10 changes: 2 additions & 8 deletions acestep/api/http/auth.py
@@ -23,7 +23,7 @@ def set_api_key(key: Optional[str]) -> None:
def verify_token_from_request(
body: dict[str, Any], authorization: Optional[str] = None
) -> Optional[str]:
"""Validate request auth from body ``ai_token`` or Authorization header.
"""Validate request auth from Authorization header.

Args:
body: Parsed request payload dictionary.
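Review bot: The `body` parameter is still accepted and documented under Args (`body: Parsed request payload dictionary.`) even though the new docstring says auth comes only from the Authorization header, and none of the remaining lines in this function read `body` any more. Either drop the parameter (and update callers) or say in the docstring that it is ignored, so clients do not keep sending tokens in the request body expecting them to be honoured.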
@@ -39,19 +39,13 @@ def verify_token_from_request(
if _api_key is None:
return None

ai_token = body.get("ai_token") if body else None
if ai_token:
if ai_token == _api_key:
return ai_token
raise HTTPException(status_code=401, detail="Invalid ai_token")

if authorization:
token = authorization[7:] if authorization.startswith("Bearer ") else authorization
if token == _api_key:
return token
raise HTTPException(status_code=401, detail="Invalid API key")
Comment on lines 42 to 46
⚠️ Potential issue | 🟡 Minor

Enforce Bearer if header-only auth is meant to be Bearer-only.

Line 43 still accepts Authorization: <raw-api-key> without the Bearer scheme. If the intended contract is exclusively Authorization: Bearer <token>, reject non-Bearer headers here and mirror the same behavior in verify_api_key.

Proposed Bearer-only parsing
     if authorization:
-        token = authorization[7:] if authorization.startswith("Bearer ") else authorization
+        if not authorization.startswith("Bearer "):
+            raise HTTPException(status_code=401, detail="Invalid Authorization header")
+        token = authorization.removeprefix("Bearer ")
         if token == _api_key:
             return token
         raise HTTPException(status_code=401, detail="Invalid API key")
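Review bot: `str.removeprefix` in the proposed replacement exists only on Python 3.9 and later; if the project still supports older interpreters, keep a slice (`authorization[len("Bearer "):]`) behind the new `startswith` check instead. Also note that `startswith("Bearer ")` is case-sensitive, while the HTTP auth-scheme token is case-insensitive per RFC 7235, so decide explicitly whether `bearer <token>` should be accepted before adopting the strict form.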
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@acestep/api/http/auth.py` around lines 42 - 46, the current Authorization parsing accepts raw API keys without the Bearer scheme; change the logic in the block that reads the `authorization` header (variable `authorization`, extraction into `token`, and comparison with `_api_key`) to reject any header that does not start with "Bearer " by raising HTTPException(401) rather than stripping non-Bearer values, and update the related `verify_api_key` function to use the same Bearer-only check so only `Authorization: Bearer <token>` is accepted.


raise HTTPException(status_code=401, detail="Missing ai_token or Authorization header")
raise HTTPException(status_code=401, detail="Missing Authorization header")


async def verify_api_key(authorization: Optional[str] = Header(None)) -> None:
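Review bot: The secret comparison `if token == _api_key:` in this hunk (and the mirrored check in `verify_api_key`) should use `hmac.compare_digest` rather than `==`, so the comparison does not short-circuit on the first differing byte of the key; encode both sides to bytes first, since `compare_digest` raises `TypeError` for non-ASCII `str` arguments. Separately, replacing `Missing ai_token or Authorization header` with `Missing Authorization header` is a client-visible contract change for anyone who was sending `ai_token` in the body, so it belongs in the release notes alongside this PR.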