fix(security): correct auth bypass negation for localhost binding (#1080)#1301
Closed
OneStepAt4time wants to merge 1 commit into develop from
The auth middleware at src/server.ts:370 had an inverted negation:

- BEFORE: if (!authEnabled && !isLocalhostBinding) return; (wrong)
- AFTER: if (!authEnabled && isLocalhostBinding) return; (correct)

The previous logic skipped auth only when binding to a non-localhost interface with no auth configured, the exact opposite of the intent. This caused the smoke test and all unauthenticated localhost requests to be rejected with 401 after the #1080 auth guard was merged.

Refs: #1080, #1289
Problem

After #1289 merged, the smoke test and all unauthenticated localhost requests return 401.

Root Cause

Negation bug in src/server.ts:370: the logic was inverted, it skipped auth only for non-localhost bindings with no auth, instead of localhost bindings with no auth.

Fix

One-line negation fix. Verified locally: smoke test passes, /v1/sessions returns 200.

Verification

- npm run test:smoke exits 0
- npm run build compiles clean

Refs: #1080, #1289, #1299 (closed: wrong fix)
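As an added example (not code from the project or from this PR), the guard modelled as pure TypeScript functions so that the two forms of the predicate can be compared over all four (authEnabled, isLocalhostBinding) states for an unauthenticated request. The names isLoopbackHost, shouldSkipAuthBefore, shouldSkipAuthAfter, authGuard and AuthGuardRequest, and the shape of the middleware, are assumptions made here for illustration; the page shows only the one conditional. The table makes visible the half of the bug that the 401 symptom hides: with auth disabled, the inverted predicate also skipped the guard on a non-localhost bind.

```typescript
// Added example, not code from the project: models the auth guard in
// src/server.ts as pure functions so the two forms of the predicate can be
// compared over every input. The helper names (isLoopbackHost, shouldSkipAuth*,
// authGuard, AuthGuardRequest) are assumptions made here for illustration.

type Verdict = "pass" | "401";

interface AuthGuardRequest {
  authEnabled: boolean;        // an API key / token is configured
  isLocalhostBinding: boolean; // server listens on a loopback address only
  authenticated: boolean;      // request carried valid credentials
}

// Assumed helper: decide whether a bind host is loopback-only. Wildcard
// binds (0.0.0.0, ::) and any routable address are NOT localhost.
function isLoopbackHost(host: string): boolean {
  const h = host.trim().toLowerCase();
  if (h === "localhost" || h === "::1" || h === "[::1]") return true;
  // Strip an IPv4-mapped IPv6 prefix (::ffff:127.0.0.1).
  const v4 = h.indexOf("::ffff:") === 0 ? h.slice(7) : h;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(v4);
  return m !== null && m[1] === "127" && m.slice(1).every((o) => Number(o) <= 255);
}

// BEFORE (as merged in #1080): negation inverted on the binding check.
function shouldSkipAuthBefore(authEnabled: boolean, isLocalhostBinding: boolean): boolean {
  return !authEnabled && !isLocalhostBinding;
}

// AFTER (this PR): skip the guard only when no auth is configured AND the
// server is reachable from loopback alone.
function shouldSkipAuthAfter(authEnabled: boolean, isLocalhostBinding: boolean): boolean {
  return !authEnabled && isLocalhostBinding;
}

type SkipPredicate = (authEnabled: boolean, isLocalhostBinding: boolean) => boolean;

// Stand-in for the middleware: a skipped guard lets the request through,
// otherwise valid credentials are required or the request gets a 401.
function authGuard(skip: SkipPredicate, req: AuthGuardRequest): Verdict {
  if (skip(req.authEnabled, req.isLocalhostBinding)) return "pass";
  return req.authenticated ? "pass" : "401";
}

interface ComparisonRow {
  authEnabled: boolean;
  isLocalhostBinding: boolean;
  before: Verdict;
  after: Verdict;
}

// Exhaustive table for an unauthenticated request over the four
// (authEnabled, isLocalhostBinding) states. The two predicates disagree
// exactly when auth is disabled: the old one rejects localhost (the 401
// regression) and waves through a non-localhost bind (the worse outcome).
function compareUnauthenticated(): ComparisonRow[] {
  const rows: ComparisonRow[] = [];
  for (const authEnabled of [false, true]) {
    for (const isLocalhostBinding of [false, true]) {
      const req: AuthGuardRequest = { authEnabled, isLocalhostBinding, authenticated: false };
      rows.push({
        authEnabled,
        isLocalhostBinding,
        before: authGuard(shouldSkipAuthBefore, req),
        after: authGuard(shouldSkipAuthAfter, req),
      });
    }
  }
  return rows;
}

// Rows where the fix changes the outcome.
function disagreements(): ComparisonRow[] {
  return compareUnauthenticated().filter((r) => r.before !== r.after);
}

console.table(compareUnauthenticated());
```

Run it with ts-node (or compile with tsc and run the output) to print the four rows. With auth disabled and a wildcard bind such as 0.0.0.0, the corrected predicate still demands credentials; that is the intended behaviour, since the guard is only relaxed when the listener cannot be reached from other hosts.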