Closed
2 changes: 2 additions & 0 deletions integrations/pi/security.ts
Expand Up @@ -33,3 +33,5 @@ export function createPlaintextBearerAuthGuard(
}
};
}

export const guardPlaintextBearerAuth = createPlaintextBearerAuthGuard();
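Review bot: The added `export const guardPlaintextBearerAuth = createPlaintextBearerAuthGuard();` on the last line of this hunk builds a guard at module load with the factory's defaults and has no doc comment, so a reader of security.ts cannot tell which callers are meant to share this instance rather than call the factory themselves. Either add a short comment naming the intended importers and stating that the defaults apply, or drop the export and let each caller construct its own guard, so that there is one obvious enforcement path for the plaintext bearer check.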
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

```shell
#!/bin/bash
# Verify that the exported guard is actually wired into startup/runtime paths.

set -euo pipefail

echo "== Definition =="
rg -n -C2 'export const guardPlaintextBearerAuth|createPlaintextBearerAuthGuard\s*\(' --type=ts

echo
echo "== Usages of guardPlaintextBearerAuth (excluding its definition) =="
rg -n -C3 '\bguardPlaintextBearerAuth\s*\(' --type=ts

echo
echo "== Any direct guard factory usage in server/bootstrap code =="
rg -n -C3 'createPlaintextBearerAuthGuard\s*\(' --type=ts

echo
echo "== Heuristic check in likely REST/bootstrap files for invocation =="
rg -n -C3 'AGENTMEMORY_REQUIRE_HTTPS|baseUrl|secret|listen\(|createServer|express\(|fastify\(' --type=ts
```

Repository: rohitg00/agentmemory

Length of output: 50377


🏁 Script executed:

```shell
rg -n 'from.*security|import.*guardPlaintextBearerAuth' --type=ts | head -20
```

Repository: rohitg00/agentmemory

Length of output: 1581


🏁 Script executed:

```shell
rg -n 'import.*guardPlaintextBearerAuth|from.*security' --type=ts -A 2 | grep -v benchmark
```

Repository: rohitg00/agentmemory

Length of output: 555


🏁 Script executed:

```shell
rg -n 'security\.guardPlaintextBearerAuth|from.*security.*guardPlaintextBearerAuth' --type=ts
```

Repository: rohitg00/agentmemory

Length of output: 46


🏁 Script executed:

```shell
rg -n 'export.*guardPlaintextBearerAuth' --type=ts
```

Repository: rohitg00/agentmemory

Length of output: 169


🏁 Script executed:

```shell
rg -n 'agentmemoryExtension\|export default function' integrations/pi/index.ts -A 10 | head -30
```

Repository: rohitg00/agentmemory

Length of output: 46


🏁 Script executed:

```shell
sed -n '115,125p' integrations/pi/index.ts
```

Repository: rohitg00/agentmemory

Length of output: 486


🏁 Script executed:

```shell
sed -n '90,105p' integrations/pi/index.ts
```

Repository: rohitg00/agentmemory

Length of output: 687


The exported guard from security.ts is unused; actual enforcement uses a local instance in index.ts.

The export at line 37 serves no purpose — integrations/pi/index.ts defines its own instance (line 33) and invokes it at extension startup (lines 117–120 when AGENTMEMORY_REQUIRE_HTTPS === "1") and on every API request (line 98). Remove the redundant export or document why it exists.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@integrations/pi/security.ts` at line 37, the exported constant
guardPlaintextBearerAuth created via createPlaintextBearerAuthGuard() is
redundant because a separate local instance is created and used in index.ts;
remove the export (delete the export line and keep no global exported guard) or,
if you intend it to be shared, replace the local instance in index.ts to import
this exported symbol instead—update references to use guardPlaintextBearerAuth
or remove the global export so only the local instance (the one in index.ts)
enforces the guard.