Fix APE authentication to use FastAPI Depends pattern#371

Merged
Lightheartdevs merged 1 commit into Light-Heart-Labs:main from reo0603:fix/ape-auth-verify-endpoint
Mar 18, 2026

Conversation

reo0603 (Contributor) commented Mar 18, 2026

Summary

Fixes APE authentication to use FastAPI's Depends() pattern consistently across all endpoints, matching the pattern used in dashboard-api.

Security Issues Fixed

Before: /policy and /metrics endpoints had NO authentication
After: All endpoints require API key via Depends(verify_api_key)

Changes

  • Added Depends import from fastapi
  • /verify: Changed from manual await verify_api_key(request) to Depends(verify_api_key)
  • /audit: Changed from manual header check to Depends(verify_api_key)
  • /policy: Added authentication (was unauthenticated)
  • /metrics: Added authentication (was unauthenticated)

Consistency

This matches the auth pattern used throughout dashboard-api routers:

@router.get("/api/agents/metrics")
async def get_agent_metrics(api_key: str = Depends(verify_api_key)):

The manual auth checks in APE were inconsistent and left security gaps.

Lightheartdevs (Collaborator) left a comment

Review: Fix APE authentication to use FastAPI Depends pattern

Good PR — fixes a real security gap (/policy and /metrics were unauthenticated) and replaces inconsistent manual auth with the idiomatic Depends() pattern per CLAUDE.md's DIP guidance.

Minor issue (non-blocking)

Type mismatch on verify_api_key return value vs. Depends() annotation
dream-server/extensions/services/ape/main.py lines 248-251, 275, etc.

verify_api_key returns True (a bool), but every endpoint annotates the injected value as api_key: str = Depends(verify_api_key). This is a type lie — api_key will be True at runtime, not a string. Since the return value is never actually used in any endpoint body, the cleanest fix is either:

  1. Return None (or nothing) and annotate as None = Depends(verify_api_key), or
  2. Return the actual key (return x_api_key) and keep the str annotation — this is what dashboard-api does with its verify_api_key, which returns the credential string.

Option 2 would be more consistent with dashboard-api's pattern and makes the dependency genuinely useful if a future endpoint needs to know which key was used.

What looks good

  • /verify: Correctly migrated from broken await verify_api_key(request) (was passing Request where Header param was expected) to Depends(). Pre-existing bug fixed.
  • /audit: Removed duplicated inline auth check in favor of the shared dependency. Clean.
  • /policy, /metrics: Now auth-protected. Security improvement.
  • Request parameter correctly retained on /verify since request.client.host is used for audit logging.
  • /health correctly left unauthenticated (liveness probes must not require auth).

LGTM with the optional type annotation cleanup.

@Lightheartdevs Lightheartdevs merged commit 8ff7fad into Light-Heart-Labs:main Mar 18, 2026
16 checks passed