lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update tasks documentation

Browse Source 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Lukas
2026-04-26 15:12:54 +02:00
parent 57eacf39ba
commit 46fa7c78bc
1 changed files with 0 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
Docs/Tasks.md
View File

@@ -1,40 +1,3 @@
## TASK-026 — OpenAPI docs (`/docs`, `/redoc`) exposed without authentication in production
**Severity:** Medium
### Where found
`backend/app/main.py``FastAPI(title="BanGUI", ...)` with no `docs_url`, `redoc_url`, or `openapi_url` override.
### Why this is needed
FastAPI serves interactive API documentation at `/docs` (Swagger UI) and `/redoc` by default, accessible to any unauthenticated user. These pages expose every endpoint URL, all request and response schemas, and allow direct API invocation from the browser. An attacker can enumerate all available routes, understand input/output models, and attempt attacks without any prior knowledge of the API.
### Goal
Disable API docs in production, or protect them behind authentication.
### What to do
1. Add a `BANGUI_ENABLE_DOCS: bool = Field(default=False, ...)` setting to `Settings`.
2. In `create_app()`:
```python
docs_url = "/api/docs" if resolved_settings.enable_docs else None
redoc_url = "/api/redoc" if resolved_settings.enable_docs else None
openapi_url = "/api/openapi.json" if resolved_settings.enable_docs else None
app = FastAPI(..., docs_url=docs_url, redoc_url=redoc_url, openapi_url=openapi_url)
```
3. In `compose.debug.yml`, set `BANGUI_ENABLE_DOCS: "true"`.
4. Production (`compose.prod.yml`) leaves `BANGUI_ENABLE_DOCS` unset (defaults to `false`).
### Possible traps and issues
- The `SetupRedirectMiddleware` must allow `/api/docs` and `/api/openapi.json` in `_ALWAYS_ALLOWED` (or behind auth — a protected docs endpoint requires a custom Starlette route with `require_auth`).
- If you want protected docs (only accessible when logged in), use a custom route that returns the Swagger HTML after `require_auth`.
### Docs changes needed
- `Backend-Development.md` — document the `BANGUI_ENABLE_DOCS` flag.
### Doc references
- [Backend-Development.md](Backend-Development.md) — configuration options
---
## TASK-027 — Debug compose hardcodes a publicly known weak session secret ## TASK-027 — Debug compose hardcodes a publicly known weak session secret
**Severity:** Medium **Severity:** Medium