Ratelimit text to speech model. Validate share chat url domain

- Do not log auth error message on server when Resend setup as Magic links for sign-in are now supported
2026-03-02 21:19:12 +00:00 · 2024-07-06 12:53:19 +05:30
parent b334db0fca
commit 9bdb48807b
2 changed files with 25 additions and 8 deletions
--- a/src/khoj/routers/api_chat.py
+++ b/src/khoj/routers/api_chat.py
@@ -13,6 +13,7 @@ from starlette.authentication import requires
 from starlette.websockets import WebSocketDisconnect
 from websockets import ConnectionClosedOK

+from khoj.app.settings import ALLOWED_HOSTS
 from khoj.database.adapters import (
    ConversationAdapters,
    DataStoreAdapters,
@@ -189,7 +190,17 @@ async def sendfeedback(request: Request, data: FeedbackData):

@api_chat.post("/speech")
@requires(["authenticated", "premium"])
-async def text_to_speech(request: Request, common: CommonQueryParams, text: str):
+async def text_to_speech(
+    request: Request,
+    common: CommonQueryParams,
+    text: str,
+    rate_limiter_per_minute=Depends(
+        ApiUserRateLimiter(requests=5, subscribed_requests=20, window=60, slug="chat_minute")
+    ),
+    rate_limiter_per_day=Depends(
+        ApiUserRateLimiter(requests=5, subscribed_requests=300, window=60 * 60 * 24, slug="chat_day")
+    ),
+) -> Response:
    voice_model = await ConversationAdapters.aget_voice_model_config(request.user.object)

    params = {"text_to_speak": text}
@@ -386,17 +397,19 @@ def duplicate_chat_history_public_conversation(
    conversation_id: int,
 ):
    user = request.user.object
+    domain = request.headers.get("host")
+    scheme = request.url.scheme
+
+    # Throw unauthorized exception if domain not in ALLOWED_HOSTS
+    host_domain = domain.split(":")[0]
+    if host_domain not in ALLOWED_HOSTS:
+        raise HTTPException(status_code=401, detail="Unauthorized domain")

    # Duplicate Conversation History to Public Conversation
    conversation = ConversationAdapters.get_conversation_by_user(user, request.user.client_app, conversation_id)
-
    public_conversation = ConversationAdapters.make_public_conversation_copy(conversation)
-
    public_conversation_url = PublicConversationAdapters.get_public_conversation_url(public_conversation)

-    domain = request.headers.get("host")
-    scheme = request.url.scheme
-
    update_telemetry_state(
        request=request,
        telemetry_type="api",
--- a/src/khoj/routers/auth.py
+++ b/src/khoj/routers/auth.py
@@ -42,8 +42,12 @@ if not state.anonymous_mode:
        from google.oauth2 import id_token
    except ImportError:
        missing_requirements += ["Install the Khoj production package with `pip install khoj-assistant[prod]`"]
-    if not os.environ.get("GOOGLE_CLIENT_ID") or not os.environ.get("GOOGLE_CLIENT_SECRET"):
-        missing_requirements += ["Set your GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET as environment variables"]
+    if not os.environ.get("RESEND_API_KEY") and (
+        not os.environ.get("GOOGLE_CLIENT_ID") or not os.environ.get("GOOGLE_CLIENT_SECRET")
+    ):
+        missing_requirements += [
+            "Set your RESEND_API_KEY or GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET as environment variables"
+        ]
    if missing_requirements:
        requirements_string = "\n   - " + "\n   - ".join(missing_requirements)
        error_msg = f"🚨 Start Khoj with --anonymous-mode flag or to enable authentication:{requirements_string}"