Files
agent-framework/python/packages
T
Evan Mattson fbccad091b [BREAKING] Python: DevUI: tighten default access controls and CORS posture (#5740)
* Python: DevUI: tighten default access controls and CORS posture

Adjusts the default configuration of the DevUI server so the out-of-the-box
posture matches what most callers expect when running locally. Adds explicit
opt-outs for callers who need the previous behavior.

- DevServer gains auth_enabled and auth_token constructor params; auth is on by
  default. Auto-generates and logs a token when none provided.
- CORS default is an empty allowlist on every host. Callers wanting cross-origin
  pass cors_origins explicitly.
- Streaming /v1/responses no longer sets Access-Control-Allow-Origin directly;
  CORSMiddleware owns all CORS decisions.
- Loopback binds enforce a Host-header allowlist.
- /meta moved out of the auth bypass list (was alongside /health and /).
- serve() default flipped to auth_enabled=True; passes auth args through to
  DevServer instead of using env-var indirection.
- CLI: --auth opt-in replaced with --no-auth opt-out; --auth-token preserved.
- Tests cover the eight behaviors above in test_server.py.

* Python: DevUI: address PR review comments

- /meta now derives auth_required from self.auth_enabled instead of
  reading DEVUI_AUTH_TOKEN, so the auto-generated and explicit
  auth_token paths report correctly.
- Reorder middleware so the loopback Host-header allowlist is registered
  last; Starlette wraps later-added middleware around earlier-added ones,
  so the host check now runs outermost (before CORS/auth) as intended.
- Rework comments to describe the behavior rather than threat scenarios.
- Streaming-headers and CORS tests now construct the server with an
  explicit auth_token and send a Bearer header, so the assertions
  actually exercise the streaming/CORS path instead of short-circuiting
  in the auth middleware.
fbccad091b ยท 2026-05-14 00:37:46 +00:00
History
..