fix: protect brief API routes#56
Open
ianalloway wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
/api/briefsand/api/briefs/{job_id}endpoints exposed delivered research briefs without callingverify_delivery_token, allowing remote enumeration and disclosure of customer briefs.Description
_is_local_request(request)to detect localhost/testclient callers and reuse it for authorization checks.GET /briefs/{job_id}protected byverify_delivery_token, and require either localhost or a valid token forGET /api/briefs/{job_id}by addingtokenandrequestparameters and enforcingverify_delivery_tokenfor non-local requests.GET /api/briefsenumeration to local requests only by adding arequestparameter and returning403for remote callers.GET /api/receipt/{job_id}to use the new_is_local_requesthelper for consistent localhost-or-token authorization, and add a regression testtest_api_brief_routes_require_localhost_or_delivery_tokenintests/test_server.pycovering local listing/read, remote rejection, and remote token access.Testing
python -m pytest tests/test_server.py, which executed but skipped tests because the FastAPI test client is not available in the environment (tests are guarded and skipped whenfastapi.testclientis absent).python -m compileall solvent/server.py tests/test_server.py, which succeeded without syntax errors.Codex Task