Skip to content

docs(api): mark SystemFeatureApi as unauthenticated by design #31417

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
QuantumGhost merged 1 commit into from
Jan 22, 2026
Merged

docs(api): mark SystemFeatureApi as unauthenticated by design #31417

QuantumGhost merged 1 commit into from
Jan 22, 2026

Conversation

@QuantumGhost
Copy link
Collaborator

@QuantumGhost QuantumGhost commented Jan 22, 2026
edited
Loading

The /console/api/system-features is required for the dashboard initialization. Authentication would create circular dependency (can't login without dashboard loading).

ref: CVE-2025-63387

Related: #31368

Screenshots

N/A

Checklist

  • This change requires a documentation update, included: Dify Document
  • I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
  • I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • I've updated the documentation accordingly.
  • I ran make lint and make type-check (backend) and cd web && npx lint-staged (frontend) to appease the lint gods

@QuantumGhost QuantumGhost marked this pull request as ready for review January 22, 2026 14:19
@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. 📚 documentation Improvements or additions to documentation labels Jan 22, 2026
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Jan 22, 2026
@QuantumGhost
docs(api): mark SystemFeatureApi as unauthenticated by design
6beb112 
The `/console/api/system-features` is required for the dashboard
initialization. Authentication would create circular dependency
(can't login without dashboard loading).

ref CVE-2025-63387.
@QuantumGhost QuantumGhost force-pushed the chore/mark-system-feature-unauthenticated-by-design branch from d3645a1 to 6beb112 Compare January 22, 2026 14:27
@QuantumGhost QuantumGhost merged commit 61f8647 into langgenius:main Jan 22, 2026
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fatelei fatelei fatelei approved these changes

@lyzno1 lyzno1 lyzno1 approved these changes

@GarfieldDai GarfieldDai Awaiting requested review from GarfieldDai GarfieldDai is a code owner

@GareArc GareArc Awaiting requested review from GareArc GareArc is a code owner

Assignees

No one assigned

Labels

📚 documentation Improvements or additions to documentation lgtm This PR has been approved by a maintainer size:S This PR changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@QuantumGhost @fatelei @lyzno1