fix: require admin auth on beacon agent wallet GET endpoint#6322
Conversation
- /wallet/balances/all: exposes all miner RTC balances + rankings - /lottery/eligibility: exposes miner lottery eligibility + epoch info - /consensus/round_robin_status: exposes all attested miners + multipliers Fixes Algora bounty Scottcjn#73 (Scottcjn/Rustchain)
- GET /sophia/status/<miner_id>: exposes miner verdict, device fingerprint, fingerprint score - GET /sophia/status: exposes ALL miners' verdicts, device fingerprints, scores Fixes Algora bounty Scottcjn#73 (Scottcjn/Rustchain)
- GET /api/airdrop/claim/<claim_id>: exposes github_username, wallet_address, and airdrop tier Fixes Algora bounty Scottcjn#73 (Scottcjn/Rustchain)
- GET /api/agents: exposes all relay agents with pubkeys and coinbase addresses - GET /api/agent/<agent_id>: exposes single agent details - GET /api/contracts: exposes all beacon contracts and agent IDs - GET /api/bounties: exposes all beacon bounties with reward amounts - GET /api/reputation: exposes all agent scores and RTC earnings - GET /api/reputation/<agent_id>: exposes single agent reputation Fixes Algora bounty Scottcjn#73 (Scottcjn/Rustchain)
9 unauthenticated GET endpoints exposed miner_id, hardware fingerprints, rust scores, and attestation counts: - /hall/machine/<fingerprint>, /hall/leaderboard, /hall/stats - /hall/random_fact, /hall/machine_of_the_day, /hall/fleet_breakdown - /hall/timeline, /api/hall_of_fame/leaderboard, /api/hall_of_fame/machine Fixes Algora bounty Scottcjn#73 (Scottcjn/Rustchain)
Governance (governance.py): - GET /api/governance/proposals: exposes all proposals, votes, miner activity - GET /api/governance/proposal/<id>: exposes proposal details, voter identities - GET /api/governance/results/<id>: exposes vote tallies, quorum, active miner count - GET /api/governance/stats: exposes governance participation, voter counts Coalition (coalition.py): - GET /api/coalition/list: exposes all coalitions, member counts, treasury - GET /api/coalition/<id>: exposes coalition details, member miner_ids, treasury - GET /api/coalition/<id>/proposals: exposes coalition proposals, voting status - GET /api/coalition/stats: exposes coalition participation stats, treasury totals Fixes Algora bounty Scottcjn#73 (Scottcjn/Rustchain)
- GET /api/agents/<agent_id>/wallet: exposes coinbase_address for any beacon agent Fixes Algora bounty Scottcjn#73 (Scottcjn/Rustchain)
github-actions
Bot
added
BCOS-L1
Thanhdn1984
left a comment
Thanhdn1984
left a comment
There was a problem hiding this comment.
Reviewed for bounty #73.
I would not approve this as-is yet. The PR body says it protects only GET /api/agents/<agent_id>/wallet, but the diff touches many unrelated modules/endpoints (airdrop_v2.py, beacon_api.py, coalition.py, governance.py, hall_of_rust.py, rewards_implementation_rip200.py, etc.). That makes the change hard to audit and creates overlap with other security-fix PRs.
Concrete concerns:
- Scope mismatch: unrelated auth helpers/endpoint changes bundled with one wallet endpoint fix.
- Admin key naming is inconsistent across files (
ADMIN_KEY,RC_ADMIN_KEY, possiblyRUSTCHAIN_ADMIN_KEY), which can silently break deployments if the runtime only sets one env var. - No tests or minimal repro proving unauthenticated wallet GET returns 401 and authenticated request still works.
Suggested path: split this into one focused PR for beacon_x402.py, reuse the project’s existing admin-auth helper/env var consistently, and add a small regression test or curl repro for missing vs valid admin key.
shadow88sky
left a comment
shadow88sky
left a comment
There was a problem hiding this comment.
Reviewed node/beacon_x402.py and the broader bundled auth changes in this PR.
Two concrete blockers I found:
-
The new GET
/api/agents/<agent_id>/walletauth path usesRC_ADMIN_KEY, but this module’s existing admin wallet POST tests/config useBEACON_ADMIN_KEY. In a deployment that only sets the beacon-specific key, POST/api/agents/<id>/walletcan still authenticate while GET now fails closed with “RC_ADMIN_KEY not configured”. That is a behavior/config split inside the same wallet surface rather than a consistent auth policy. -
The new GET error branches return nested response tuples:
_cors_json(...)already returns(response, status), but the patch doesreturn _cors_json({...}), 503andreturn _cors_json({...}), 401. Flask treats that as((Response, status), status)and raisesTypeErrorinstead of returning the intended JSON error. I hit the same tuple-shape problem while running the focused wallet tests on this branch.
Validation I ran:
.venv/bin/python -m py_compile node/beacon_x402.py node/rewards_implementation_rip200.py node/sophia_attestation_inspector.py node/airdrop_v2.py node/beacon_api.py node/hall_of_rust.py node/coalition.py node/governance.py-> passedgit diff --check origin/main...HEAD-> passedPYTEST_DISABLE_PLUGIN_AUTOLOAD=1 .venv/bin/python -m pytest tests/test_beacon_x402_wallet.py tests/test_rustchain_x402_wallet.py -q-> 1 failed, 9 passed
The failing test is tests/test_beacon_x402_wallet.py::test_get_agent_wallet_returns_relay_wallet; it now crashes in Flask response construction because of the nested tuple return shape noted above. Suggested fix: keep auth/env-var selection consistent with the existing beacon wallet admin path and return _cors_json({...}, 503) / _cors_json({...}, 401) directly.
…ll suite green Completes the CI repair (all 31 main pytest failures now fixed): - governance (4): /governance/vote @admin_required (#6719) -> auth; propose now requires signed proposer auth before balance check -> sign + patch verify - otc confirm (1): test mock's .json() returned a MagicMock -> serializable dict - beacon_atlas (6): /api/contracts,/api/reputation,... admin-gated (#6322-era) -> set RC_ADMIN_KEY + inject X-Admin-Key via a test-client wrapper All intended hardening with lagging tests, not regressions. 166 passed across the 9 previously-failing files.
* test(ci): fix 21 stale tests + add httpx dep — match merged hardening main's pytest job was red (31 failed). These are tests lagging behind intentionally-merged hardening PRs, not product regressions: - tx-redaction (5): /tx/*,/wallet/* GETs admin-gated (#6295) — send X-Admin-Key - gpu (3): /gpu/nodes admin-gated (#6557) — send X-Admin-Key - bridge (8): RTC addr now RTC+40hex (#5435) stale fixtures; lock GETs admin-gated — auth - signed_transfer (2): httpx test dep missing; /pending/confirm redacts to internal_error (#3202/#5546) - proxy (1): proxy forwards headers= now — mock accepts it - monitor (2): removed a bad-merge duplicate normalize_miners_payload; print_miners guards non-list Verified: 130 passed across the 6 touched test files. Remaining (separate follow-up, also stale-test not regression): governance (4, #6719 admin-gated vote + propose wallet-format) and otc confirm (1, mock serialization). * test(ci): fix remaining 11 stale tests (governance, otc, beacon) — full suite green Completes the CI repair (all 31 main pytest failures now fixed): - governance (4): /governance/vote @admin_required (#6719) -> auth; propose now requires signed proposer auth before balance check -> sign + patch verify - otc confirm (1): test mock's .json() returned a MagicMock -> serializable dict - beacon_atlas (6): /api/contracts,/api/reputation,... admin-gated (#6322-era) -> set RC_ADMIN_KEY + inject X-Admin-Key via a test-client wrapper All intended hardening with lagging tests, not regressions. 166 passed across the 9 previously-failing files. * test(ci): scope RC_ADMIN_KEY via monkeypatch — fix env leak into wallet_review The redaction tests set os.environ["RC_ADMIN_KEY"] directly (no restore), leaking into later test files (test_wallet_review_holds ran after and saw a configured admin key -> 2 spurious failures). Use an autouse monkeypatch fixture (auto-restored) instead. No behavior change to the redaction tests. --------- Co-authored-by: Scott Boudreaux <scottbphone12@gmail.com>
5 participants
Summary
Fixed 1 unauthenticated GET endpoint in
beacon_x402.pythat exposed beacon agent wallet information.Vulnerability Fixed
GET /api/agents/<agent_id>/walletFix
Added
X-Admin-Keyheader validation usinghmac.compare_digestwithRC_ADMIN_KEYenv var. Returns401 Unauthorizedfor invalid/missing keys.Bounty