Summary
The auth middleware is gated on if _state.API_TOKEN and ..., so an empty token disables authentication for every endpoint (including DELETE /games/{id}/prefix, PUT /system/power-profile, /open-uri).
Location
src/game_setup_hub/api/_app.py:23-34, token at _state.py:22.
Evidence
if _state.API_TOKEN and request.url.path not in _state.AUTH_EXEMPT_PATHS: # falsy token => no auth
Failure scenario
cli() always mints a token, so Electron is safe. But importing the ASGI app directly (uvicorn game_setup_hub.api._app:app, a reload runner, or a test harness) serves the full destructive API unauthenticated - any local process or browser tab can hit it.
Fix
Fail closed: require a token, or refuse to start without one.
Summary
The auth middleware is gated on
if _state.API_TOKEN and ..., so an empty token disables authentication for every endpoint (includingDELETE /games/{id}/prefix,PUT /system/power-profile,/open-uri).Location
src/game_setup_hub/api/_app.py:23-34, token at_state.py:22.Evidence
Failure scenario
cli()always mints a token, so Electron is safe. But importing the ASGI app directly (uvicorn game_setup_hub.api._app:app, a reload runner, or a test harness) serves the full destructive API unauthenticated - any local process or browser tab can hit it.Fix
Fail closed: require a token, or refuse to start without one.