BerriAI
diff --git a/‎docs/my-website/docs/proxy/config_settings.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/my-website/docs/proxy/config_settings.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎litellm/proxy/db/create_views.py‎
Lines changed: 57 additions & 28 deletions b/‎litellm/proxy/db/create_views.py‎
Lines changed: 57 additions & 28 deletions
diff --git a/‎litellm/proxy/db/db_transaction_queue/spend_log_cleanup.py‎
Lines changed: 12 additions & 1 deletion b/‎litellm/proxy/db/db_transaction_queue/spend_log_cleanup.py‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎litellm/proxy/management_helpers/team_member_permission_checks.py‎
Lines changed: 13 additions & 4 deletions b/‎litellm/proxy/management_helpers/team_member_permission_checks.py‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎litellm/proxy/proxy_server.py‎
Lines changed: 69 additions & 16 deletions b/‎litellm/proxy/proxy_server.py‎
Lines changed: 69 additions & 16 deletions
@@ -804,6 +804,8 @@ router_settings:
 | LITELLM_ASSETS_PATH | Path to directory for UI assets and logos. Used when running with read-only filesystem (e.g., Kubernetes). Default is `/var/lib/litellm/assets` in Docker.
 | LITELLM_BLOG_POSTS_URL | Custom URL for fetching LiteLLM blog posts JSON. Default is the GitHub main branch URL
 | LITELLM_CLI_JWT_EXPIRATION_HOURS | Expiration time in hours for CLI-generated JWT tokens. Default is 24 hours
+| LITELLM_CORS_ALLOW_CREDENTIALS | Set to `true` to explicitly allow credentials in CORS responses. When not set, credentials are disabled automatically if `LITELLM_CORS_ORIGINS` is `*` (wildcard) to prevent the browser security misconfiguration of reflecting any origin with credentials
+| LITELLM_CORS_ORIGINS | Comma-separated list of allowed CORS origins (e.g. `https://app.example.com,https://admin.example.com`). Defaults to `*` (all origins) when not set
 | LITELLM_DD_AGENT_HOST | Hostname or IP of DataDog agent for LiteLLM-specific logging. When set, logs are sent to agent instead of direct API
 | LITELLM_DEPLOYMENT_ENVIRONMENT | Environment name for the deployment (e.g., "production", "staging"). Used as a fallback when OTEL_ENVIRONMENT_NAME is not set. Sets the `environment` tag in telemetry data
 | LITELLM_DETAILED_TIMING | When true, adds detailed per-phase timing headers to responses (`x-litellm-timing-{pre-processing,llm-api,post-processing,message-copy}-ms`). Default is false. See [latency overhead docs](../troubleshoot/latency_overhead.md)
 
@@ -4,6 +4,12 @@
 
 _db = Any
 
+# Markers that indicate a view/relation does not yet exist in the database.
+# Keeping these in one place avoids repeating the check across all view blocks
+# and prevents overly broad matches (e.g. bare 'undefined' would also match
+# 'undefined function' or 'column undefined_col referenced in query').
+_VIEW_NOT_FOUND_MARKERS = ("does not exist", "no such table", "undefined table")
+
 
 async def create_missing_views(db: _db):  # noqa: PLR0915
     """
@@ -18,14 +24,17 @@ async def create_missing_views(db: _db):  # noqa: PLR0915
 
     If the view doesn't exist, one will be created.
     """
+
     try:
         # Try to select one row from the view
         await db.query_raw("""SELECT 1 FROM "LiteLLM_VerificationTokenView" LIMIT 1""")
-        print("LiteLLM_VerificationTokenView Exists!")  # noqa
-    except Exception:
+        verbose_logger.debug("LiteLLM_VerificationTokenView Exists!")
+    except Exception as e:
+        error_msg = str(e).lower()
+        if not any(marker in error_msg for marker in _VIEW_NOT_FOUND_MARKERS):
+            raise
         # If an error occurs, the view does not exist, so create it
-        await db.execute_raw(
-            """
+        await db.execute_raw("""
                 CREATE VIEW "LiteLLM_VerificationTokenView" AS
                 SELECT
                 v.*,
@@ -37,15 +46,17 @@ async def create_missing_views(db: _db):  # noqa: PLR0915
                 FROM "LiteLLM_VerificationToken" v
                 LEFT JOIN "LiteLLM_TeamTable" t ON v.team_id = t.team_id
                 LEFT JOIN "LiteLLM_ProjectTable" p ON v.project_id = p.project_id;
-            """
-        )
+            """)
 
-        print("LiteLLM_VerificationTokenView Created!")  # noqa
+        verbose_logger.debug("LiteLLM_VerificationTokenView Created!")
 
     try:
         await db.query_raw("""SELECT 1 FROM "MonthlyGlobalSpend" LIMIT 1""")
-        print("MonthlyGlobalSpend Exists!")  # noqa
-    except Exception:
+        verbose_logger.debug("MonthlyGlobalSpend Exists!")
+    except Exception as e:
+        error_msg = str(e).lower()
+        if not any(marker in error_msg for marker in _VIEW_NOT_FOUND_MARKERS):
+            raise
         sql_query = """
         CREATE OR REPLACE VIEW "MonthlyGlobalSpend" AS 
         SELECT
@@ -60,12 +71,15 @@ async def create_missing_views(db: _db):  # noqa: PLR0915
         """
         await db.execute_raw(query=sql_query)
 
-        print("MonthlyGlobalSpend Created!")  # noqa
+        verbose_logger.debug("MonthlyGlobalSpend Created!")
 
     try:
         await db.query_raw("""SELECT 1 FROM "Last30dKeysBySpend" LIMIT 1""")
-        print("Last30dKeysBySpend Exists!")  # noqa
-    except Exception:
+        verbose_logger.debug("Last30dKeysBySpend Exists!")
+    except Exception as e:
+        error_msg = str(e).lower()
+        if not any(marker in error_msg for marker in _VIEW_NOT_FOUND_MARKERS):
+            raise
         sql_query = """
         CREATE OR REPLACE VIEW "Last30dKeysBySpend" AS
         SELECT 
@@ -88,12 +102,15 @@ async def create_missing_views(db: _db):  # noqa: PLR0915
         """
         await db.execute_raw(query=sql_query)
 
-        print("Last30dKeysBySpend Created!")  # noqa
+        verbose_logger.debug("Last30dKeysBySpend Created!")
 
     try:
         await db.query_raw("""SELECT 1 FROM "Last30dModelsBySpend" LIMIT 1""")
-        print("Last30dModelsBySpend Exists!")  # noqa
-    except Exception:
+        verbose_logger.debug("Last30dModelsBySpend Exists!")
+    except Exception as e:
+        error_msg = str(e).lower()
+        if not any(marker in error_msg for marker in _VIEW_NOT_FOUND_MARKERS):
+            raise
         sql_query = """
         CREATE OR REPLACE VIEW "Last30dModelsBySpend" AS
         SELECT
@@ -111,11 +128,14 @@ async def create_missing_views(db: _db):  # noqa: PLR0915
         """
         await db.execute_raw(query=sql_query)
 
-        print("Last30dModelsBySpend Created!")  # noqa
+        verbose_logger.debug("Last30dModelsBySpend Created!")
     try:
         await db.query_raw("""SELECT 1 FROM "MonthlyGlobalSpendPerKey" LIMIT 1""")
-        print("MonthlyGlobalSpendPerKey Exists!")  # noqa
-    except Exception:
+        verbose_logger.debug("MonthlyGlobalSpendPerKey Exists!")
+    except Exception as e:
+        error_msg = str(e).lower()
+        if not any(marker in error_msg for marker in _VIEW_NOT_FOUND_MARKERS):
+            raise
         sql_query = """
             CREATE OR REPLACE VIEW "MonthlyGlobalSpendPerKey" AS 
             SELECT
@@ -132,13 +152,16 @@ async def create_missing_views(db: _db):  # noqa: PLR0915
         """
         await db.execute_raw(query=sql_query)
 
-        print("MonthlyGlobalSpendPerKey Created!")  # noqa
+        verbose_logger.debug("MonthlyGlobalSpendPerKey Created!")
     try:
         await db.query_raw(
             """SELECT 1 FROM "MonthlyGlobalSpendPerUserPerKey" LIMIT 1"""
         )
-        print("MonthlyGlobalSpendPerUserPerKey Exists!")  # noqa
-    except Exception:
+        verbose_logger.debug("MonthlyGlobalSpendPerUserPerKey Exists!")
+    except Exception as e:
+        error_msg = str(e).lower()
+        if not any(marker in error_msg for marker in _VIEW_NOT_FOUND_MARKERS):
+            raise
         sql_query = """
             CREATE OR REPLACE VIEW "MonthlyGlobalSpendPerUserPerKey" AS 
             SELECT
@@ -157,12 +180,15 @@ async def create_missing_views(db: _db):  # noqa: PLR0915
         """
         await db.execute_raw(query=sql_query)
 
-        print("MonthlyGlobalSpendPerUserPerKey Created!")  # noqa
+        verbose_logger.debug("MonthlyGlobalSpendPerUserPerKey Created!")
 
     try:
         await db.query_raw("""SELECT 1 FROM "DailyTagSpend" LIMIT 1""")
-        print("DailyTagSpend Exists!")  # noqa
-    except Exception:
+        verbose_logger.debug("DailyTagSpend Exists!")
+    except Exception as e:
+        error_msg = str(e).lower()
+        if not any(marker in error_msg for marker in _VIEW_NOT_FOUND_MARKERS):
+            raise
         sql_query = """
         CREATE OR REPLACE VIEW "DailyTagSpend" AS
         SELECT
@@ -175,12 +201,15 @@ async def create_missing_views(db: _db):  # noqa: PLR0915
         """
         await db.execute_raw(query=sql_query)
 
-        print("DailyTagSpend Created!")  # noqa
+        verbose_logger.debug("DailyTagSpend Created!")
 
     try:
         await db.query_raw("""SELECT 1 FROM "Last30dTopEndUsersSpend" LIMIT 1""")
-        print("Last30dTopEndUsersSpend Exists!")  # noqa
-    except Exception:
+        verbose_logger.debug("Last30dTopEndUsersSpend Exists!")
+    except Exception as e:
+        error_msg = str(e).lower()
+        if not any(marker in error_msg for marker in _VIEW_NOT_FOUND_MARKERS):
+            raise
         sql_query = """
         CREATE VIEW "Last30dTopEndUsersSpend" AS
         SELECT end_user, COUNT(*) AS total_events, SUM(spend) AS total_spend
@@ -193,7 +222,7 @@ async def create_missing_views(db: _db):  # noqa: PLR0915
         """
         await db.execute_raw(query=sql_query)
 
-        print("Last30dTopEndUsersSpend Created!")  # noqa
+        verbose_logger.debug("Last30dTopEndUsersSpend Created!")
 
     return
 
 
@@ -82,7 +82,7 @@ async def _delete_old_logs(
                 break
             # Step 1: Find logs and delete them in one go without fetching to application
             # Delete in batches, limited by self.batch_size
-            deleted_count = await prisma_client.db.execute_raw(
+            deleted_result = await prisma_client.db.execute_raw(
                 """
                 DELETE FROM "LiteLLM_SpendLogs"
                 WHERE "request_id" IN (
@@ -94,6 +94,17 @@ async def _delete_old_logs(
                 cutoff_date,
                 self.batch_size,
             )
+
+            deleted_count = 0
+            if isinstance(deleted_result, int):
+                deleted_count = deleted_result
+            else:
+                verbose_proxy_logger.error(
+                    f"Unexpected execute_raw return type for spend log cleanup: {type(deleted_result)}; "
+                    "aborting cleanup to avoid infinite loop"
+                )
+                break
+
             verbose_proxy_logger.info(f"Deleted {deleted_count} logs in this batch")
 
             if deleted_count == 0:
 
@@ -98,11 +98,20 @@ async def can_team_member_execute_key_management_endpoint(
         )
 
         # 5. Check if the team member has permissions for the endpoint
-        TeamMemberPermissionChecks.does_team_member_have_permissions_for_endpoint(
-            team_member_object=key_assigned_user_in_team,
-            team_table=team_table,
-            route=route,
+        has_permission = (
+            TeamMemberPermissionChecks.does_team_member_have_permissions_for_endpoint(
+                team_member_object=key_assigned_user_in_team,
+                team_table=team_table,
+                route=route,
+            )
         )
+        if not has_permission:
+            raise ProxyException(
+                message=f"User {user_api_key_dict.user_id} does not belong to team {team_table.team_id}. Team-scoped key management endpoints can only be used for keys in your own team.",
+                type=ProxyErrorTypes.team_member_permission_error,
+                param=route,
+                code=401,
+            )
 
     @staticmethod
     def does_team_member_have_permissions_for_endpoint(
 
@@ -54,7 +54,7 @@
     LITELLM_SETTINGS_SAFE_DB_OVERRIDES,
     LITELLM_UI_ALLOW_HEADERS,
     LITELLM_UI_SESSION_DURATION,
-    DAILY_TAG_SPEND_BATCH_MULTIPLIER
+    DAILY_TAG_SPEND_BATCH_MULTIPLIER,
 )
 from litellm.litellm_core_utils.litellm_logging import (
     _init_custom_logger_compatible_class,
@@ -1139,7 +1139,54 @@ async def openai_exception_handler(request: Request, exc: ProxyException):
 
 
 router = APIRouter()
-origins = ["*"]
+
+
+def _get_cors_config(
+    cors_origins_env: Optional[str] = None,
+    cors_credentials_env: Optional[str] = None,
+):
+    """
+    Compute CORS allowed origins and credentials flag from environment variables.
+
+    Extracted into a function so it can be unit-tested without reloading the module.
+
+    Args:
+        cors_origins_env: Value of LITELLM_CORS_ORIGINS (defaults to os.getenv).
+        cors_credentials_env: Value of LITELLM_CORS_ALLOW_CREDENTIALS (defaults to os.getenv).
+
+    Returns:
+        Tuple[List[str], bool]: (origins, allow_credentials)
+    """
+    _origins_raw = (
+        cors_origins_env
+        if cors_origins_env is not None
+        else os.getenv("LITELLM_CORS_ORIGINS")
+    )
+    if _origins_raw is None or _origins_raw.strip() == "":
+        computed_origins = ["*"]
+    else:
+        computed_origins = [o.strip() for o in _origins_raw.split(",") if o.strip()]
+
+    # Disable credentials by default when wildcard origins are used — combining
+    # allow_origins=["*"] with allow_credentials=True causes Starlette to reflect
+    # the incoming Origin header, allowing any site to make credentialed requests.
+    # Set LITELLM_CORS_ALLOW_CREDENTIALS=true to explicitly restore the old behaviour
+    # (e.g. for non-browser clients that relied on the Access-Control-Allow-Credentials
+    # header being present regardless of origin).
+    _credentials_raw = (
+        cors_credentials_env
+        if cors_credentials_env is not None
+        else os.getenv("LITELLM_CORS_ALLOW_CREDENTIALS")
+    )
+    if _credentials_raw is not None:
+        computed_credentials = _credentials_raw.strip().lower() == "true"
+    else:
+        computed_credentials = "*" not in computed_origins
+
+    return computed_origins, computed_credentials
+
+
+origins, allow_cors_credentials = _get_cors_config()
 
 
 # get current directory
@@ -1466,7 +1513,7 @@ def _restructure_ui_html_files(ui_root: str) -> None:
 app.add_middleware(
     CORSMiddleware,
     allow_origins=origins,
-    allow_credentials=True,
+    allow_credentials=allow_cors_credentials,
     allow_methods=["*"],
     allow_headers=["*"],
     expose_headers=LITELLM_UI_ALLOW_HEADERS,
@@ -2315,9 +2362,13 @@ def _write_health_state_to_router_cache(
 
             exception_status = getattr(original_exception, "status_code", 500)
 
-            if llm_router.health_check_ignore_transient_errors and exception_status in (
-                429,
-                408,
+            if (
+                llm_router.health_check_ignore_transient_errors
+                and exception_status
+                in (
+                    429,
+                    408,
+                )
             ):
                 continue
 
@@ -6286,7 +6337,9 @@ async def initialize_scheduled_background_jobs(  # noqa: PLR0915
 
         ### UPDATE DAILY TAG SPEND (separate scheduler job with longer interval) ###
         ## Reduces QPS as there are more tags for a single request
-        tag_spend_update_interval = int(batch_writing_interval * DAILY_TAG_SPEND_BATCH_MULTIPLIER)
+        tag_spend_update_interval = int(
+            batch_writing_interval * DAILY_TAG_SPEND_BATCH_MULTIPLIER
+        )
         from litellm.proxy.utils import update_daily_tag_spend
 
         scheduler.add_job(
@@ -7131,9 +7184,9 @@ async def chat_completion(  # noqa: PLR0915
             hasattr(user_api_key_dict, "organization_alias")
             and user_api_key_dict.organization_alias is not None
         ):
-            data["metadata"]["user_api_key_org_alias"] = (
-                user_api_key_dict.organization_alias
-            )
+            data["metadata"][
+                "user_api_key_org_alias"
+            ] = user_api_key_dict.organization_alias
         if (
             hasattr(user_api_key_dict, "agent_id")
             and user_api_key_dict.agent_id is not None
@@ -7312,9 +7365,9 @@ async def completion(  # noqa: PLR0915
                 hasattr(user_api_key_dict, "organization_alias")
                 and user_api_key_dict.organization_alias is not None
             ):
-                data["metadata"]["user_api_key_org_alias"] = (
-                    user_api_key_dict.organization_alias
-                )
+                data["metadata"][
+                    "user_api_key_org_alias"
+                ] = user_api_key_dict.organization_alias
             if (
                 hasattr(user_api_key_dict, "agent_id")
                 and user_api_key_dict.agent_id is not None
@@ -7561,9 +7614,9 @@ async def embeddings(  # noqa: PLR0915
                 hasattr(user_api_key_dict, "organization_alias")
                 and user_api_key_dict.organization_alias is not None
             ):
-                data["metadata"]["user_api_key_org_alias"] = (
-                    user_api_key_dict.organization_alias
-                )
+                data["metadata"][
+                    "user_api_key_org_alias"
+                ] = user_api_key_dict.organization_alias
             if (
                 hasattr(user_api_key_dict, "agent_id")
                 and user_api_key_dict.agent_id is not None