Skip to content

fix(server): optional local auth for destructive HTTP endpoints#429

Merged
Alan-TheGentleman merged 1 commit into
mainfrom
fix/optional-http-auth-destructive
May 27, 2026
Merged

fix(server): optional local auth for destructive HTTP endpoints#429
Alan-TheGentleman merged 1 commit into
mainfrom
fix/optional-http-auth-destructive

Conversation

@Alan-TheGentleman
Copy link
Copy Markdown
Collaborator

@Alan-TheGentleman Alan-TheGentleman commented May 27, 2026

Summary

  • Adds optional Bearer-token auth for destructive and sensitive HTTP endpoints via the ENGRAM_HTTP_TOKEN env var.
  • When unset (default), all existing behavior is unchanged — zero-config preserved.
  • When set, DELETE /sessions/{id}, DELETE /observations/{id}, DELETE /prompts/{id}, GET /export, POST /import, and POST /projects/migrate require Authorization: Bearer <token>; read endpoints are never gated.
  • Constant-time comparison (hmac.Equal) prevents timing attacks; stdlib only, no new dependencies. The token is read at request time, so changes take effect without a restart.

Configuration

export ENGRAM_HTTP_TOKEN="$(openssl rand -hex 32)"
engram serve

Clients then pass Authorization: Bearer <token> for any destructive or export/import operation.

Test plan

  • TestOptionalAuth_NoToken, _WithToken_NoCredential, _WithToken_WrongCredential, _WithToken_CorrectCredential, _ReadEndpointsUnaffected, _TokenReadFromEnvAtRequestTime
  • go test ./... && go vet ./... && go build ./... clean

Closes #200

@Alan-TheGentleman
security(server): add optional local auth for destructive HTTP endpoints
edf4545 
When ENGRAM_HTTP_TOKEN is set, DELETE /sessions/{id},
DELETE /observations/{id}, DELETE /prompts/{id}, GET /export,
POST /import, and POST /projects/migrate require a matching
Authorization: Bearer <token> header. Comparison is constant-time
via hmac.Equal to prevent timing attacks. When the env var is unset
behaviour is unchanged — zero-config is fully preserved.

Closes #200
Copilot AI review requested due to automatic review settings May 27, 2026 15:12
@Alan-TheGentleman Alan-TheGentleman added the type:bug Bug fix label May 27, 2026
@Alan-TheGentleman Alan-TheGentleman merged commit 6868287 into main May 27, 2026
8 of 9 checks passed
@Alan-TheGentleman Alan-TheGentleman deleted the fix/optional-http-auth-destructive branch May 27, 2026 15:13
@Alan-TheGentleman Alan-TheGentleman review requested due to automatic review settings May 27, 2026 15:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

type:bug Bug fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

security(http-api): add optional local auth for export, import, and destructive endpoints

1 participant

@Alan-TheGentleman