From 5ede1f6a973f87eea63d5b57dbbb0814b1e7557f Mon Sep 17 00:00:00 2001
From: rcourtman
Date: Wed, 4 Feb 2026 15:48:06 +0000
Subject: [PATCH] Harden apply-restart auth for proxy/OIDC
---
 internal/api/router.go | 5 ++++-
 internal/api/security_regression_test.go | 1 -
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/internal/api/router.go b/internal/api/router.go
index a104c4841..06d9f768c 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -798,7 +798,10 @@ func (r *Router) setupRoutes() {
 if req.Method == http.MethodPost {
 // SECURITY: Require authentication - this endpoint can trigger service restart (DoS risk)
 // Allow if: (1) auth is not configured yet (initial setup), or (2) caller is admin-authenticated
- authConfigured := r.config.AuthUser != "" && r.config.AuthPass != "" || r.config.HasAPITokens()
+ authConfigured := (r.config.AuthUser != "" && r.config.AuthPass != "") ||
+ r.config.HasAPITokens() ||
+ r.config.ProxyAuthSecret != "" ||
+ (r.config.OIDC != nil && r.config.OIDC.Enabled)
 if authConfigured {
 if !CheckAuth(r.config, w, req) {
 log.Warn().
diff --git a/internal/api/security_regression_test.go b/internal/api/security_regression_test.go
index 17231400b..78e01d47f 100644
--- a/internal/api/security_regression_test.go
+++ b/internal/api/security_regression_test.go
@@ -1965,7 +1965,6 @@ func TestProxyAuthNonAdminDeniedAdminEndpoints(t *testing.T) {
 {method: http.MethodDelete, path: "/api/agents/kubernetes/clusters/cluster-1", body: ``},
 {method: http.MethodPost, path: "/api/agents/host/link", body: `{}`},
 {method: http.MethodPost, path: "/api/agents/host/unlink", body: `{}`},
- {method: http.MethodDelete, path: "/api/agents/host/agent-1", body: ``},
 {method: http.MethodGet, path: "/api/admin/profiles/", body: ""},
 {method: http.MethodPost, path: "/api/agent-install-command", body: `{}`},
 {method: http.MethodPost, path: "/api/setup-script-url", body: `{}`},
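Review bot: The `authConfigured` expression in the router.go hunk is a hand-kept list of auth mechanisms, and this POST branch skips authentication whenever the list misses one, so the gap closed here for proxy auth and OIDC can reopen with the next mechanism added. I would compute the predicate in one place shared by every "is auth set up yet" gate, and until then put `// Must list every mechanism CheckAuth accepts; a missing entry leaves restart unauthenticated.` above the assignment. The existing comment promises an admin-authenticated caller while the visible lines only call `CheckAuth`; the branch continues past the end of the hunk, so please confirm an admin check follows, since the test named in the second file shows proxy-authenticated callers can be non-admin. The commit also adds no regression case for this endpoint with only `ProxyAuthSecret` or only OIDC configured, and its single test change drops the `DELETE /api/agents/host/agent-1` row from `TestProxyAuthNonAdminDeniedAdminEndpoints` without a reason in the message.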