
fix(backend): Avoid falling back to default user unless ENABLED_AUTH is set to False #8691

Merged
merged 4 commits into from
Nov 18, 2024

Conversation


@majdyz majdyz commented Nov 18, 2024

https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/autogpt_libs/autogpt_libs/auth/depends.py#L18-L20

This code falls back to the default admin user when the payload is empty, which is definitely not intentional.

Changes 🏗️

Refactor DEFAULT_USER_ID fallback logic into a single location, and add config check for fallback.

Checklist 📋

For code changes:

  • I have clearly listed my changes in the PR description
  • I have made a test plan
  • I have tested my changes according to the test plan:
    • ...
Example test plan
  • Create from scratch and execute an agent with at least 3 blocks
  • Import an agent from file upload, and confirm it executes correctly
  • Upload agent to marketplace
  • Import an agent from marketplace and confirm it executes correctly
  • Edit an agent from monitor, and confirm it executes correctly

For configuration changes:

  • .env.example is updated or already compatible with my changes
  • docker-compose.yml is updated or already compatible with my changes
  • I have included a list of my configuration changes in the PR description (under Changes)
Examples of configuration changes
  • Changing ports
  • Adding new services that need to communicate with each other
  • Secrets or environment variable changes
  • New or infrastructure changes such as databases

@majdyz majdyz requested a review from a team as a code owner November 18, 2024 12:25
@github-actions github-actions bot added the platform/backend AutoGPT Platform - Back end label Nov 18, 2024

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 Security concerns

Authentication bypass:
The code changes modify authentication logic to check ENABLE_AUTH flag before falling back to default admin user. While this improves security, verify that ENABLE_AUTH cannot be accidentally disabled through configuration or environment variables, as this would grant admin access to unauthenticated users.

⚡ Recommended focus areas for review

Auth Logic
Verify that the new authentication logic with ENABLE_AUTH check properly handles all edge cases and doesn't accidentally allow unauthorized access

Error Handling
The error handling for websocket authentication could be improved by adding logging of failed authentication attempts
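The fallback that the PR description and the reviewer guide above discuss, written out as an added example (this is not the project's depends.py and not the author's code; the names get_user_id_unsafe, get_user_id, parse_enable_auth, user_id_from_env, AuthError and the placeholder DEFAULT_USER_ID value are all assumptions). It puts the "before" shape, where an empty payload silently becomes the default user, next to a version where the fallback is only reachable when auth has been switched off explicitly. It also addresses the reviewer's two asks: the flag parser fails closed on unset or unrecognised values so a typo cannot disable auth, and rejected requests are logged.

```python
"""Added example: gate a DEFAULT_USER_ID fallback on an explicit auth-disabled flag.

All names here are hypothetical; the decoded-token payloads used in the
docstrings and tests are constructed inputs, not captured from a real system.
"""
import logging
import os
from typing import Callable, Mapping, Optional

logger = logging.getLogger(__name__)

# Placeholder value; a real deployment would have its own id. Assumption for the example.
DEFAULT_USER_ID = "00000000-0000-0000-0000-000000000000"


class AuthError(Exception):
    """Stand-in for the HTTP 401 / websocket close an API layer would emit."""


def get_user_id_unsafe(payload: Mapping[str, object]) -> str:
    """'Before' shape: an empty or missing payload becomes the default (admin) user.

    Nothing here consults configuration, so any unauthenticated caller whose
    token fails to decode to a payload is treated as DEFAULT_USER_ID.
    """
    if not payload:
        return DEFAULT_USER_ID
    sub = payload.get("sub")
    if not sub:
        raise AuthError("token has no subject")
    return str(sub)


_FALSE_TOKENS = {"false", "0", "no", "off"}
_TRUE_TOKENS = {"true", "1", "yes", "on"}


def parse_enable_auth(raw: Optional[str]) -> bool:
    """Fail closed: auth is disabled only by an explicit, recognised false value.

    Unset means enabled; an unrecognised string (e.g. a typo like "flase") is an
    error rather than a silent default, so a misconfiguration cannot open access.
    """
    if raw is None:
        return True
    value = raw.strip().lower()
    if value in _FALSE_TOKENS:
        return False
    if value in _TRUE_TOKENS:
        return True
    raise ValueError(f"ENABLE_AUTH has unrecognised value {raw!r}; refusing to guess")


def get_user_id(payload: Mapping[str, object], enable_auth: bool) -> str:
    """'After' shape: the single place the fallback lives, reachable only with auth off."""
    if not enable_auth:
        return DEFAULT_USER_ID
    if not payload:
        logger.warning("rejected request: no authenticated payload")
        raise AuthError("authentication required")
    sub = payload.get("sub")
    if not sub:
        logger.warning("rejected request: token has no subject claim")
        raise AuthError("token has no subject")
    return str(sub)


def user_id_from_env(payload: Mapping[str, object],
                     environ: Mapping[str, str] = os.environ) -> str:
    """Wire the parser and the dependency together the way a request handler would."""
    return get_user_id(payload, parse_enable_auth(environ.get("ENABLE_AUTH")))


def raises(exc: type, fn: Callable, *args) -> bool:
    """Return True if fn(*args) raises exc; used to exercise the rejection paths."""
    try:
        fn(*args)
    except exc:
        return True
    return False
```

The important difference is where the decision is made: in the unsafe form the absence of a payload is itself the trigger for the fallback, so the weakest input grants the strongest identity; in the gated form the trigger is operator intent recorded in configuration, and a missing payload is simply a rejected request. Keeping the fallback in one function also means there is exactly one line to audit when checking that the default user cannot be reached by accident.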


netlify bot commented Nov 18, 2024

Deploy Preview for auto-gpt-docs ready!

Name Link
🔨 Latest commit ddeff7c
🔍 Latest deploy log https://app.netlify.com/sites/auto-gpt-docs/deploys/673b32463ee8f000083906b5
😎 Deploy Preview https://deploy-preview-8691--auto-gpt-docs.netlify.app


netlify bot commented Nov 18, 2024

Deploy Preview for auto-gpt-docs canceled.

Name Link
🔨 Latest commit ac01394
🔍 Latest deploy log https://app.netlify.com/sites/auto-gpt-docs/deploys/673b39b6fe9fb4000845a896

@Torantulino Torantulino enabled auto-merge (squash) November 18, 2024 12:57
@Torantulino Torantulino merged commit f36d95a into dev Nov 18, 2024
15 checks passed
@Torantulino Torantulino deleted the zamilmajdy/fix-auth-depends branch November 18, 2024 13:01