Security: Auth bypass when SECRET_TOKEN env var is unset #566

@gkorland

Description

In api/index.py, the verify_token function allows authentication bypass when SECRET_TOKEN is not configured:

SECRET_TOKEN = os.getenv('SECRET_TOKEN')
def verify_token(token):
    if token is not None and token.startswith("Bearer "):
        token = token[len("Bearer "):]
    return token == SECRET_TOKEN or (token is None and SECRET_TOKEN is None)

When SECRET_TOKEN env var is missing, both token (no Authorization header) and SECRET_TOKEN are None, so verify_token returns True — silently disabling authentication.

Impact

Any unauthenticated request to protected endpoints succeeds when the server is started without SECRET_TOKEN set.

Suggested Fix

The server should either:

  1. Refuse to start if SECRET_TOKEN is not configured, or
  2. Deny all requests when the secret is missing (fail-closed).

SECRET_TOKEN = os.getenv('SECRET_TOKEN')
if SECRET_TOKEN is None:
    raise RuntimeError('SECRET_TOKEN environment variable must be set')

Context

Found during code review of PR #522.
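
Added example, not part of the issue or the project's code: the check quoted above next to a fail-closed variant (option 2) and a startup guard (option 1). The function names, the `secret` and `environ` parameters, the empty-string handling and the constant-time comparison are assumptions made here so the logic can be exercised without touching the real environment.

```python
import hmac
from typing import Mapping, Optional

BEARER = "Bearer "


def verify_token_vulnerable(token: Optional[str], secret: Optional[str]) -> bool:
    """Logic quoted in the issue, with the secret passed in as a parameter."""
    if token is not None and token.startswith(BEARER):
        token = token[len(BEARER):]
    # No header (None) and no configured secret (None) compare equal -> bypass.
    return token == secret or (token is None and secret is None)


def verify_token_fail_closed(token: Optional[str], secret: Optional[str]) -> bool:
    """Option 2: deny every request when the secret is missing."""
    if not secret:
        # None or "" means "not configured": never authenticate anything.
        return False
    if token is None:
        return False
    if token.startswith(BEARER):
        token = token[len(BEARER):]
    # Constant-time comparison; a hardening step added in this example.
    return hmac.compare_digest(token.encode(), secret.encode())


def load_secret(environ: Mapping[str, str]) -> str:
    """Option 1: refuse to start when SECRET_TOKEN is unset or empty."""
    secret = environ.get("SECRET_TOKEN")
    if not secret:
        raise RuntimeError("SECRET_TOKEN environment variable must be set")
    return secret


if __name__ == "__main__":
    # Constructed inputs: (Authorization header value, configured secret).
    cases = [(None, None), ("Bearer ", ""), ("Bearer abc", "abc"), ("Bearer x", "abc")]
    for header, secret in cases:
        print(repr(header), repr(secret),
              "vulnerable:", verify_token_vulnerable(header, secret),
              "fail-closed:", verify_token_fail_closed(header, secret))
```
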
