admin/Hermes-ui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: patch auth bypass via case-sensitive path matching (#77)

Browse Source 
- Normalize request path to lowercase before auth check to prevent
  bypassing authentication with uppercase paths like /API/hermes/sessions
- Auto-restart server after in-page update via detached hermes-web-ui restart

Closes #77

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
ekko
2026-04-20 15:21:47 +08:00
parent eb6c2dc9f6
commit f3a980bb2e
2 changed files with 11 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/server/src/services/auth.ts
+1 -1
View File
@@ -48,7 +48,7 @@ export async function authMiddleware(token: string | null) {
}
// Skip non-API paths (static files, health check, SPA)
const path = ctx.path
const path = ctx.path.toLowerCase()
if (
path === '/health' ||
(!path.startsWith('/api') && !path.startsWith('/v1') && path !== '/webhook')