From 766d87b5c1e571a170361599f60ae06094cb212d Mon Sep 17 00:00:00 2001
From: FailSafe Researcher
Date: Tue, 9 Jun 2026 20:23:20 -0700
Subject: [PATCH] fix: gate unauthenticated local routes behind ENV check
Local development routes in app/local/ have no authentication guards. Including them unconditionally in the production FastAPI app exposes unauthenticated CRUD on agents, chat threads, and autonomous tasks to any network-reachable client. Guard the local router registration behind a check on config.env so they are only included when ENV is explicitly set to a dev/test value. Production deployments (ENV=production) no longer expose these routes.
Signed-off-by: FailSafe Researcher
---
 app/api.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/app/api.py b/app/api.py
index b02bd716f..84f0f224b 100644
--- a/app/api.py
+++ b/app/api.py
@@ -138,17 +138,18 @@ async def lifespan(app: FastAPI):
 )
-# NOTE: Local/core routes are intentionally unauthenticated.
-# They are designed for local development and debugging only.
-# In production, these should not be exposed to the public internet.
-_ = app.include_router(agent_router)
-_ = app.include_router(autonomous_router)
-_ = app.include_router(chat_router)
-_ = app.include_router(lead_router)
-_ = app.include_router(content_router)
-_ = app.include_router(metadata_router)
-_ = app.include_router(schema_router)
-_ = app.include_router(wechat_router)
+# Local/core routes are unauthenticated — for local development only.
+# Guard them behind the ENV setting so they are never registered in production.
+_LOCAL_ENVS = {"local", "development", "dev", "test", "testing"}
+if config.env.lower() in _LOCAL_ENVS:
+ _ = app.include_router(agent_router)
+ _ = app.include_router(autonomous_router)
+ _ = app.include_router(chat_router)
+ _ = app.include_router(lead_router)
+ _ = app.include_router(content_router)
+ _ = app.include_router(metadata_router)
+ _ = app.include_router(schema_router)
+ _ = app.include_router(wechat_router)
 _ = app.include_router(core_router)
 _ = app.include_router(twitter_callback_router, include_in_schema=False)
 _ = app.include_router(twitter_oauth2_router)
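Review bot: The new comment above the guard still says "Local/core routes are unauthenticated", yet `_ = app.include_router(core_router)` stays outside the `if` and is registered in every environment, so if core_router really is unauthenticated (as the removed NOTE also stated) the commit leaves that surface exposed in production; either move that line under the guard or reword the comment to say why core_router is exempt, e.g. `# core_router stays registered in every env because <reason>`. The allow-list only protects a deployment whose ENV is explicitly set: I cannot see config from this hunk, so it is worth confirming that the default value of `config.env` when ENV is unset is not one of `_LOCAL_ENVS`, and that `config.env` cannot be None, since `config.env.lower()` would raise AttributeError at import time. A startup log line when the local routers are included, e.g. `logger.warning("ENV=%s: registering unauthenticated local routers", config.env)` if the module has a logger, would make a misconfigured deployment visible in the logs rather than only on the wire.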