fix(api): restrict MQTT sample endpoint to admins and disallow wildcard topics by Micsi · Pull Request #56 · Micsi/openbridgeserver

Micsi · 2026-05-18T06:37:52Z

The GET /instances/{instance_id}/mqtt/sample endpoint previously allowed any authenticated user to subscribe with server-side adapter credentials to an arbitrary topic, which could disclose sensitive broker payloads.
Wildcard topics and empty topics increase the risk of broad or unintended data disclosure when the server subscribes on behalf of callers.

Require admin-level authorization for the sampling endpoint by switching the dependency from get_current_user to get_admin_user in obs/api/v1/adapters.py for mqtt_sample_payload to prevent low-privileged API keys from invoking it.
Add topic validation in obs/api/v1/adapters.py to strip() the topic, reject empty topics, and return HTTP 400 if the topic contains MQTT wildcard characters # or +.
Preserve existing behavior and timeout handling for single-topic sampling and error handling when aiomqtt is unavailable or the MQTT connection fails.

Ran python -m compileall obs/api/v1/adapters.py and the module compiled successfully with no syntax errors.

fix(api): restrict mqtt sample endpoint and block wildcard topics

a8f2a5b

Micsi added aardvark codex labels May 18, 2026 — with ChatGPT Codex Connector

Micsi added aardvark Berechtigungen labels May 18, 2026

Provide feedback