fix: add API key auth gate on all mutating routes via before_request#95
fix: add API key auth gate on all mutating routes via before_request#95Joshua-Medvinsky wants to merge 1 commit into
Conversation
Signed-off-by: FailSafe Researcher <joshua@getfailsafe.com>
b7c4ec0 to
2e5c591
Compare
|
Hi maintainers — friendly follow-up on this security hardening PR. It has been open for a while with no reviewer feedback, so I wanted to resurface it. Happy to rebase, adjust the approach, add tests, or split the change differently if that would make review easier. Thanks! |
|
Hi — this security PR has been open for 40 days without maintainer response. Per our responsible disclosure policy, I'll be closing this PR shortly. I may resubmit via a bounty platform if appropriate. Thanks for your time. |
|
Closing per responsible disclosure policy: 35+ days open with no maintainer response. May resubmit via bounty platform. |
|
This security fix has been open for 30+ days. Per our responsible disclosure timeline, we'd like to move toward resolution. We can: (1) rebase and adjust the patch, (2) reach out via security@ email, or (3) resubmit via a bounty platform. Please let us know your preference. |
Summary
The Flask application exposes all endpoints — including message handling (
/a2aPOST), streaming, task creation/cancellation, and the AgentFlow management API — with no authentication. Any unauthenticated HTTP client can invoke agent logic, create/cancel tasks, spawn subprocesses, and read all agent outputs. The server defaults to binding on0.0.0.0:5000.Fix
Add a
before_requesthook that checksA2A_API_KEYenv var on all mutating routes (POST, PUT, DELETE, PATCH). If the key is set, requests must include it as aBearertoken in theAuthorizationheader. If the key is not set, the server operates in open-access dev mode (backwards compatible).Test Plan
A2A_API_KEYset, unauthenticated POST returns 401A2A_API_KEYset, authenticated POST with correct Bearer token succeedsA2A_API_KEY, all routes work as before (dev mode)Security Note
Severity: High. Fail-open auth on all mutating endpoints allows unauthenticated task execution, agent hijacking, and subprocess spawning.