replicate/replicate-python

API TOKEN client side verification missing.

asingh9530 opened this issue · 1 comment

Hi Team,

I wanted to know why there is no token check on the client side. For context, I was running this sample here, but I was exporting the API TOKEN incorrectly, and as soon as I ran the following `replicate.run` it threw an error, `ReplicateError: You did not pass an authentication token`, which is expected. But why is there no warning or type error raised in client.py, specifically in the following code?

    if (
        api_token := api_token or os.environ.get("REPLICATE_API_TOKEN")
    ) and api_token != "":
        headers["Authorization"] = f"Token {api_token}"

It could have been something like this:

    if (
        api_token := api_token or os.environ.get("REPLICATE_API_TOKEN")
    ) and api_token != "" and len(api_token) == TOKEN_LENGTH:
        headers["Authorization"] = f"Token {api_token}"
    else:
        raise ValueError("Invalid token provided check if token present")

Token verification should happen at the client's end; only authentication should be done at the server's end. If this is a design choice, I would like to know the reason; if this is something you want to fix, I'm happy to raise a PR, since this is a very small change.

Hi @asingh9530. We delegate the auth check to the server because the client library can be used with a custom base URL. For example, you could proxy Replicate's API, and add an auth header on outgoing requests, in which case the API token isn't required.
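To make the trade-off in the two comments concrete, here is an added example (written for this page, not code from replicate-python) that resolves the token the same way as the snippet quoted in the issue, fails fast locally only when the request would go to the default API host, and lets a custom base URL through without a token because an authenticating proxy is expected to add its own `Authorization` header. The default host `https://api.replicate.com`, the `MissingTokenError` class, the `build_auth_headers` and `proxy_outgoing_headers` functions, and the `env` parameter are all assumptions of this example, not the library's API.

```python
import os
from typing import Dict, Mapping, Optional

# Assumed for this example: the host a bare client talks to when no
# custom base URL is configured.
DEFAULT_BASE_URL = "https://api.replicate.com"


class MissingTokenError(ValueError):
    """Raised locally, before any request is sent, when a token is required but absent."""


def requires_token(base_url: str) -> bool:
    """A token is mandatory only for the default host. A custom base_url
    (for example a proxy that authenticates upstream itself) does not need one."""
    return base_url.rstrip("/") == DEFAULT_BASE_URL


def build_auth_headers(
    api_token: Optional[str] = None,
    base_url: str = DEFAULT_BASE_URL,
    env: Mapping[str, str] = os.environ,
) -> Dict[str, str]:
    """Return the Authorization header for an outgoing request.

    Resolution order mirrors the issue's snippet: an explicit argument wins,
    then REPLICATE_API_TOKEN from the environment. Unlike the snippet, a
    missing token is reported here, at client construction time, but only
    when the target is the default host; with a custom base_url the header
    is simply omitted so the proxy can supply its own.
    """
    token = api_token or env.get("REPLICATE_API_TOKEN") or ""
    headers: Dict[str, str] = {}
    if token != "":
        headers["Authorization"] = f"Token {token}"
    elif requires_token(base_url):
        raise MissingTokenError(
            "No API token: pass api_token= or set REPLICATE_API_TOKEN"
        )
    # Custom base_url and no token: allowed; the proxy is expected to authenticate.
    return headers


def proxy_outgoing_headers(client_headers: Mapping[str, str], upstream_token: str) -> Dict[str, str]:
    """Model the proxy case from the maintainer's reply: whatever the client
    sent, the proxy overwrites Authorization with its own upstream token, so
    the client never needed one."""
    forwarded = dict(client_headers)
    forwarded["Authorization"] = f"Token {upstream_token}"
    return forwarded


if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    print(build_auth_headers("tok-direct", env={}))
    print(build_auth_headers(base_url="https://proxy.internal/replicate", env={}))
    print(proxy_outgoing_headers({}, "tok-upstream"))
    try:
        build_auth_headers(env={})
    except MissingTokenError as exc:
        print("rejected locally:", exc)
```

The presence check is deliberately not a length check: a length constant such as the `TOKEN_LENGTH` proposed above would reject any future token format, while a presence check against the default host catches the misconfiguration the reporter hit without breaking the proxy use case the maintainer describes.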