
fix: require explicit opt-in for anonymous mode #1978

Open

failsafesecurity wants to merge 1 commit into langflow-ai:main from failsafesecurity:fix/find-001-explicit-no-auth-opt-in

Conversation

failsafesecurity commented Jun 26, 2026

Summary

  • require explicit OPENRAG_ALLOW_NO_AUTH=true before anonymous mode activates
  • document that leaving Google OAuth credentials blank no longer silently enables unauthenticated access
  • add regression coverage for the no-auth opt-in gate and missing-cookie auth behavior

Security context

OpenRAG currently treats missing Google OAuth credentials as an implicit no-auth mode when IBM auth is disabled. In default OSS configuration, that can turn unauthenticated requests into authenticated AnonymousUser requests and expose protected application surfaces. This patch makes anonymous mode an explicit local-development opt-in instead of a silent fallback.

Validation

  • python3 -m py_compile src/config/settings.py tests/unit/config/test_no_auth_mode.py tests/unit/dependencies/test_auth_jwt_attachment.py
  • full pytest was not available in the audit workspace because repo dependencies were not installed there

Notes

  • no public submission has been created yet; this branch is prepared for maintainer review only

Summary by CodeRabbit

  • Bug Fixes

    • Tightened anonymous access behavior so blank Google OAuth credentials no longer automatically allow no-auth mode.
    • Added a safer local-development option to explicitly enable anonymous access when needed.
    • Improved login error handling so requests without authentication now return a clear 401 response.
  • Tests

    • Added coverage for the updated no-auth and unauthenticated request behavior.

@github-actions github-actions Bot added community backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) tests and removed community labels Jun 26, 2026
coderabbitai Bot (Contributor) commented Jun 26, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 255eeb9e-6764-4165-ab9c-d0437abc9fab

📥 Commits

Reviewing files that changed from the base of the PR and between 2d7f0ba and 23c12f6.

📒 Files selected for processing (4)
  • .env.example
  • src/config/settings.py
  • tests/unit/config/test_no_auth_mode.py
  • tests/unit/dependencies/test_auth_jwt_attachment.py

Walkthrough

Adds an explicit OPENRAG_ALLOW_NO_AUTH setting, updates no-auth selection to require it, and expands tests for the new auth behavior.

Changes

No-auth gating

| Layer / File(s) | Summary |
|---|---|
| Flag exposure and docs (.env.example, src/config/settings.py) | OPENRAG_ALLOW_NO_AUTH is added with a default of false, and the Google login notes reference it as an allowed alternative to providing OAuth credentials. |
| No-auth decision logic (src/config/settings.py) | is_no_auth_mode() now returns false when IBM auth is enabled, requires the new flag, and only then treats missing Google OAuth credentials as no-auth. |
| Auth behavior tests (tests/unit/config/test_no_auth_mode.py, tests/unit/dependencies/test_auth_jwt_attachment.py) | Tests cover the default and enabled flag cases for is_no_auth_mode() and the 401 path when get_current_user() runs without a cookie outside no-auth mode. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 16.67%, which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly captures the main change: anonymous mode now requires explicit opt-in. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
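The PR's Security context and the walkthrough's description of is_no_auth_mode() and get_current_user() both come down to one gating decision. The following is an added illustration written for this page, not OpenRAG's code: it puts the pre-fix implicit fallback beside the post-fix explicit opt-in and shows the 401 path for a cookie-less request. Only OPENRAG_ALLOW_NO_AUTH comes from the PR; the other environment variable names, the AuthSettings class and the function bodies are assumptions.

```python
from dataclasses import dataclass
from typing import Mapping, Optional

# Only OPENRAG_ALLOW_NO_AUTH is taken from the PR; the other env var names are assumed.
def _truthy(value: Optional[str]) -> bool:
    """Parse a boolean env value; anything but an explicit true-ish string is False."""
    return (value or "").strip().lower() in {"1", "true", "yes", "on"}

@dataclass
class AuthSettings:
    ibm_auth_enabled: bool
    google_client_id: str
    google_client_secret: str
    allow_no_auth: bool

    @classmethod
    def from_env(cls, env: Mapping[str, str]) -> "AuthSettings":
        return cls(
            ibm_auth_enabled=_truthy(env.get("IBM_AUTH_ENABLED")),
            google_client_id=env.get("GOOGLE_OAUTH_CLIENT_ID", ""),
            google_client_secret=env.get("GOOGLE_OAUTH_CLIENT_SECRET", ""),
            allow_no_auth=_truthy(env.get("OPENRAG_ALLOW_NO_AUTH")),
        )

    def google_credentials_missing(self) -> bool:
        return not (self.google_client_id.strip() and self.google_client_secret.strip())

def is_no_auth_mode_before(s: AuthSettings) -> bool:
    """Pre-fix behaviour: blank OAuth credentials silently imply anonymous mode."""
    return not s.ibm_auth_enabled and s.google_credentials_missing()

def is_no_auth_mode_after(s: AuthSettings) -> bool:
    """Post-fix behaviour: IBM auth wins; otherwise the explicit opt-in flag is required."""
    if s.ibm_auth_enabled or not s.allow_no_auth:
        return False
    return s.google_credentials_missing()

class Unauthorized(Exception):
    status_code = 401

def get_current_user(s: AuthSettings, cookie: Optional[str]) -> str:
    """Anonymous only in opt-in no-auth mode; otherwise a missing cookie is a 401."""
    if is_no_auth_mode_after(s):
        return "AnonymousUser"
    if not cookie:
        raise Unauthorized("missing auth cookie")
    return f"user:{cookie}"  # real cookie/JWT validation is out of scope here
```

With an empty environment the pre-fix check returns True and the post-fix check returns False, which is exactly the default-deployment case the PR description calls out.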

@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Jun 26, 2026

Labels

backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) bug 🔴 Something isn't working. tests


1 participant