🐛 fix(auth): throw Unauthorized when no valid auth method found#13368
checkAuthMethod silently returned when neither Better Auth session nor API key was present, allowing unauthenticated requests through.
@nekomeowww - This is a backend auth fix (throwing Unauthorized when no valid auth method is found). Please take a look.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage Diff

| | canary | #13368 | +/- |
|---|---|---|---|
| Coverage | 66.94% | 66.95% | |
| Files | 1903 | 1903 | |
| Lines | 153684 | 153678 | -6 |
| Branches | 15534 | 17678 | +2144 |
| Hits | 102889 | 102888 | -1 |
| Misses | 50675 | 50670 | -5 |
| Partials | 120 | 120 | |
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 972a334b01
| // if apiKey exist | ||
| if (apiKey) return; | ||
| throw AgentRuntimeError.createError(ChatErrorType.Unauthorized); |
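Review bot: the unconditional fallback throw makes checkAuthMethod fail closed, which is the right default, but the PR's Test plan section is empty; add a regression test that calls checkAuthMethod with neither betterAuthAuthorized nor apiKey and asserts it throws ChatErrorType.Unauthorized, and a second case with an empty-string apiKey, which `if (apiKey) return;` treats as absent and should therefore also be rejected. Also, the comment `// if apiKey exist` should read `// if apiKey exists`.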
Preserve legacy OAuth-authorized requests before rejecting
This new fallback throw rejects every request that lacks both betterAuthAuthorized and apiKey, but checkAuth still passes nextAuthAuthorized from the X-oauth-authorized header as a documented legacy compatibility signal. In environments still using that legacy OAuth header (without Better Auth session cookies), those requests now become 401 even when nextAuthAuthorized is true, which is a behavior regression introduced by this change. Handle nextAuthAuthorized before throwing, or remove the legacy path consistently if it is intentionally no longer supported.
❤️ Great PR @tjx666 ❤️ The growth of the project is inseparable from user feedback and contribution, thanks for your contribution! If you are interested in the lobehub developer community, please join our discord and then dm @arvinxx or @canisminor1990. They will invite you to our private developer channel. We are talking about the lobe-chat development or sharing ai newsletter around the world.
# 🚀 release: 20260407

This release includes **148 commits**. Key updates are below.

- **Response API tool execution is more capable and reliable** — Added hosted builtin tools + client-side function tools and improved tool-call streaming/completion behavior. [#13406](#13406) [#13414](#13414) [#13506](#13506) [#13555](#13555)
- **Input and composition UX upgraded** — Added AI input auto-completion and multiple chat-input stability fixes. [#13458](#13458) [#13551](#13551) [#13481](#13481)
- **Model/provider compatibility improved** — Better Gemini/Google tool schema handling and additional model updates. [#13429](#13429) [#13465](#13465) [#13613](#13613)
- **Desktop and CLI reliability improved** — Gateway WebSocket support and desktop runtime upgrades. [#13608](#13608) [#13550](#13550) [#13557](#13557)
- **Security hardening continued** — Fixed auth and sanitization risks and upgraded vulnerable dependencies. [#13535](#13535) [#13529](#13529) [#13479](#13479)

### Models & Providers

- Added/updated support for `glm-5v-turbo`, GLM-5.1 updates, and qwen3.5-omni series. [#13487](#13487) [#13405](#13405) [#13422](#13422)
- Added additional ImageGen providers/models (Wanxiang 2.7 and Keling from Qwen). [#13478](#13478)
- Improved Gemini/Google tool schema and compatibility handling across runtime paths. [#13429](#13429) [#13465](#13465) [#13613](#13613)

### Response API & Runtime

- Added hosted builtin tools in Response API and client-side function tool execution support. [#13406](#13406) [#13414](#13414)
- Improved stream tool-call argument handling and `response.completed` output correctness. [#13506](#13506) [#13555](#13555)
- Improved runtime error/context handling for intervention and provider edge cases. [#13420](#13420) [#13607](#13607)

### Desktop App

- Bumped desktop dependencies and runtime integrations (`agent-browser`, `electron`). [#13550](#13550) [#13557](#13557)
- Simplified desktop release channel setup by removing nightly release flow. [#13480](#13480)

### CLI

- Added OpenClaw migration command. [#13566](#13566)
- Added local device binding support for `lh agent run`. [#13277](#13277)
- Added WebSocket gateway support and reconnect reliability improvements. [#13608](#13608) [#13418](#13418)

### Security

- Removed risky `apiKey` fallback behavior in webapi auth path to prevent bypass risk. [#13535](#13535)
- Sanitized HTML artifact rendering and iframe sandboxing to reduce XSS-to-RCE risk. [#13529](#13529)
- Upgraded nodemailer to v8 to address SMTP command injection advisory. [#13479](#13479)

### Bug Fixes

- Fixed image generation model default switch issues. [#13587](#13587)
- Fixed subtopic re-fork message scope behavior and agent panel reset edge cases. [#13606](#13606) [#13556](#13556)
- Fixed chat-input freeze on paste and mention plugin behavior. [#13551](#13551) [#13415](#13415)
- Fixed auth/social sign-in and settings UX edge cases. [#13368](#13368) [#13392](#13392) [#13338](#13338)

### Credits

Huge thanks to these contributors: @chriszf @hardy-one @Innei @lijian @neko @OctopusNote @rdmclin2 @rivertwilight @RylanCai @suyua9 @sxjeru @Tsuki @wangyk @WindSpiritSR @yizhuo @YuTengjing @hezhijie0327 @arvinxx
Summary

`checkAuthMethod` in `src/app/(backend)/middleware/auth/utils.ts` silently returned when neither Better Auth session nor API key was present. This was a regression introduced in #11711 (Clerk removal) — the Clerk branch had the only `throw` statement, and removing it left the function without a fallback rejection. This allowed requests with only a JWT auth header (but no valid session) to pass through authentication, bypassing ban enforcement and session revocation.

Fix

Add `throw AgentRuntimeError.createError(ChatErrorType.Unauthorized)` at the end of `checkAuthMethod` when no auth method succeeds.

Test plan
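The regression described in the Summary and the fix described under Fix, side by side, as an added example that is not lobe-chat's own code. The `ChatErrorType`, `AgentRuntimeError` and `AuthMethodInput` definitions below are stand-ins I assume here so the snippet runs offline; the real project's types live in its own modules. The `admits` helper is also mine: it reports whether a given version of the check lets a request through, so the two behaviours can be compared on the same inputs.

```typescript
// Stand-in for the project's ChatErrorType (assumption, not lobe-chat's definition).
export const ChatErrorType = { Unauthorized: 'Unauthorized' } as const;

// Stand-in for the project's AgentRuntimeError (assumption, not lobe-chat's class).
export class AgentRuntimeError extends Error {
  readonly errorType: string;
  constructor(errorType: string) {
    super(errorType);
    this.errorType = errorType;
  }
  static createError(errorType: string): AgentRuntimeError {
    return new AgentRuntimeError(errorType);
  }
}

// Hypothetical shape of the signals checkAuthMethod inspects.
export interface AuthMethodInput {
  betterAuthAuthorized?: boolean;
  apiKey?: string;
}

// BEFORE (the regression): every branch either returns early or falls off the
// end of the function, so a request carrying neither a Better Auth session nor
// an API key is silently treated as authenticated.
export function checkAuthMethodRegressed(input: AuthMethodInput): void {
  if (input.betterAuthAuthorized) return;
  if (input.apiKey) return;
  // no fallback rejection here: the caller proceeds as if auth succeeded
}

// AFTER (the fix): the only way out without throwing is a positive auth signal.
// Anything else, including an empty-string apiKey, is rejected with Unauthorized.
export function checkAuthMethodFixed(input: AuthMethodInput): void {
  if (input.betterAuthAuthorized) return;
  if (input.apiKey) return;
  throw AgentRuntimeError.createError(ChatErrorType.Unauthorized);
}

// Returns true if `check` admitted the request, false if it threw Unauthorized;
// any other error is unexpected and is re-thrown.
export function admits(
  check: (input: AuthMethodInput) => void,
  input: AuthMethodInput,
): boolean {
  try {
    check(input);
    return true;
  } catch (e) {
    if (e instanceof AgentRuntimeError && e.errorType === ChatErrorType.Unauthorized) {
      return false;
    }
    throw e;
  }
}

// Constructed sample inputs: a request with no credentials at all, and one
// whose API key header is present but empty.
export const noCredentials: AuthMethodInput = {};
export const emptyApiKey: AuthMethodInput = { apiKey: '' };
```

The point of the comparison is the fail-closed shape of the fixed function: a positive signal must be matched to return normally, and the fallback throw covers every path that reaches the end. When adding a regression test for this PR, the `noCredentials` and `emptyApiKey` cases are the ones that distinguish the two versions.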