Mark account routes as internal and include in schema #12264
RayBB merged 2 commits into internetarchive:master from
Conversation
Pull request overview
Marks three FastAPI account debugging/auth test routes as “internal” and conditionally includes them in the OpenAPI schema based on a local-dev environment flag.
Changes:
- Adds a SHOW_INTERNAL_IN_SCHEMA flag derived from LOCAL_DEV.
- Tags /account/test.json, /account/protected.json, and /account/optional.json as internal.
- Hides those endpoints from the OpenAPI schema unless running in local dev.
| router = APIRouter() | ||
| SHOW_INTERNAL_IN_SCHEMA = os.getenv("LOCAL_DEV") is not None |
SHOW_INTERNAL_IN_SCHEMA = os.getenv("LOCAL_DEV") is not None treats LOCAL_DEV=false (or any non-empty value) as enabled, which diverges from the rest of the FastAPI app where LOCAL_DEV is parsed as a boolean string (e.g., openlibrary/asgi_app.py:164 checks == "true"). This can unintentionally expose internal endpoints in the OpenAPI schema in environments that set LOCAL_DEV to a falsey string. Consider normalizing this to the same boolean parsing logic used elsewhere (e.g., .get(...).lower() == "true").
| SHOW_INTERNAL_IN_SCHEMA = os.getenv("LOCAL_DEV") is not None | |
| SHOW_INTERNAL_IN_SCHEMA = os.environ.get("LOCAL_DEV", "false").lower() == "true" |
| # TODO: Delete this before merging, it's just for local testing for now. | ||
| @router.get("/account/test.json", response_model=AuthTestResponse) | ||
| @router.get("/account/test.json", response_model=AuthTestResponse, tags=["internal"], include_in_schema=SHOW_INTERNAL_IN_SCHEMA) |
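Review bot: this hunk drops the "# TODO: Delete this before merging, it's just for local testing for now." comment but keeps the route, so the only marker that /account/test.json is a temporary debugging endpoint disappears while the endpoint becomes permanent. Add a comment on the handler saying it is internal/debug-only and why it is retained, because include_in_schema=SHOW_INTERNAL_IN_SCHEMA only removes it from the generated OpenAPI document; the route is still registered and served in every environment.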
/account/test.json returns the raw session cookie value (and parsed components) back to the client. Since the session cookie is set HttpOnly, echoing it via an API endpoint defeats that protection and makes session exfiltration easier if any same-origin XSS occurs. If this endpoint is intended only for local debugging, consider disabling the route entirely outside local dev (not just hiding it from the schema), or at minimum remove/guard the fields that expose cookie contents in non-local environments.
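The two review points above (LOCAL_DEV parsed as "is set" rather than as a boolean string, and schema hiding not being an access control) side by side, as an added example that is not code from the pull request or from Open Library: the flag as first written beside the normalized form, a shared-kwargs helper, and a guard that refuses debug-only routes outside local dev. The helper names internal_route_kwargs, require_local_dev and NotFound are assumptions; the FastAPI wiring (passing the guard via Depends and mapping NotFound to a 404) is left out so the block runs without the framework.

```python
import os


def local_dev_enabled_naive(environ=None) -> bool:
    """The flag as first written in the PR: any set value counts,
    so LOCAL_DEV=false still marks local dev as enabled."""
    env = os.environ if environ is None else environ
    return env.get("LOCAL_DEV") is not None


def local_dev_enabled(environ=None) -> bool:
    """Normalized form matching the boolean-string parsing used
    elsewhere in the app: only "true" (any case) enables it; unset,
    empty and "false" all disable it."""
    env = os.environ if environ is None else environ
    return env.get("LOCAL_DEV", "false").strip().lower() == "true"


def internal_route_kwargs(environ=None) -> dict:
    """Hypothetical shared decorator kwargs for internal routes, so the
    tag and the schema visibility are defined in one place:
    @router.get(path, **internal_route_kwargs())"""
    return {"tags": ["internal"], "include_in_schema": local_dev_enabled(environ)}


class NotFound(Exception):
    """Hypothetical stand-in for an HTTP 404 response."""


def require_local_dev(environ=None) -> None:
    """Guard for debug-only routes. Hiding a route from the OpenAPI
    schema does not stop requests reaching it, so refuse them outside
    local dev; usable as a plain callable dependency."""
    if not local_dev_enabled(environ):
        raise NotFound("debug-only route is disabled outside local dev")


def guard_allows(environ) -> bool:
    """True if require_local_dev would let a request through."""
    try:
        require_local_dev(environ)
    except NotFound:
        return False
    return True


if __name__ == "__main__":
    # Constructed environments showing where the naive parse diverges.
    for env in ({}, {"LOCAL_DEV": "false"}, {"LOCAL_DEV": "True"}):
        print(env, local_dev_enabled_naive(env), local_dev_enabled(env), guard_allows(env))
```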
| @router.get("/account/test.json", response_model=AuthTestResponse, tags=["internal"], include_in_schema=SHOW_INTERNAL_IN_SCHEMA) | ||
| async def check_authentication( |
These three internal endpoints repeat the same tags=["internal"], include_in_schema=SHOW_INTERNAL_IN_SCHEMA kwargs. To reduce duplication and keep future changes consistent, consider factoring these into a shared constant (e.g., INTERNAL_ROUTE_KWARGS = {...}) or a small helper so the configuration only lives in one place.
RayBB
left a comment
Please remove the infogami changes. I know they sneak in there at weird times.
running make git would probably fix it and then you can commit that.
Other than that it looks pretty good for me!
Thanks!
Fixed
Closes #
Mark 3 routes in fastapi accounts as internal
Technical
Testing
Screenshot
Stakeholders
@RayBB