Skip to content

API auth fails open when PROTONSHIFT_API_TOKEN is empty #38

Description

@I4cTime

Summary

The auth middleware is gated on if _state.API_TOKEN and ..., so an empty token disables authentication for every endpoint (including DELETE /games/{id}/prefix, PUT /system/power-profile, /open-uri).

Location

src/game_setup_hub/api/_app.py:23-34, token at _state.py:22.

Evidence

if _state.API_TOKEN and request.url.path not in _state.AUTH_EXEMPT_PATHS:  # falsy token => no auth

Failure scenario

cli() always mints a token, so Electron is safe. But importing the ASGI app directly (uvicorn game_setup_hub.api._app:app, a reload runner, or a test harness) serves the full destructive API unauthenticated - any local process or browser tab can hit it.

Fix

Fail closed: require a token, or refuse to start without one.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area: backendPython backend / APIbugSomething isn't workingsecuritySecurity hardening or vulnerabilityseverity: mediumMedium severity

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions