
[pull] main from areal-project:main #71

Merged
pull[bot] merged 1 commit into axistore80-coder:main from areal-project:main
May 11, 2026


Conversation

@pull pull Bot commented May 11, 2026

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

* fix(proxy): refuse default admin key on non-loopback bind

The proxy rollout server previously accepted the well-known
DEFAULT_ADMIN_API_KEY ('areal-admin-key') and only logged a warning,
even when bound to a non-loopback interface (--host defaults to
0.0.0.0, which is then resolved to the host's IP). Any attacker
reachable on the network could authenticate to admin endpoints
(grant_capacity, start_session, export_trajectories) using this
public default value.

_setup_openai_client now raises RuntimeError when the resolved
server host is not a loopback address and the configured admin key
is still the documented default. Local single-host development is
unaffected; operators who knowingly accept the risk in a trusted
environment can set AREAL_ALLOW_DEFAULT_ADMIN_KEY=1.

* address review: validate admin key before global assign; bind uvicorn to configured host
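The startup check the commit message describes, written out as an added illustration (this is not the project's code; the constant names, the host-resolution helper and the injectable `env` mapping are assumptions made for this example):

```python
import ipaddress
import os
import socket

# Constructed for this example; the project's real constants may differ.
DEFAULT_ADMIN_API_KEY = "areal-admin-key"
ALLOW_ENV = "AREAL_ALLOW_DEFAULT_ADMIN_KEY"


def resolve_host(host: str) -> str:
    """Map a bind host to the address clients would actually reach.

    0.0.0.0 and :: are wildcard binds: the server answers on every
    interface, so treat them as non-loopback without any lookup (the
    commit message says the project resolves this to the host's IP; the
    outcome of the check is the same either way).
    """
    if host in ("", "0.0.0.0", "::"):
        return "0.0.0.0"
    try:
        ipaddress.ip_address(host)  # already an IP literal
        return host
    except ValueError:
        return socket.gethostbyname(host)  # e.g. "localhost" -> "127.0.0.1"


def is_loopback(address: str) -> bool:
    return ipaddress.ip_address(address).is_loopback


def validate_admin_key(host: str, admin_key: str, env=None) -> str:
    """Return the key if it is safe to use on this bind, else raise.

    Run this before the key is assigned anywhere global: the documented
    default is refused unless the server listens only on loopback, or the
    operator explicitly opts in with AREAL_ALLOW_DEFAULT_ADMIN_KEY=1.
    """
    env = os.environ if env is None else env
    if admin_key != DEFAULT_ADMIN_API_KEY:
        return admin_key  # a real key: nothing to refuse
    resolved = resolve_host(host)
    if is_loopback(resolved):
        return admin_key  # local single-host development is unaffected
    if env.get(ALLOW_ENV) == "1":
        return admin_key  # operator knowingly accepted the risk
    raise RuntimeError(
        f"refusing default admin key on non-loopback bind {host!r} "
        f"(resolved {resolved}); set a real key or export {ALLOW_ENV}=1"
    )
```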
@pull pull Bot locked and limited conversation to collaborators May 11, 2026
@pull pull Bot added the ⤵️ pull label May 11, 2026
@pull pull Bot merged commit 19fec3b into axistore80-coder:main May 11, 2026