fix(control-plane): fail-closed admin auth + startup warning for empty API key (closes #424, #425) #443
…gent-Field#425)

fix(control-plane): add startup error when API key is empty (closes Agent-Field#424)

Issue Agent-Field#424: APIKeyAuth middleware silently passes all requests when AGENTFIELD_API_AUTH_APIKEY is unset — no log line indicates auth is off. Added startup ERROR log in server.go when API key is empty.

Issue Agent-Field#425: AdminTokenAuth middleware is a no-op when adminToken is empty, causing admin routes to fall back to ordinary API-key auth or no auth at all. Changed to fail-closed: returns HTTP 500 with a clear configuration_error message directing operators to set AGENTFIELD_AUTHORIZATION_ADMIN_TOKEN.

Fixes Agent-Field#424, Agent-Field#425
由伟 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Thanks for putting this together. There are two things to address before this can move forward: first, the CLA assistant check above, including linking the commit author email to your GitHub account; and second, the code changes requested in the review below. Please sort out the CLA/email mismatch, rerun the check, and then take a look at the requested-changes review for the auth changes still needed.
santoshkumarradha left a comment
Thanks for working on these security issues. I am requesting changes before this can move forward. The admin-token change is directionally helpful, but the API-key issue is still not actually fixed: the middleware still allows every request through when the API key is empty, so the server can still run with HTTP auth effectively disabled. For #424, we need an explicit fail-fast or guarded insecure-mode behavior rather than only a startup log. Please update this so the empty-API-key case is closed in behavior, not just documented in logs.
Summary
Two security fixes for the AgentField control-plane authentication middleware:
Fix #424 — Empty API key silently disables auth
Before: APIKeyAuth middleware called c.Next() with no log when AGENTFIELD_API_AUTH_APIKEY was unset. Operators had no indication that authentication was disabled.
After: server.go now emits an ERROR log at startup:
Fix #425 — Empty admin token silently bypasses admin protection
Before: AdminTokenAuth middleware called c.Next() when adminToken == "", causing admin-only routes (tag approval, policy management) to fall back to ordinary API-key auth or no auth at all.
After: AdminTokenAuth now returns HTTP 500 with a clear configuration_error message directing operators to set AGENTFIELD_AUTHORIZATION_ADMIN_TOKEN. Admin routes are now fail-closed when the token is unset.
Changes
Payment: EVM 0x6FCBd5d14FB296933A4f5a515933B153bA24370E
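
A sketch of the behavior the review asks for, added here as an illustration and not taken from this PR or the AgentField code base: the empty-API-key case refuses to start unless an explicit insecure mode is requested, and the admin route stays fail-closed when its token is unset. It uses net/http rather than the project's middleware framework; the function signatures, the `allowInsecure` opt-in and the `X-API-Key` / `X-Admin-Token` header names are assumptions.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// equal compares two secrets in constant time.
func equal(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }

// APIKeyAuth fails fast on an empty key; allowInsecure and the header name are hypothetical.
func APIKeyAuth(key string, allowInsecure bool, next http.Handler) (http.Handler, error) {
	if key == "" && !allowInsecure {
		return nil, errors.New("AGENTFIELD_API_AUTH_APIKEY is empty: refusing to start without auth")
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if key != "" && !equal(r.Header.Get("X-API-Key"), key) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r) // reached with a valid key, or in explicit insecure mode
	}), nil
}

// AdminTokenAuth is fail-closed: an unset token yields 500, never a pass-through.
func AdminTokenAuth(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if token == "" {
			http.Error(w, "configuration_error: set AGENTFIELD_AUTHORIZATION_ADMIN_TOKEN", http.StatusInternalServerError)
			return
		}
		if !equal(r.Header.Get("X-Admin-Token"), token) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	_, err := APIKeyAuth("", false, nil)
	fmt.Println("startup:", err)
	rec := httptest.NewRecorder()
	AdminTokenAuth("", http.NotFoundHandler()).ServeHTTP(rec, httptest.NewRequest("GET", "/admin", nil))
	fmt.Println("admin route with unset token:", rec.Code)
}
```

Returning an error from the constructor lets the caller abort startup instead of only logging, which is the difference between the two fixes discussed in the review.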