From 88bfeee23402ee5048f5da02136f2ebcefdd377c Mon Sep 17 00:00:00 2001
From: kenwoodjw
Date: Mon, 8 Dec 2025 10:22:57 +0800
Subject: [PATCH] feat: allow admin api key to bypass csrf validation (#29139)

Signed-off-by: kenwoodjw
---
 api/libs/token.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/api/libs/token.py b/api/libs/token.py
index 098ff958da..a34db70764 100644
--- a/api/libs/token.py
+++ b/api/libs/token.py
@@ -189,6 +189,11 @@ def build_force_logout_cookie_headers() -> list[str]:
 def check_csrf_token(request: Request, user_id: str):
 # some apis are sent by beacon, so we need to bypass csrf token check
 # since these APIs are post, they are already protected by SameSite: Lax, so csrf is not required.
+ if dify_config.ADMIN_API_KEY_ENABLE:
+ auth_token = extract_access_token(request)
+ if auth_token and auth_token == dify_config.ADMIN_API_KEY:
+ return
+
 def _unauthorized():
 raise Unauthorized("CSRF token is missing or invalid.")
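Review bot: The admin-key comparison on the third added line is a plain `==` on a secret that, when it matches, switches off CSRF validation entirely; a plain string compare short-circuits on the first differing byte, so it should be constant-time, e.g. `if auth_token and dify_config.ADMIN_API_KEY and hmac.compare_digest(auth_token, dify_config.ADMIN_API_KEY):` with `import hmac` at the top of the file, keeping the truthiness guards so an unset key can never match or raise. The new block also sits directly under the existing comment about beacon-sent APIs, which now reads as its rationale; add above the `if` a comment such as `# A request authenticated with the admin API key carries it in a header a browser will not attach cross-site, so it cannot be forged via session cookies and needs no CSRF token.` That justification only holds if `extract_access_token` reads the Authorization header and not a query parameter or cookie, which is not visible here and is worth confirming, since a key accepted from the URL would reopen the forgery vector the check exists to close. check_csrf_token's body continues past the end of the hunk.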