Fix Unauthenticated Access to Bot Proxy Endpoints (/bot/v1/chat, /bot/v1/chat/stream)#996

Open
13ernkastel wants to merge 2 commits into volcengine:main from 13ernkastel:main

Conversation

@13ernkastel
Contributor

This PR fixes a Broken Access Control issue on bot proxy endpoints by enforcing authentication before proxying requests upstream.

Previously, POST /bot/v1/chat and POST /bot/v1/chat/stream accepted unauthenticated requests because token extraction was optional and non-blocking. This change introduces explicit auth enforcement (401 on missing token) and adds regression tests for both endpoints.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Performance improvement
  • Test update

Changes Made

  • Added require_auth_token(request) to enforce presence of API credentials for bot proxy operations and return HTTP 401 when missing.
  • Updated /bot/v1/chat and /bot/v1/chat/stream handlers to call auth enforcement before forwarding requests.
  • Added regression tests verifying unauthenticated requests to both endpoints are rejected with 401.

Testing

  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have tested this on the following platforms:
  • Linux
  • macOS
  • Windows

Test notes:

  • Added endpoint-level regression coverage using httpx.ASGITransport for:
    • POST /bot/v1/chat unauthenticated → 401
    • POST /bot/v1/chat/stream unauthenticated → 401
  • In this CI/container environment, full pytest execution was blocked by a missing pytest_asyncio dependency.

Checklist

  • My code follows the project's coding style
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • Any dependent changes have been merged and published
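The pattern the PR describes, as an added illustration rather than the project's own code: a framework-agnostic sketch of the vulnerable "extract token if present, forward regardless" handler beside the fixed shape that calls an auth gate before anything is proxied. The `Request` stand-in, `AuthError`, `forward_upstream` and the handler names are hypothetical; only the idea of a `require_auth_token(request)` returning 401 comes from the PR. It goes slightly beyond the PR text in two ways worth checking in review: an `Authorization: Bearer ` header with an empty token is rejected too, and the streaming handler authenticates before the response stream opens, since a 401 can no longer be sent once a 200 streaming response has started. Tokens and request bodies are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional


@dataclass
class Request:
    """Minimal stand-in for a framework request: headers plus raw body (hypothetical)."""
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


class AuthError(Exception):
    """Raised by the auth gate; carries the HTTP status to return (hypothetical)."""
    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status, self.detail = status, detail


def _header(request: Request, name: str) -> str:
    # HTTP header names are case-insensitive; match accordingly.
    for k, v in request.headers.items():
        if k.lower() == name.lower():
            return v
    return ""


def extract_token_optional(request: Request) -> Optional[str]:
    """Before the fix: best-effort extraction, None when absent or empty."""
    auth = _header(request, "Authorization")
    if auth[:7].lower() == "bearer ":
        return auth[7:].strip() or None
    return None


def require_auth_token(request: Request) -> str:
    """After the fix: the request must carry a usable bearer token, else 401."""
    token = extract_token_optional(request)
    if not token:
        raise AuthError(401, "missing or empty bearer token")
    return token


# Constructed: records what would have been proxied upstream.
UPSTREAM_CALLS: List[dict] = []


def forward_upstream(token: Optional[str], body: bytes) -> dict:
    UPSTREAM_CALLS.append({"token": token, "body": body})
    return {"status": 200, "body": b'{"reply":"ok"}'}


def chat_handler_before(request: Request) -> dict:
    """Vulnerable shape: the token is extracted but never required."""
    token = extract_token_optional(request)
    return forward_upstream(token, request.body)


def chat_handler_after(request: Request) -> dict:
    """Fixed shape: the gate runs before any upstream call."""
    try:
        token = require_auth_token(request)
    except AuthError as e:
        return {"status": e.status, "body": e.detail.encode()}
    return forward_upstream(token, request.body)


def chat_stream_handler_after(request: Request) -> dict:
    # Authenticate before the stream opens: once a 200 has been sent and
    # chunks are flowing, a failure inside the generator cannot become a 401.
    try:
        token = require_auth_token(request)
    except AuthError as e:
        return {"status": e.status, "body": e.detail.encode()}
    upstream = forward_upstream(token, request.body)

    def chunks() -> Iterator[bytes]:
        yield b"data: " + upstream["body"] + b"\n\n"
        yield b"data: [DONE]\n\n"

    return {"status": 200, "stream": chunks()}


def run_regression() -> dict:
    """The PR's two unauthenticated cases plus an empty-token edge case and a valid one."""
    UPSTREAM_CALLS.clear()
    cases = {
        "no_header": Request(),
        "empty_bearer": Request({"Authorization": "Bearer "}),
        "valid": Request({"authorization": "Bearer sk-constructed-token"}, b'{"q":"hi"}'),
    }
    out = {}
    for name, req in cases.items():
        out[name] = {
            "before": chat_handler_before(req)["status"],
            "chat": chat_handler_after(req)["status"],
            "stream": chat_stream_handler_after(req)["status"],
        }
    out["upstream_calls"] = len(UPSTREAM_CALLS)
    return out


if __name__ == "__main__":
    print(run_regression())
```

`run_regression()` makes the access-control difference visible: the "before" handler forwards all three requests upstream, while the fixed chat and stream handlers forward only the one carrying a non-empty bearer token. The upstream call count (five in total: three from the vulnerable handler, one each from the fixed handlers) is the number a real regression test should also assert on, so that a gate which returns 401 but has already proxied the request cannot pass.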


Labels: None yet
Project status: Backlog
2 participants