Short-circuit API rate limiter for unauthenticated user

Calls by unauthenticated users were failing at API rate limiter as it
failed to access user info object. This is a bug.

API rate limiter should short-circuit for unauthenticated users so a
proper Forbidden response can be returned by API

Add regression test to verify that unauthenticated users get 403
response when calling the /chat API endpoint
Debanjum Singh Solanky
2024-01-11 22:21:57 +05:30
parent b1269fdad2
commit ba99089a12
3 changed files with 43 additions and 30 deletions


@@ -299,6 +299,11 @@ class ApiUserRateLimiter:
self.cache: dict[str, list[float]] = defaultdict(list)
def __call__(self, request: Request):
# Rate limiting is disabled if user unauthenticated.
# Other systems handle authentication
if not request.user.is_authenticated:
return
user: KhojUser = request.user.object
subscribed = has_required_scope(request, ["premium"])
user_requests = self.cache[user.uuid]
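Review bot: the early `return` when `request.user.is_authenticated` is false makes the limiter a no-op for unauthenticated requests, so the 403 the commit message promises only materializes if an authentication dependency runs on the `/chat` route after (or independently of) this limiter; the regression test mentioned in the commit message should cover that ordering, and the comment `# Other systems handle authentication` would be more useful if it named which dependency is expected to reject the request. Also consider a debug log on this branch so that a misconfigured route that skips the auth check is visible in logs rather than silently unlimited.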