Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 12 additions & 1 deletion tools/server/server-http.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -151,11 +151,22 @@ bool server_http_context::init(const common_params & params) {
return true;
}

// If path is public or is static file, skip validation
// If path is public, skip validation
if (public_endpoints.find(req.path) != public_endpoints.end() || req.path == "/") {
return true;
}

// Skip validation for web UI static assets (they don't require API key)
{
static const std::unordered_set<std::string> static_assets = {
"/bundle.js", "/bundle.css", "/index.html",
Comment thread
allozaur marked this conversation as resolved.
Outdated
};

if (static_assets.find(req.path) != static_assets.end()) {
return true;
}
}

// Check for API key in the Authorization header
std::string req_api_key = req.get_header_value("Authorization");
if (req_api_key.empty()) {
Expand Down
10 changes: 10 additions & 0 deletions tools/server/tests/unit/test_security.py
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,16 @@ def test_access_public_endpoint(endpoint: str):
assert "error" not in res.body


@pytest.mark.parametrize("endpoint", ["/", "/bundle.js", "/bundle.css"])
def test_access_static_assets_without_api_key(endpoint: str):
"""Static web UI assets should not require API key authentication (issue #21229)"""
global server
server.start()
res = server.make_request("GET", endpoint)
assert res.status_code == 200
assert "error" not in res.body
Comment thread
allozaur marked this conversation as resolved.
Outdated


@pytest.mark.parametrize("api_key", [None, "invalid-key"])
def test_incorrect_api_key(api_key: str):
global server
Expand Down
Loading