[security] Unauthenticated API endpoints allow unauthorized access #1783
Description
đź”´ critical - security
File: pkg/server/server.go (line 34)
Code
group := e.Group("/api")
// List all available agents
group.GET("/agents", s.getAgents)
// Get an agent by id
group.GET("/agents/:id", s.getAgentConfig)
// List all sessions
group.GET("/sessions", s.getSessions)
// Get a session by id
group.GET("/sessions/:id", s.getSession)
// Resume a session by id
group.POST("/sessions/:id/resume", s.resumeSession)
// Toggle YOLO mode for a session
group.POST("/sessions/:id/tools/toggle", s.toggleSessionYolo)
// Toggle thinking mode for a session
group.POST("/sessions/:id/thinking/toggle", s.toggleSessionThinking)
// Update session permissions
group.PATCH("/sessions/:id/permissions", s.updateSessionPermissions)
// Update session title
group.PATCH("/sessions/:id/title", s.updateSessionTitle)
// Create a new session
group.POST("/sessions", s.createSession)
// Delete a session
group.DELETE("/sessions/:id", s.deleteSession)
// Run an agent loop
group.POST("/sessions/:id/agent/:agent", s.runAgent)
group.POST("/sessions/:id/agent/:agent/:agent_name", s.runAgent)
group.POST("/sessions/:id/elicitation", s.elicitation)Problem
No authentication or authorization middleware is applied to the API endpoints. This allows any client to perform sensitive operations—such as creating, deleting, or resuming sessions—without proper access control.
Suggested Fix
Integrate robust authentication and authorization middleware (e.g., JWT-based auth) to secure all /api endpoints so that only authorized users can access and modify session and agent data.
Found by nightly codebase scan