Harden apply-restart auth for proxy/OIDC

This commit is contained in:
rcourtman
2026-02-04 15:48:06 +00:00
parent 0f2122ea85
commit 5ede1f6a97
2 changed files with 4 additions and 2 deletions


@@ -798,7 +798,10 @@ func (r *Router) setupRoutes() {
if req.Method == http.MethodPost {
// SECURITY: Require authentication - this endpoint can trigger service restart (DoS risk)
// Allow if: (1) auth is not configured yet (initial setup), or (2) caller is admin-authenticated
authConfigured := r.config.AuthUser != "" && r.config.AuthPass != "" || r.config.HasAPITokens()
authConfigured := (r.config.AuthUser != "" && r.config.AuthPass != "") ||
r.config.HasAPITokens() ||
r.config.ProxyAuthSecret != "" ||
(r.config.OIDC != nil && r.config.OIDC.Enabled)
if authConfigured {
if !CheckAuth(r.config, w, req) {
log.Warn().
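Review bot: The "is any auth mechanism configured" predicate is spelled out inline in the handler (the four-line disjunction replacing the old `authConfigured :=` line), and this commit itself shows the cost of that: the earlier version omitted the proxy secret and OIDC, so the endpoint fell open in exactly those deployments. Suggest moving the disjunction into one config-level helper (something like `func (c *Config) AuthConfigured() bool`) and calling it from here, so the next mechanism is added in a single place and the fail-open branch cannot silently drift out of date again. The comment above the predicate still says "(2) caller is admin-authenticated" while the code only calls `CheckAuth`; whether that enforces an admin role is not visible in this hunk, so either confirm it or reword the comment to `// Allow if: (1) no auth mechanism (password, API token, proxy secret, OIDC) is configured yet (initial setup), or (2) the request passes CheckAuth`. setupRoutes continues outside the hunk.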


@@ -1965,7 +1965,6 @@ func TestProxyAuthNonAdminDeniedAdminEndpoints(t *testing.T) {
{method: http.MethodDelete, path: "/api/agents/kubernetes/clusters/cluster-1", body: ``},
{method: http.MethodPost, path: "/api/agents/host/link", body: `{}`},
{method: http.MethodPost, path: "/api/agents/host/unlink", body: `{}`},
{method: http.MethodDelete, path: "/api/agents/host/agent-1", body: ``},
{method: http.MethodGet, path: "/api/admin/profiles/", body: ""},
{method: http.MethodPost, path: "/api/agent-install-command", body: `{}`},
{method: http.MethodPost, path: "/api/setup-script-url", body: `{}`},