mirrors/hermes-agent
1
0
Fork 0
mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-06-05 07:41:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

feat(dashboard): add should_require_auth predicate for OAuth gate

Browse source 
Phase 0, Task 0.2. Single source of truth for 'is the auth gate active?'.
Reuses the existing _LOOPBACK_HOST_VALUES frozenset so this stays in sync
with the DNS-rebinding host-header check. RFC1918/CGNAT/link-local are
treated as public — exact threat model the gate exists for.
This commit is contained in:
Ben 2026-05-21 15:01:54 +10:00 committed by Teknium
parent f2b479e7a2
commit 8773bbf186
2 changed files with 38 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

16
hermes_cli/web_server.py
View file

@ -160,6 +160,22 @@ _LOOPBACK_HOST_VALUES: frozenset = frozenset({
})
def should_require_auth(host: str, allow_public: bool) -> bool:
"""Return True iff the dashboard OAuth auth gate must be active.
Truth table:
host == loopback False (no auth)
host != loopback AND allow_public (--insecure) False (legacy escape hatch)
host != loopback AND NOT allow_public True (gate engages)
"Loopback" matches the same set used by ``--insecure`` enforcement in
``start_server``: 127.0.0.1, localhost, ::1. RFC1918 / CGNAT / link-local
are deliberately treated as PUBLIC a hostile device on the same LAN is
exactly the threat model the gate is designed for.
"""
return (host not in _LOOPBACK_HOST_VALUES) and (not allow_public)
def _is_accepted_host(host_header: str, bound_host: str) -> bool:
"""True if the Host header targets the interface we bound to.