Security: Dev-mode admin auth fallback disables all authentication #76

New issue

Open

opened 2026-05-11 13:48:49 +00:00 by thabeta · 0 comments

thabeta commented

2026-05-11 13:48:49 +00:00

Owner

Severity: High

Location

crates/hero_aibroker_lib/src/middleware/admin_auth.rs

Finding

When no admin token and no JWT secret are configured, the middleware defaults to allowing all requests:

pub async fn admin_auth(...) -> Result<(), StatusCode> {
    let auth = state.admin_auth.read();
    match &*auth {
        AdminAuth::Token(token) => { ... }
        AdminAuth::Jwt { secret, .. } => { ... }
        AdminAuth::None => Ok(()), // DEV MODE: open auth
    }
}

Attack Scenario

Deployment without ADMIN_TOKEN or HERO_SECRET results in zero admin auth
All admin RPC methods (billing, key management, server control) are publicly accessible
No warning or log entry when running in open mode

Recommendation

Fail-closed: reject admin requests when no auth is configured
Emit a prominent startup warning when running without admin auth
Add a config flag allow_dev_mode = true for explicit opt-in

## Severity: High ## Location `crates/hero_aibroker_lib/src/middleware/admin_auth.rs` ## Finding When no admin token and no JWT secret are configured, the middleware defaults to allowing all requests: ```rust pub async fn admin_auth(...) -> Result<(), StatusCode> { let auth = state.admin_auth.read(); match &*auth { AdminAuth::Token(token) => { ... } AdminAuth::Jwt { secret, .. } => { ... } AdminAuth::None => Ok(()), // DEV MODE: open auth } } ``` ## Attack Scenario - Deployment without `ADMIN_TOKEN` or `HERO_SECRET` results in zero admin auth - All admin RPC methods (billing, key management, server control) are publicly accessible - No warning or log entry when running in open mode ## Recommendation - Fail-closed: reject admin requests when no auth is configured - Emit a prominent startup warning when running without admin auth - Add a config flag `allow_dev_mode = true` for explicit opt-in