Description
In api/index.py, the verify_token function allows authentication bypass when SECRET_TOKEN is not configured:
import os

SECRET_TOKEN = os.getenv('SECRET_TOKEN')

def verify_token(token):
    if token is not None and token.startswith("Bearer "):
        token = token[len("Bearer "):]
    # Bug: when SECRET_TOKEN is unset and no header is sent, both are None
    return token == SECRET_TOKEN or (token is None and SECRET_TOKEN is None)
When SECRET_TOKEN env var is missing, both token (no Authorization header) and SECRET_TOKEN are None, so verify_token returns True — silently disabling authentication.
Impact
Any unauthenticated request to protected endpoints succeeds when the server is started without SECRET_TOKEN set.
Suggested Fix
The server should either:
- Refuse to start if SECRET_TOKEN is not configured, or
- Deny all requests when the secret is missing (fail-closed).
SECRET_TOKEN = os.getenv('SECRET_TOKEN')
if SECRET_TOKEN is None:
    raise RuntimeError('SECRET_TOKEN environment variable must be set')
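To make the two fail-closed options concrete, here is an added example (not the project's code from api/index.py) that puts the vulnerable check beside a hardened one and a startup guard. The secret is passed in as a parameter rather than read from the environment so both cases can be exercised deterministically; the `env` mapping argument of `load_secret_or_fail` is an assumption for the same reason.

```python
import hmac
import os
from typing import Mapping, Optional


def verify_token_vulnerable(token: Optional[str], secret: Optional[str]) -> bool:
    """The original logic, parameterised on the configured secret."""
    if token is not None and token.startswith("Bearer "):
        token = token[len("Bearer "):]
    # Bug: with no secret configured and no Authorization header, None == None
    # and the second clause is also True, so every request is accepted.
    return token == secret or (token is None and secret is None)


def verify_token_fail_closed(token: Optional[str], secret: Optional[str]) -> bool:
    """Hardened check: an unconfigured secret never grants access."""
    if not secret:
        return False  # fail closed instead of silently disabling auth
    if token is None or not token.startswith("Bearer "):
        return False  # require the Bearer scheme; a bare or missing token is denied
    presented = token[len("Bearer "):]
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(presented.encode("utf-8"), secret.encode("utf-8"))


def load_secret_or_fail(env: Mapping[str, str] = os.environ) -> str:
    """Startup guard: refuse to run at all rather than run without a secret."""
    secret = env.get("SECRET_TOKEN")
    if not secret:
        raise RuntimeError("SECRET_TOKEN environment variable must be set")
    return secret


if __name__ == "__main__":
    # Constructed requests: no header, a wrong token, and the correct one.
    cases = [(None, None), (None, "s3cret"), ("Bearer nope", "s3cret"), ("Bearer s3cret", "s3cret")]
    for tok, sec in cases:
        print(f"token={tok!r:16} secret={sec!r:10} "
              f"vulnerable={verify_token_vulnerable(tok, sec)!s:5} "
              f"fail_closed={verify_token_fail_closed(tok, sec)}")
```

The first row of the output is the bug: with neither a header nor a secret, the vulnerable check returns True while the hardened one returns False.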
Context
Found during code review of PR #522.