Refactor/Update endpoint routing configuration

[yau-wd]

Description

• Manage endpoints that should not accept API key authentication.
• Improve endpoint validation logic in upsertVector utility to prevent authorization bypass.

Test

Upsert Vector

Correct Workspace API Key	UI Upsert	Wrong Workspace API Key

Endpoints Disallow API Keys

[gemini-code-assist]

Summary of Changes

Hello @yau-wd, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the endpoint routing configuration to significantly improve security and access control across the application. By introducing a mechanism to blacklist certain URLs for API key access and implementing strict workspace-based authorization for vector upsert operations, the changes aim to prevent unauthorized data manipulation and access to sensitive functionalities. These updates streamline the authentication flow and reinforce the integrity of API interactions.

Highlights

• Enhanced API Key Security: Introduced a blacklist for API key access to specific endpoints, starting with /api/v1/nvidia-nim, to prevent unauthorized usage.
• Restricted Vector Upsert Access: Implemented an authorization check for vector upsert operations, ensuring that users can only perform these actions within their currently active workspace.
• Endpoint Whitelist Updates: Modified the WHITELIST_URLS to remove /api/v1/vector/upsert/ and /api/v1/nvidia-nim, aligning with the new security measures.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request refactors endpoint routing configurations, primarily to enhance security by enforcing authentication on previously whitelisted endpoints like vector upsert. A key change is the introduction of an authorization check in upsertVector.ts to ensure the user's active workspace matches the chatflow's workspace.

While this is a valuable security improvement, I've identified a critical issue with the implementation. The new authorization check will likely break functionality for UI-authenticated users because the main authentication middleware does not seem to handle their session type for this newly protected route. This will cause req.user to be undefined, leading to failed authorization. My review includes a detailed comment on this issue.