mirror of
https://github.com/pewdiepie-archdaemon/odysseus.git
synced 2026-06-16 01:35:36 -04:00
fix(security): fail closed in /api/models auth gate on unexpected errors (#3489)
GET /api/models swallowed any non-HTTPException raised while checking whether the caller is authenticated (bare except Exception: pass), so a broken auth_manager or an exception from get_current_user silently granted the full model list to an anonymous caller instead of rejecting the request. Now any unexpected exception logs and returns HTTP 500. Split out of #2360 per reviewer request to keep the deny-list and the auth-gate fix as separate, single-purpose PRs. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Giuseppe Castelluccio
committed by
GitHub
GitHub
parent
34a3f8637a
commit
095c74b985
@@ -1232,8 +1232,9 @@ def setup_model_routes(model_discovery):
|
||||
raise HTTPException(401, "Not authenticated")
|
||||
except HTTPException:
|
||||
raise
|
||||
except Exception:
|
||||
pass
|
||||
except Exception as e:
|
||||
logger.error('Auth gate error in GET /api/models, failing closed: %s', e)
|
||||
raise HTTPException(status_code=500, detail='Internal error')
|
||||
# Admins see every endpoint (they manage the global pool); regular
|
||||
# users get the owner-scoped view.
|
||||
_is_admin = False
|
||||
|
||||
Reference in New Issue
Block a user