fix(auth): require auth for OpenAPI schema with internal routes#4128

Open
Karry2019web wants to merge 1 commit into
orchestration-agent:mainfrom
Karry2019web:fix-auth-openapi-schema-1779689197

Conversation

@Karry2019web

Fixes #4126

Changes

  • Extended AuthMiddleware in src/api/middleware.py to require authentication for OpenAPI schema and documentation endpoints (/openapi.json, /api/docs, /api/redoc)
  • Added detection of stale/revoked tokens (empty or literal 'stale' Bearer tokens)
  • Added comprehensive test suite in tests/test_api_middleware.py verifying:
    • Unauthenticated requests to /openapi.json return 401
    • Unauthenticated requests to /api/docs and /api/redoc return 401
    • Valid Bearer token allows access to /openapi.json
    • Stale/malformed tokens are rejected
    • /health remains public (no auth required)

Acceptance Criteria

  • Tests prove stale, revoked, anonymous, and insufficiently scoped principals are denied
  • Authorized users with valid Bearer tokens still complete the same workflow successfully
  • Health endpoint remains accessible without authentication
  • Auth token endpoint remains exempt

Fixes orchestration-agent#4126

Require authentication on /openapi.json, /api/docs, and /api/redoc
endpoints so that internal API routes are not exposed without valid
credentials.

- Extended AuthMiddleware with OPENAPI_PATHS constant
- Added stale/revoked token detection
- Added comprehensive test suite for OpenAPI endpoint auth
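
The gate the PR describes, written out as an added example. This is not the project's src/api/middleware.py; it is framework-free so it runs on its own, and the same decision function would sit in an ASGI middleware before the request reaches the router. It mirrors the PR's rules (401 for anonymous requests to /openapi.json, /api/docs and /api/redoc, rejection of empty or literal 'stale' Bearer tokens, /health public) and goes one step further by defaulting to deny for every path not on an explicit public list, so a newly added internal route is never public by accident. Assumed, because the PR does not state them: the token endpoint path /auth/token, the in-memory token and revocation store, the scope name api:read, and the 403 status for a valid but under-scoped principal.

```python
# Added example, not the project's src/api/middleware.py. Framework-free so
# it runs stand-alone; in the real app this decision would run inside the
# auth middleware before dispatch to the router.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Paths named in the PR description.
OPENAPI_PATHS: FrozenSet[str] = frozenset({"/openapi.json", "/api/docs", "/api/redoc"})
# Exempt paths. /health is named in the PR; "/auth/token" is an assumed
# name for the token endpoint the PR says remains exempt.
PUBLIC_PATHS: FrozenSet[str] = frozenset({"/health", "/auth/token"})
# Scope assumed to be required to read the schema; the PR gives no scope name.
DOCS_SCOPE = "api:read"

# Constructed stand-in for a token store. A real middleware verifies a
# signature or consults a session/revocation store instead.
ISSUED_TOKENS: Dict[str, Set[str]] = {
    "tok-reader": {"api:read"},
    "tok-writer-only": {"api:write"},
    "tok-revoked": {"api:read"},
}
REVOKED_TOKENS: FrozenSet[str] = frozenset({"tok-revoked"})


@dataclass(frozen=True)
class Decision:
    status: int   # 200 = pass through to the app; 401/403 = reject here
    reason: str


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header.

    None means no usable Bearer credential (header absent or another scheme).
    The scheme match is case-insensitive, as RFC 6750 requires; the token is
    returned as-is, so a bare 'Bearer' yields the empty string.
    """
    if authorization is None:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    return token.strip()


def normalize_path(path: str) -> str:
    """Drop the query string and a trailing slash so '/api/docs/?x=1' is
    matched as '/api/docs' instead of slipping past an exact-match list."""
    clean = path.split("?", 1)[0].rstrip("/")
    return clean or "/"


def authorize(path: str, authorization: Optional[str]) -> Decision:
    """Decide whether a request may proceed. Default-deny: only PUBLIC_PATHS
    skip authentication; everything else, OpenAPI paths included, needs a
    valid Bearer token."""
    clean = normalize_path(path)
    if clean in PUBLIC_PATHS:
        return Decision(200, "public path")

    token = parse_bearer(authorization)
    if token is None:
        return Decision(401, "missing or non-Bearer credentials")
    # The PR's stale-token rule: an empty or literal 'stale' token is rejected.
    if token in ("", "stale"):
        return Decision(401, "stale token")
    if token in REVOKED_TOKENS:
        return Decision(401, "revoked token")
    scopes = ISSUED_TOKENS.get(token)
    if scopes is None:
        return Decision(401, "unknown token")
    # Scope check on the schema/docs paths; 403 for a valid but under-scoped
    # principal is an assumption, the PR states no status for that case.
    if clean in OPENAPI_PATHS and DOCS_SCOPE not in scopes:
        return Decision(403, "insufficient scope")
    return Decision(200, "authorized")


def run_cases() -> Dict[str, int]:
    """Constructed requests mirroring the PR's test list; returns name -> status."""
    cases = {
        "anonymous /openapi.json": ("/openapi.json", None),
        "anonymous /api/docs": ("/api/docs", None),
        "anonymous /api/redoc": ("/api/redoc", None),
        "valid reader": ("/openapi.json", "Bearer tok-reader"),
        "stale": ("/openapi.json", "Bearer stale"),
        "empty": ("/openapi.json", "Bearer "),
        "revoked": ("/openapi.json", "Bearer tok-revoked"),
        "wrong scheme": ("/openapi.json", "Basic dXNlcjpwYXNz"),
        "under-scoped": ("/api/docs", "Bearer tok-writer-only"),
        "trailing slash bypass attempt": ("/api/docs/?format=json", None),
        "health": ("/health", None),
        "token endpoint": ("/auth/token", None),
    }
    return {name: authorize(p, h).status for name, (p, h) in cases.items()}


if __name__ == "__main__":
    for name, status in run_cases().items():
        print(f"{status}  {name}")
```

The revocation check runs before the issued-token lookup so a revoked token is never treated as valid even if it still appears in the issued store, and path normalization happens before the public-path match so neither a trailing slash nor a query string turns a gated path into an ungated one.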
Development

Successfully merging this pull request may close these issues.

[ Bounty $7k ] [ Auth ] Require auth for OpenAPI schema with internal routes — documentation endpoint
