Summary
The Admin API running on port 9001 has no authentication mechanism. It relies entirely on network isolation (not being exposed externally) for security.
Affected Files
- api/admin.py - entire file has no auth checks
- cli/vlog - connects to admin API without credentials
Current Behavior
- Anyone who can reach port 9001 can:
  - Upload arbitrary videos
  - Delete any video
  - Create/delete categories
  - View all analytics data
Risk
If the admin port is accidentally exposed (misconfigured firewall, reverse proxy, etc.), the system is completely compromised.
Recommended Fix
Implement at minimum:
- API Key authentication - Simple bearer token in Authorization header
- Basic Auth - Username/password for the admin endpoints
- Session-based auth - For the admin web UI
Consider using FastAPI's security utilities:
import os
import secrets
from fastapi import Depends, FastAPI, HTTPException
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials

app = FastAPI()
security = HTTPBearer()  # rejects requests with a missing or malformed "Authorization: Bearer ..." header
@app.post("/api/videos")
async def upload_video(credentials: HTTPAuthorizationCredentials = Depends(security)):
    expected = os.environ.get("ADMIN_API_KEY", "")  # an unset key fails closed instead of accepting everything
    if not expected or not secrets.compare_digest(credentials.credentials, expected):  # constant-time compare
        raise HTTPException(status_code=401, detail="Invalid API key")
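Since the issue is that the whole of api/admin.py is unprotected, a per-endpoint check is easy to forget on one route. The following is an added example (not the project's code) that puts the bearer-key check on an APIRouter so every admin route inherits it, and keeps the check itself as a pure function that can be unit-tested without starting the server; the route names and ADMIN_API_KEY variable are assumptions.

```python
"""Router-wide bearer-key check for the admin API (added example, not the project's code)."""
import os
import secrets
from typing import Optional


def authorize(authorization: Optional[str], expected_key: str) -> Optional[str]:
    """Return None if the Authorization header carries the admin key, else a rejection reason."""
    if not expected_key:
        # An unset ADMIN_API_KEY must fail closed, never "no key configured, allow all".
        return "admin key not configured"
    if not authorization:
        return "missing Authorization header"
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return "expected 'Authorization: Bearer <key>'"
    # Constant-time comparison so response timing does not leak how many bytes matched.
    if not secrets.compare_digest(token.encode(), expected_key.encode()):
        return "invalid API key"
    return None


def build_admin_router():
    """Hypothetical wiring: one dependency on the router guards every route in api/admin.py."""
    from fastapi import APIRouter, Depends, HTTPException, Request

    def require_admin_key(request: Request) -> None:
        reason = authorize(request.headers.get("authorization"),
                           os.environ.get("ADMIN_API_KEY", ""))
        if reason is not None:
            raise HTTPException(status_code=401, detail=reason,
                                headers={"WWW-Authenticate": "Bearer"})

    # Every route added to this router inherits the check; there is no per-endpoint decorator to forget.
    router = APIRouter(prefix="/api", dependencies=[Depends(require_admin_key)])

    @router.post("/videos")
    async def upload_video():
        return {"status": "uploaded"}

    @router.delete("/videos/{video_id}")
    async def delete_video(video_id: str):
        return {"deleted": video_id}

    return router
```

The same header format (`Authorization: Bearer <key>`) is what cli/vlog would need to send, reading the key from the environment rather than from a flag that ends up in shell history.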