fix(security): require dashboard auth for plugin API routes

Remove the blanket /api/plugins/* exemption from auth_middleware so
plugin API routes (e.g. Kanban dashboard) require the same session
token as all other /api/ endpoints.

Fixes #19533
liuhao1024 2026-05-04 14:02:04 +08:00 committed by Teknium
parent 7312f7f849
commit ec9329ec41
2 changed files with 44 additions and 1 deletions


@ -225,7 +225,7 @@ async def host_header_middleware(request: Request, call_next):
async def auth_middleware(request: Request, call_next):
"""Require the session token on all /api/ routes except the public list."""
path = request.url.path
if path.startswith("/api/") and path not in _PUBLIC_API_PATHS and not path.startswith("/api/plugins/"):
if path.startswith("/api/") and path not in _PUBLIC_API_PATHS:
if not _has_valid_session_token(request):
return JSONResponse(
status_code=401,
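Review bot: The new condition closes the gap only for plugin routes that actually live under `/api/`: the middleware gates on the `/api/` prefix plus an exact-match allowlist in `_PUBLIC_API_PATHS`, so a plugin endpoint mounted under any other prefix (or a WebSocket route) would still bypass this check, and nothing in the hunk shows where plugin routers are mounted. Worth confirming that the plugin router is only ever mounted under `/api/plugins/`, and pinning the new behaviour with a request test that expects 401 from an unauthenticated `/api/plugins/...` call — the additions in the second changed file may already be that test. A short comment on the condition would keep the blanket exemption from creeping back, e.g. `# Plugin routes are deliberately not exempted: they expose the same dashboard data as the rest of /api/ (see #19533).`. auth_middleware starts in this hunk but its body continues past the end of it.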