52 changes: 26 additions & 26 deletions .github/workflows/bottube-digest-bot.yml
Expand Up @@ -7,32 +7,32 @@ on:
schedule:
- cron: '0 9 * * MON'

# Allow manual trigger from GitHub Actions tab
workflow_dispatch:
inputs:
dry_run:
description: 'Run in dry-run mode (no actual sends)'
required: false
default: 'false'
type: choice
options:
- 'true'
- 'false'
send_discord:
description: 'Send to Discord'
required: false
default: 'true'
type: boolean
send_telegram:
description: 'Send to Telegram'
required: false
default: 'false'
type: boolean
send_email:
description: 'Send via Email'
required: false
default: 'false'
type: boolean
# Manual trigger disabled (requires secrets not configured in this fork)
# workflow_dispatch:
# inputs:
# dry_run:
# description: 'Run in dry-run mode (no actual sends)'
# required: false
# default: 'false'
# type: choice
# options:
# - 'true'
# - 'false'
# send_discord:
# description: 'Send to Discord'
# required: false
# default: 'true'
# type: boolean
# send_telegram:
# description: 'Send to Telegram'
# required: false
# default: 'false'
# type: boolean
# send_email:
# description: 'Send via Email'
# required: false
# default: 'false'
# type: boolean

jobs:
send-digest:
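Review bot: Disabling only `workflow_dispatch` (L55–L80) leaves the `schedule` cron on L26–L27 active, so if the job under `jobs:` reads the same secrets the comment on L55 says are not configured in this fork, the weekly scheduled run will presumably still fail for the same reason. Either comment out `schedule:` as well, or add a first step that verifies the required secrets are present and exits early with a clear message instead of failing mid-job. The `jobs:` body begins outside the hunk, so this is inferred from the comment rather than from visible step definitions.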
18 changes: 18 additions & 0 deletions contributor_registry.py
Expand Up @@ -132,10 +132,28 @@ def index():
).fetchall()

from flask import render_template_string
from collections import defaultdict
import time

# Simple in-memory rate limiter
_rate_limits = defaultdict(list)
def _check_rate_limit(ip, limit=5, window=3600):
now = time.time()
_rate_limits[ip] = [t for t in _rate_limits[ip] if now - t < window]
if len(_rate_limits[ip]) >= limit:
return False
_rate_limits[ip].append(now)
return True
return render_template_string(html, contributors=contributors)

@app.route('/register', methods=['POST'])
def register():
# Simple rate limiting: max 5 registrations per IP per hour
client_ip = request.remote_addr
if not _check_rate_limit(client_ip, limit=5, window=3600):
flash('Too many registration attempts. Please try again later.')
return redirect('/')

github_username = request.form['github_username']
contributor_type = request.form['contributor_type']
rtc_wallet = request.form['rtc_wallet']
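Review bot: `_rate_limits` and `_check_rate_limit` (L94–L102) appear to be defined inside `index()` — the hunk header is `def index():` and they sit between the `.fetchall()` call and `return render_template_string(...)` on L103 — so if they are indented with that body, `register()` on L109 raises `NameError` because the helper is local to `index`, and even if it were reachable the `defaultdict` would be rebuilt on every `/` request, making the limit ineffective. Move L91–L102 to module scope (the imports to the top of the file, `_rate_limits` and `_check_rate_limit` beside `register`) so one store persists for the process. Two caveats worth a comment on L94: the store is per-process and never pruned for IPs that stop returning, so it grows without bound and is not shared across workers; and `request.remote_addr` (L108) is the proxy's address behind a reverse proxy, so the limit would then apply to all clients collectively unless `ProxyFix` or an equivalent is configured. `register()` continues outside the hunk.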
6 changes: 6 additions & 0 deletions passport/passport_server.py
Expand Up @@ -73,6 +73,12 @@ def api_create():
if not data or "machine_id" not in data:
return jsonify({"error": "machine_id required"}), 400

# Enforce API key for passport writes
req_key = request.headers.get("X-API-Key", "")
if not req_key or req_key != os.environ.get("PASSPORT_API_KEY", ""):
return jsonify({"error": "unauthorized"}), 401
return jsonify({"error": "machine_id required"}), 400

# Check if exists (update) or new (create)
existing = ledger.get(data["machine_id"])
if existing:
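Review bot: L127 `return jsonify({"error": "machine_id required"}), 400` follows the key check unconditionally, so once a caller presents a valid key the handler returns 400 before reaching the create/update logic on L129 onward; if the line is instead indented under the `if` on L125 (indentation is lost in this view) it is dead code after the 401 — either way it should be deleted. The comparison on L125 should be constant-time, `if not req_key or not hmac.compare_digest(req_key, os.environ.get("PASSPORT_API_KEY", "")):` with `import hmac`, so the key is not leaked byte by byte through timing; the same direct `!=` compare appears in payout_ledger.py (L141) and sophia_api.py (L155). `api_create()` begins outside the hunk.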
4 changes: 4 additions & 0 deletions payout_ledger.py
Expand Up @@ -169,6 +169,10 @@ def api_ledger_get(record_id):
def api_ledger_create():
init_payout_ledger_tables()
data = request.get_json(force=True)
# Enforce API key for ledger writes
req_key = request.headers.get("X-API-Key", "")
if not req_key or req_key != os.environ.get("LEDGER_API_KEY", ""):
return jsonify({"error": "unauthorized"}), 401
required = ["bounty_id", "contributor", "amount_rtc"]
for field in required:
if field not in data:
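Review bot: The key check on L140–L142 runs after `init_payout_ledger_tables()` and `request.get_json(force=True)` on L137–L138, so an unauthenticated request still triggers table initialization and body parsing, and a malformed body from an unauthenticated caller yields a 400 from `force=True` before the 401 is ever reached. Move the three check lines to be the first statements of `api_ledger_create()` so rejection happens before any work is done; sophia_api.py has the same ordering, with `get_json` on L151 preceding the check on L154. The remainder of `api_ledger_create()` is outside the hunk.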
5 changes: 5 additions & 0 deletions sophia_api.py
Expand Up @@ -36,6 +36,11 @@ def inspect_fingerprint():
"""Submit a hardware fingerprint for Sophia inspection."""
data = request.get_json(force=True)

# Enforce API key for Sophia inspection submissions
req_key = request.headers.get("X-API-Key", "")
if not req_key or req_key != os.environ.get("SOPHIA_API_KEY", ""):
return jsonify({"error": "unauthorized"}), 401

miner_id = data.get("miner_id")
fingerprint = data.get("fingerprint")

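Review bot: The check on L153–L156 is the third verbatim copy of the one added to passport/passport_server.py and payout_ledger.py, differing only in the environment variable name, which means any later fix (constant-time compare, header name, fail-closed behaviour when the variable is unset) has to be applied three times. Define it once as a decorator, `require_api_key(env_name)`, in a shared module and apply `@require_api_key("SOPHIA_API_KEY")` beneath the existing route decorator; the sketch below needs `functools` and `hmac` imported alongside the module's existing `os`, `request` and `jsonify`. An empty or unset expected key is rejected explicitly so the behaviour stays fail-closed, as the current `not req_key or req_key != ...` already is.
```python
def require_api_key(env_name):
    """Return a decorator that rejects the request with 401 unless X-API-Key matches the key stored in env_name."""
    def decorator(view):
        @functools.wraps(view)
        def wrapped(*args, **kwargs):
            expected = os.environ.get(env_name, "")
            supplied = request.headers.get("X-API-Key", "")
            # Fail closed when the key is unconfigured; compare in constant time.
            if not supplied or not expected or not hmac.compare_digest(supplied, expected):
                return jsonify({"error": "unauthorized"}), 401
            return view(*args, **kwargs)
        return wrapped
    return decorator

# … unchanged: the existing route decorator stays directly above this line …
@require_api_key("SOPHIA_API_KEY")
def inspect_fingerprint():
    # … unchanged: body, with the inline key check on L153–L156 removed …
```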