imbajin commented on code in PR #336:
URL: https://github.com/apache/incubator-hugegraph-computer/pull/336#discussion_r2422717301
##########
vermeer/apps/master/master_main.go:
##########
@@ -56,6 +56,7 @@ func Main() {
services.SetUI(sen)
logrus.Info("token-auth was activated")
default:
+ services.SetAdminRouters(sen, auth.NoneAuthFilter)
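Review bot: the added `services.SetAdminRouters(sen, auth.NoneAuthFilter)` in the `default:` branch registers the admin routes behind a no-op filter, so any deployment that is not started with token-auth (the branch visible just above, which logs "token-auth was activated") serves its admin endpoints to unauthenticated callers. Drop the call from this branch, or gate it on an explicit dev-mode flag that also binds to loopback and logs a warning, for example leaving `default:` with only `logrus.Warn("no authentication configured; admin routes disabled")`.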
Review Comment:
**Admin routes exposed without authentication**
Setting admin routes with `NoneAuthFilter` in the default case is a critical
security issue. Admin functionality should never be exposed without
authentication.
**Suggested fix:**
```go
default:
	// DO NOT expose admin routes without authentication
	// services.SetAdminRouters(sen, auth.NoneAuthFilter) // REMOVED
	services.SetRouters(sen, auth.NoneAuthFilter)
	logrus.Warn("No authentication was activated. ADMIN ROUTES DISABLED for security.")
	logrus.Warn("Please configure proper authentication to enable admin functionality.")
}
```
If admin routes must be available for development:
1. Add a separate dev-mode flag
2. Log prominent warnings
3. Bind only to localhost
4. Document security implications clearly
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
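The gating the review asks for, as an added, stand-alone Go example that is not part of the PR or of the Vermeer code base: `Config`, `Filter`, `tokenFilter`, `loopbackOnly` and `BuildHandler` are assumptions standing in for `services.SetAdminRouters` / `auth.NoneAuthFilter`. Admin routes are registered only behind a real token filter, or under an explicit dev flag that also restricts them to loopback callers and binds the listener to 127.0.0.1; the no-auth default registers no admin routes at all. `Probe` drives the handler in memory so the three configurations can be checked without opening a socket.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"os"
	"strings"
)

// Config is an assumed stand-in for the auth settings the PR's switch inspects.
type Config struct {
	AuthToken string // non-empty enables token-auth (the "token-auth was activated" branch)
	DevAdmin  bool   // explicit, off-by-default opt-in for unauthenticated admin routes
}

// Filter is a hypothetical stand-in for the auth filters the review discusses.
type Filter func(http.Handler) http.Handler

// tokenFilter rejects requests whose bearer token does not match the configured one.
func tokenFilter(token string) Filter {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
			// constant-time compare so response timing does not leak the token
			if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

// loopbackOnly is the dev-mode guard: admin requests must originate from a loopback address.
func loopbackOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host)
		if err != nil || ip == nil || !ip.IsLoopback() {
			http.Error(w, "admin routes are loopback-only in dev mode", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// BuildHandler mirrors the PR's switch. Admin routes are registered only behind a real
// filter, or under the explicit dev flag (then loopback-only and bound to 127.0.0.1).
// It returns the handler, the bind address, and whether admin routes were registered.
func BuildHandler(cfg Config) (http.Handler, string, bool) {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/status", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	admin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "admin ok")
	})
	bind := "0.0.0.0:8080"
	adminEnabled := false
	switch {
	case cfg.AuthToken != "":
		mux.Handle("/admin/", tokenFilter(cfg.AuthToken)(admin))
		adminEnabled = true
		log.Println("token-auth was activated; admin routes require a bearer token")
	case cfg.DevAdmin:
		mux.Handle("/admin/", loopbackOnly(admin))
		bind = "127.0.0.1:8080"
		adminEnabled = true
		log.Println("WARNING: dev-admin enabled with NO authentication; admin routes are loopback-only")
	default:
		// The fix the review asks for: never register admin routes with no auth filter.
		log.Println("WARNING: no authentication configured; admin routes are DISABLED")
	}
	return mux, bind, adminEnabled
}

// Probe sends one in-memory request (constructed, no socket) and returns the status code.
func Probe(h http.Handler, path, token, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.RemoteAddr = remoteAddr
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cfg := Config{AuthToken: os.Getenv("ADMIN_TOKEN"), DevAdmin: os.Getenv("DEV_ADMIN") == "1"}
	h, bind, _ := BuildHandler(cfg)
	log.Fatal(http.ListenAndServe(bind, h))
}
```

With no `ADMIN_TOKEN` and no `DEV_ADMIN=1`, `/admin/` is simply not routed (404), so the no-auth default cannot expose admin functionality by accident; the dev path has to be opted into and still refuses non-loopback callers even if the bind address were later widened.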