWT field access.
- Enhanced coverage for accessing nested values using dot notation and ensured backward compatibility with flat field names.
- Added tests for handling missing nested paths and appropriate default values.
- Improved handling of metadata prefixes in nested field access.

* restore file
2025-07-29 16:51:17 -07:00
Krish Dholakia eed0cf2ee9 UI SSO - fix reset env var when ui_access_mode is updated (#13011)
* fix(ui_sso.py): fix form action on login when sso is enabled

* fix: multiple fixes - fix resetting env var in proxy config + add key to exception message on key decryption

fixes issue where env vars would be reset

* refactor(proxy_server.py): cleanup redundant decryption line

* fix(proxy_setting_endpoints.py): show saved ui access mode

allows admin to know what they'd previously stored in db
2025-07-26 11:42:41 -07:00