Fix authentication bypass in multi-API deployments #674

Merged
bhimrazy merged 6 commits into Lightning-AI:main from Lidang-Jiang:fix/multi-api-auth-bypass
Apr 7, 2026

Conversation

@Lidang-Jiang (Contributor)

Summary

Fixes #659 — When serving multiple APIs via LitServer([api1, api2, ...]), only the first API's authorize() method is checked. Subsequent APIs with custom authorization are left unprotected.

Root cause

setup_auth() always uses self.lit_api (set to the first API at init), ignoring per-API auth methods:

def setup_auth(self):
    if hasattr(self.lit_api, "authorize") and callable(self.lit_api.authorize):
        return self.lit_api.authorize  # ← Always the FIRST API

Fix (3 lines changed)

  • setup_auth() now accepts an optional lit_api parameter
  • _register_api_endpoints() and _register_spec_endpoints() pass the specific lit_api
  • Internal endpoints (/, /health, /info) retain existing behavior

def setup_auth(self, lit_api=None):
    target = lit_api or self.lit_api
    if hasattr(target, "authorize") and callable(target.authorize):
        return target.authorize

Before (unmodified code — 3 new tests all FAIL)
FAILED tests/unit/test_auth.py::test_multi_api_second_api_auth_enforced - assert 200 == 401
FAILED tests/unit/test_auth.py::test_multi_api_mixed_auth - assert 200 == 401
FAILED tests/unit/test_auth.py::test_multi_api_both_with_different_auth - assert 200 == 401
============================== 3 failed in 4.40s ===============================

SecureAPI returns 200 without credentials — auth bypass confirmed.

After (with fix — all 7 tests PASS)
tests/unit/test_auth.py::test_authorized_custom PASSED                   [ 14%]
tests/unit/test_auth.py::test_not_authorized_custom PASSED               [ 28%]
tests/unit/test_auth.py::test_authorized_api_key PASSED                  [ 42%]
tests/unit/test_auth.py::test_not_authorized_api_key PASSED              [ 57%]
tests/unit/test_auth.py::test_multi_api_second_api_auth_enforced PASSED  [ 71%]
tests/unit/test_auth.py::test_multi_api_mixed_auth PASSED                [ 85%]
tests/unit/test_auth.py::test_multi_api_both_with_different_auth PASSED  [100%]

============================== 7 passed in 8.09s ===============================

Full suite: 76 passed, 3 skipped

Test plan

  • test_multi_api_second_api_auth_enforced — PublicAPI(no auth) + SecureAPI(auth) → second API properly protected
  • test_multi_api_mixed_auth — auth API first, open API second → each works independently
  • test_multi_api_both_with_different_auth — two APIs with different tokens → cross-token rejected
  • Existing auth tests still pass (4/4)
  • ruff check and pre-commit hooks pass

- setup_auth() now accepts optional lit_api parameter for per-endpoint auth
- Each API endpoint uses its own authorize() method instead of only the first API's
- Add tests for multi-API auth isolation with mixed and different auth methods

Fixes Lightning-AI#659

Signed-off-by: Lidang-Jiang <lidangjiang@gmail.com>
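To make the root cause concrete, here is an added example (not LitServe's own code) that models the route registration this PR describes: one predict route per API, with the authorizer resolved once at registration time. The `Server`, `handle`, `AuthError`, `PublicAPI` and `TokenAPI` names are assumptions made for this illustration; `setup_auth` and `authorize()` are the names the PR discusses. Switching `per_api_auth` reproduces the "first API only" behavior and the fixed behavior side by side, including the cross-token case from the third test.

```python
"""Model of the multi-API auth resolution bug beside its fix (added example,
not LitServe's code). Server/handle/AuthError/PublicAPI/TokenAPI are
illustrative names; setup_auth and authorize() mirror the PR."""
from typing import Callable, Optional


class AuthError(Exception):
    """Stands in for the HTTPException(status_code=401) a real authorize() raises."""

    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status = status


class PublicAPI:
    """An API with no authorize() method: open to everyone."""

    def __init__(self, name: str) -> None:
        self.name = name


class TokenAPI:
    """An API whose authorize() demands one fixed bearer token."""

    def __init__(self, name: str, token: str) -> None:
        self.name = name
        self.token = token

    def authorize(self, request: dict) -> None:
        if request.get("authorization") != f"Bearer {self.token}":
            raise AuthError(401, "unauthorized")


class Server:
    """Registers one predict route per API and resolves its authorizer once,
    at registration time, as the PR says _register_api_endpoints() does."""

    def __init__(self, apis: list, per_api_auth: bool) -> None:
        self.lit_api = apis[0]  # the "first API" the unpatched code keys off
        self.routes: dict = {}
        for api in apis:
            # Unpatched: setup_auth() with no argument -> always the first API's auth.
            # Patched: pass the API being registered so each route gets its own.
            auth = self.setup_auth(api) if per_api_auth else self.setup_auth()
            self.routes[f"/{api.name}/predict"] = (api, auth)

    def setup_auth(self, lit_api=None) -> Optional[Callable]:
        target = lit_api or self.lit_api  # fallback keeps internal routes on the first API
        if hasattr(target, "authorize") and callable(target.authorize):
            return target.authorize
        return None

    def handle(self, path: str, request: dict) -> int:
        """Return the HTTP status the route would answer with (constructed request dicts)."""
        api, auth = self.routes[path]
        if auth is not None:
            try:
                auth(request)
            except AuthError as exc:
                return exc.status
        return 200


def run_mixed(per_api_auth: bool) -> dict:
    """PublicAPI first, TokenAPI second: the second-API-unprotected scenario."""
    server = Server([PublicAPI("public"), TokenAPI("secure", "s3cret")], per_api_auth)
    return {
        "public_no_creds": server.handle("/public/predict", {}),
        "secure_no_creds": server.handle("/secure/predict", {}),
        "secure_good_token": server.handle("/secure/predict", {"authorization": "Bearer s3cret"}),
    }


def run_two_tokens(per_api_auth: bool) -> dict:
    """Two TokenAPIs with different tokens: the cross-token scenario."""
    server = Server([TokenAPI("a", "token-a"), TokenAPI("b", "token-b")], per_api_auth)
    return {
        "b_with_token_a": server.handle("/b/predict", {"authorization": "Bearer token-a"}),
        "b_with_token_b": server.handle("/b/predict", {"authorization": "Bearer token-b"}),
    }


if __name__ == "__main__":
    print("unpatched:", run_mixed(False), run_two_tokens(False))
    print("patched:  ", run_mixed(True), run_two_tokens(True))
```

Two things worth noticing when running it. In the unpatched two-token case the bug cuts both ways: token-a is accepted on `/b/predict` and token-b is rejected there, because the second route silently borrowed the first API's authorizer. And `lit_api or self.lit_api` is a truthiness fallback; it behaves as intended here, but `lit_api if lit_api is not None else self.lit_api` would be the safer spelling if an API object ever defined `__bool__` or `__len__`.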

codecov bot commented Apr 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85%. Comparing base (202f724) to head (3d2c437).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@         Coverage Diff         @@
##           main   #674   +/-   ##
===================================
- Coverage    85%    85%   -0%     
===================================
  Files        39     39           
  Lines      3278   3279    +1     
===================================
- Hits       2774   2773    -1     
- Misses      504    506    +2     

bhimrazy added 5 commits April 7, 2026 11:14
…I 403 vs 401 version difference

HTTPBearer() raises 403 on missing Authorization header in FastAPI 0.112 (oldest CI)
but 401 in newer versions. Sending a wrong token ensures authorize() itself raises
401 consistently across all supported FastAPI versions.
…data

- Replace NoAuthAPI with SimpleLitAPI (already defined in the same file)
- Inline json payload dicts directly in client.post() calls
- Remove shadowing of Python builtin `input` variable
…itAPI class

Collapse two identical auth API classes into one parameterized TokenAuthedLitAPI
that inherits SimpleLitAPI and accepts a token argument.
@bhimrazy (Collaborator) left a comment

Thanks @Lidang-Jiang for the fixes.

I also added a minor improvement.

@bhimrazy bhimrazy merged commit 31024b8 into Lightning-AI:main Apr 7, 2026
28 checks passed

Development

Successfully merging this pull request may close these issues.

[SECURITY] Authentication bypass in multi-API deployments

3 participants