fix: require authentication on validate-api-key endpoint (#481)

* fix: require authentication on validate-api-key endpoint

The POST /api/validate-api-key endpoint was missing the @token_required
decorator, allowing unauthenticated users to proxy LLM API calls through
the server. Add @token_required to match all other POST endpoints.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: suppress pylint unused-argument for decorated request param

The @token_required decorator consumes the request argument before the
function body, so pylint incorrectly flags it as unused.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add 401 response to OpenAPI docs for validate-api-key

Add responses={401: UNAUTHORIZED_RESPONSE} to match the convention
used by all other @token_required endpoints.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: gkorland

api/routes/settings.py

@@ -6,6 +6,9 @@
 from pydantic import BaseModel
 from litellm import completion
 
+from api.auth.user_management import token_required
+from api.routes.tokens import UNAUTHORIZED_RESPONSE
+
 settings_router = APIRouter(tags=["Settings"])
 
 
@@ -21,14 +24,14 @@ class ValidateKeyRequest(BaseModel):
     model: str = "gpt-3.5-turbo"
 
 
-@settings_router.post("/validate-api-key")
-async def validate_api_key(request: Request, data: ValidateKeyRequest):  # pylint: disable=too-many-return-statements
+@settings_router.post("/validate-api-key", responses={401: UNAUTHORIZED_RESPONSE})
+@token_required
+async def validate_api_key(request: Request, data: ValidateKeyRequest):  # pylint: disable=too-many-return-statements,unused-argument
     """
     Validate an AI provider API key by making a simple test request.
     This endpoint does not store the key, it only validates it.
     Supports: openai, google, anthropic
     """
-    _ = request
     api_key = data.api_key.strip()
     vendor = data.vendor.lower()
     model = data.model