Assets under /assets/ are accessible without authentication

[erostefano]

Description

When authentication is enabled, static files served under the /assets/ path are still accessible without being logged in.

https://domain.dev/assets/

Problem

This allows unauthenticated access to application assets despite authentication being enabled.

Expected behavior

All routes should respect authentication when auth is enabled.

Actual behavior

Requests to /assets/* succeed without authentication.

Additional context

This was observed on a deployment with authentication enabled and verified using a logged-out browser session.

[ralphocdol]

assets-path is meant for a client-side css and assets data. If one wants to style the login form, they would need it. A separate authenticated-asset-path or per user or something is probably better.

[svilenmarkov]

assets-path is meant for a client-side css and assets data.

Pretty much this - it's meant for public data. What's the use case for serving anything sensitive under assets?

[erostefano]

assets-path is meant for a client-side css and assets data.

Pretty much this - it's meant for public data. What's the use case for serving anything sensitive under assets?

If it’s meant for public data, it should be called /public. Anything under /assets could be sensitive.

Is there now a built-in approach to serve sensitive data securely?

[ralphocdol]

What's the use case for serving anything sensitive under assets?

The pre-cached one in the discord is what I could think of at least. Although, its more of the idea of serving an authenticated path to store JSON files that were generated by something and to be used by custom-api. OP is probably using it for something similar.

[erostefano]

@ralphocdol : That's exactly my use case.

One service has no API. As a workaround it creates a JSON file under assets which I request using the widget custom-api.

[svilenmarkov]

As a workaround it creates a JSON file under assets which I request using the widget custom-api.

Sounds like an XY problem. In this case, it would make a lot more sense to simply add a file property to custom-api which would allow you to read local JSON files.

[not-first]

That would simplify my custom hacks a lot. Some custom scripts I have write their output to JSON files, and I currently run another nginx container just to serve them to glance.

Being able to use their direct files as a source for glance would be amazing.

[erostefano]

In my opinion, the assets path can contain both sensitive and non-sensitive data. Therefore, this should be treated as a bug fix rather than a feature request.