Security: Authentication is fail-open when API key is unset

[tuanaiseo]

Problem

Both verify_token_from_request and verify_api_key return success when _api_key is None. If deployment/configuration accidentally omits setting the key, all protected endpoints become publicly accessible without authentication.

Severity: medium
File: acestep/api/http/auth.py

Solution

Adopt fail-closed behavior by default: require explicit configuration to disable auth (e.g., ALLOW_UNAUTHENTICATED=false by default), and log a high-severity startup warning/error when auth is disabled.

Changes

• acestep/api/http/auth.py (modified)

Testing

• Existing tests pass
• Manual review completed
• No new warnings/errors introduced

Summary by CodeRabbit

• Bug Fixes
  • Improved API key validation error handling. When the API key is not configured, the system now returns a proper error response instead of proceeding with incomplete authentication, making configuration issues easier to diagnose.

[coderabbitai]

📝 Walkthrough

Walkthrough

Token and API key verification functions in the auth module now raise an HTTP 503 error when the API key is not configured, rather than treating an unset key as disabled authentication. Docstrings were updated to reflect this behavior change.

Changes

Cohort / File(s)	Summary
Auth Error Handling acestep/api/http/auth.py	Modified verify_token_from_request and verify_api_key to raise HTTPException (status 503) when _api_key is None instead of treating it as disabled auth. Updated docstrings to reflect "Validated token value" behavior rather than returning None on disabled auth.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A key misconfigured causes quite a fuss,
No more silent returns, now we raise a ruckus!
Five-oh-three it cries, loud and clear,
The API demands its credentials dear.
Better errors make debugging sweet,
Our auth now keeps the system fleet! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the security issue: changing authentication from fail-open (returns success when API key is unset) to fail-closed (raises error when API key is unset).
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@acestep/api/http/auth.py`:
- Around line 39-40: The current HTTP module unconditionally raises
HTTPException when _api_key is None; change this to respect an opt-out flag by
adding and reading a boolean ALLOW_UNAUTHENTICATED (set via set_api_key), emit a
startup logger.warning/error in set_api_key when auth is unset, and only raise
HTTPException(503) inside verify_token_from_request and verify_api_key when
_api_key is None AND ALLOW_UNAUTHENTICATED is False; update tests to set
ALLOW_UNAUTHENTICATED=True for the "auth disabled" path and ensure behavior
matches the gradio path (verify_token_from_request) so both fail-open or
fail-closed are aligned.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a6a78085-6a7d-45f5-afbb-5a033897d43d

📥 Commits

Reviewing files that changed from the base of the PR and between 1d9d2d3 and c56a2fa.

📒 Files selected for processing (1)

• acestep/api/http/auth.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm the broken test and any other call sites relying on the old "None == disabled" contract.
rg -nP -C2 '\bverify_(token_from_request|api_key)\b'
rg -nP -C2 '\bset_api_key\b'
rg -nP 'ALLOW_UNAUTHENTICATED'

Repository: ace-step/ACE-Step-1.5

Length of output: 50377

---

🏁 Script executed:

#!/bin/bash
# Check the actual auth.py implementation
cat acestep/api/http/auth.py

Repository: ace-step/ACE-Step-1.5

Length of output: 2376

---

🏁 Script executed:

#!/bin/bash
# Check if auth_test.py exists and what tests it contains
find . -name "*auth*test*.py" -type f | head -10

Repository: ace-step/ACE-Step-1.5

Length of output: 96

---

🏁 Script executed:

#!/bin/bash
# Search for ALLOW_UNAUTHENTICATED in entire codebase with extended context
find . -type f -name "*.py" -exec grep -l "ALLOW_UNAUTHENTICATED" {} \;

Repository: ace-step/ACE-Step-1.5

Length of output: 47

---

🏁 Script executed:

#!/bin/bash
# Read the auth_test.py file
cat acestep/api/http/auth_test.py

Repository: ace-step/ACE-Step-1.5

Length of output: 3347

---

🏁 Script executed:

#!/bin/bash
# Verify api_server.py calls set_api_key to understand deployment impact
rg -A5 "set_api_key" acestep/api_server.py

Repository: ace-step/ACE-Step-1.5

Length of output: 507

---

🏁 Script executed:

#!/bin/bash
# Check gradio api_routes for the duplicate verification logic mentioned
rg -B2 -A10 "def verify_token_from_request" acestep/ui/gradio/api/api_routes.py

Repository: ace-step/ACE-Step-1.5

Length of output: 485

---

Implementation diverges from PR objectives: missing opt-out mechanism and startup warning; breaks existing tests.

The PR description specifies fail-closed by default with an explicit ALLOW_UNAUTHENTICATED escape hatch plus a high-severity startup log when auth is disabled. The current implementation instead unconditionally raises HTTP 503 when _api_key is None, which breaks the codebase in three ways:

1. Existing test fails. acestep/api/http/auth_test.py::test_verify_token_returns_none_when_auth_is_disabled calls verify_token_from_request(body={}, authorization=None) and expects None, but lines 39–40 now raise HTTPException(503). The test also calls verify_api_key(authorization=None) expecting success, but line 68 raises 503.

2. Breaks unauthenticated deployments. acestep/api_server.py reads ACESTEP_API_KEY via os.getenv("ACESTEP_API_KEY", None) and passes it to set_api_key. Any deployment without the env var (local dev, the gradio path in acestep/ui/gradio/api/api_routes.py) now 503s on every protected route with no migration path.

3. Missing startup logging. There is no logger.warning or logger.error emitted at configuration time (in set_api_key) to surface the insecure state.

Also note: acestep/ui/gradio/api/api_routes.py::verify_token_from_request still silently returns None on unset key (fail-open), while the HTTP module version raises 503 (fail-closed). Either align them or clarify intent (is gradio intentionally left fail-open, or is that a bug?).

Suggested fix: Gate the 503 response on an ALLOW_UNAUTHENTICATED flag read in set_api_key, emit a startup warning/error log if auth is unset, and update tests to set the flag when testing the "disabled auth" path.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@acestep/api/http/auth.py` around lines 39 - 40, The current HTTP module
unconditionally raises HTTPException when _api_key is None; change this to
respect an opt-out flag by adding and reading a boolean ALLOW_UNAUTHENTICATED
(set via set_api_key), emit a startup logger.warning/error in set_api_key when
auth is unset, and only raise HTTPException(503) inside
verify_token_from_request and verify_api_key when _api_key is None AND
ALLOW_UNAUTHENTICATED is False; update tests to set ALLOW_UNAUTHENTICATED=True
for the "auth disabled" path and ensure behavior matches the gradio path
(verify_token_from_request) so both fail-open or fail-closed are aligned.