Harden REST auth defaults: startup fail-fast + opt-in WS query-key fallback by hiroshitanaka-creator · Pull Request #433 · hiroshitanaka-creator/Po_core

hiroshitanaka-creator · 2026-03-14T15:46:12Z

Ensure production-safe defaults for API-key authentication so misconfiguration fails early instead of allowing a partially-unprotected server to start.
Remove always-on WebSocket query-parameter fallback (a leakage risk) and make it an explicit opt-in for browser-compatibility cases.
Keep shared evaluate_auth_policy() design and make minimal, testable changes with docs and examples aligned.

Added ws_allow_query_api_key: bool = False to APISettings (env PO_WS_ALLOW_QUERY_API_KEY) and wired it into the WS auth resolver so ?api_key= is accepted only when explicitly enabled.
Implemented startup validation _validate_startup_auth_configuration() called from create_app() that raises a RuntimeError when PO_SKIP_AUTH=false and PO_API_KEY is empty/blank (dev mode with PO_SKIP_AUTH=true remains allowed).
Hardened WebSocket handling by changing _resolve_ws_auth_key() to prefer header auth and only use query param when ws_allow_query_api_key is true, and preserved the shared evaluate_auth_policy() path.
Updated docs/examples/config (README.md, .env.example, docker-compose.yml) and adjusted benchmark fixture to create the app with explicit settings and a warm-up request to avoid cold-start skew.
Added/updated tests in tests/unit/test_rest_api.py and tests/benchmarks/test_rest_perf.py to cover startup fail-fast, WS query-param opt-in, and benchmark compatibility.

Ran pytest -q tests/unit/test_rest_api.py and the file passed (new startup + WS tests included).
Ran pytest -q tests/benchmarks/test_rest_perf.py after adding warm-up; benchmarks passed.
Ran the full test suite pytest -q which completed successfully: final run reported 3724 passed, 4 skipped.

Harden REST auth defaults with startup fail-fast and WS opt-in fallback

970f5e4

Provide feedback