fix: enforce authentication on unauthenticated endpoints and harden auth_must#1294
Open
eren-karakus0 wants to merge 2 commits intoeigent-ai:mainfrom
Open
Conversation
…uth_must
- snapshot listing (GET /snapshots): add missing auth_must dependency and
filter results by authenticated user's ID to prevent cross-user data leak
- snapshot get (GET /snapshots/{id}): add ownership check to prevent IDOR —
authenticated users could previously read any user's snapshots by ID
- share link creation (POST /share): add auth_must dependency to prevent
unauthenticated users from generating share tokens for arbitrary task IDs
- auth_must: add explicit None check before JWT decode — oauth2_scheme uses
auto_error=False which returns None instead of 401 when no token is provided,
causing auth_must to pass None to jwt.decode() and produce an opaque error
bytecii
reviewed
Feb 19, 2026
Collaborator
bytecii
left a comment
bytecii
left a comment
There was a problem hiding this comment.
In general LGTM, left some comments.
server/tests/test_auth.py
Outdated
|
|
||
| def test_create_share_link_requires_auth_dependency(self): | ||
| """POST /share must include auth_must as a dependency.""" | ||
| from app.controller.chat.share_controller import create_share_link |
Collaborator
There was a problem hiding this comment.
Move these imports at the top
server/tests/test_auth.py
Outdated
| assert "auth" in param_names | ||
|
|
||
|
|
||
| class TestShareLinkAuthRequirement: |
Collaborator
There was a problem hiding this comment.
Let's remove the class and just use def test_xxx
- Move share_controller imports to module top level - Replace TestShareLinkAuthRequirement class with plain test functions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related Issue
Closes #1293
Description
This PR fixes 4 authentication and authorization vulnerabilities in the server layer, discovered during a systematic audit of endpoint security.
1. CRITICAL — Unauthenticated Snapshot Listing (
server/app/controller/chat/snapshot_controller.py)Before:
GET /chat/snapshotshad noauth_mustdependency. Any unauthenticated request could list ALL snapshots across ALL users, leakingapi_task_id,image_path, andbrowser_urldata.After: Added
auth: Auth = Depends(auth_must)and aChatSnapshot.user_id == user_idfilter. Users can now only list their own snapshots. This aligns with the existing behavior of all other snapshot CRUD endpoints.2. HIGH — Snapshot IDOR in Get Endpoint (
server/app/controller/chat/snapshot_controller.py)Before:
GET /chat/snapshots/{snapshot_id}required authentication but did NOT verify that the snapshot belonged to the authenticated user. Any authenticated user could read any other user's snapshots by iterating IDs.After: Added an ownership check:
if snapshot.user_id != user_id: raise HTTPException(403). This is consistent with theupdateanddeleteendpoints which already had this check.3. HIGH — Unauthenticated Share Link Creation (
server/app/controller/chat/share_controller.py)Before:
POST /chat/sharehad no auth dependency. Anyone could generate share tokens for arbitrarytask_idvalues without authentication.After: Added
auth: Auth = Depends(auth_must)and includeduser_idin audit logs. Read endpoints (GET /share/info/{token},GET /share/playback/{token}) intentionally remain public since they use the share token itself for authorization.4. HIGH —
auth_mustSilent Bypass (server/app/component/auth.py)Before:
auth_mustdepended onoauth2_schemewhich hasauto_error=False. When no token was provided, the scheme returnedNoneinstead of raising 401.auth_mustthen passedNonetojwt.decode(), which threw an opaqueInvalidTokenError("Could not validate credentials").After: Added an explicit
Nonecheck at the top ofauth_mustwith a clear "Authentication required" error message. The type annotation was also updated tostr | Noneto accurately reflect whatoauth2_schemereturns withauto_error=False.Testing Evidence (REQUIRED)
Tests added (
server/tests/test_auth.py):TestAuthMustNoneTokenHandling (3 tests):
auth_mustacceptsNonetype annotationauth_mustraisesTokenExceptiononNonetokenjwt.decodeis never called withNoneinputTestSnapshotEndpointAuthRequirements (5 tests):
list,get,create,update,delete) haveauthparameterTestShareLinkAuthRequirement (2 tests):
create_share_linkrequiresauthparameterget_share_info,share_playback) correctly use token-based auth (not user auth)What is the purpose of this pull request?
Contribution Guidelines Acknowledgement