fix: require admin auth for memory clear#4883
Conversation
github-actions
Bot
added
the
BCOS-L1
lavishsaluja
left a comment
lavishsaluja
left a comment
There was a problem hiding this comment.
Approved current head e9587fa62fe7ba05f0757500c73f661ad98242e4.
This is the focused fix for #4880. Unlike the earlier copied-subtree attempts, this patches the live bounties/issue-2285/src/memory_routes.py module named in the issue. DELETE /api/memory/clear now fails closed when MEMORY_ADMIN_KEY is unset and requires a matching X-Admin-Key or X-API-Key before calling engine.store.clear_agent_memory(agent_id). The updated route tests cover valid admin access, missing/wrong keys, and the unconfigured-key fail-closed path.
Validation performed locally:
python -m pytest bounties/issue-2285/tests/test_memory_routes.py -q-> 32 passed, 13 subtests passedpython -m py_compile bounties/issue-2285/src/memory_routes.py bounties/issue-2285/tests/test_memory_routes.py-> passedgit diff --check origin/main...codex-review-pr-4883-> passedpython tools/bcos_spdx_check.py --base-ref origin/main-> OK
No blocking findings in this diff.
Code Review: Require admin auth for memory clearSummaryAdds Positive ✅
NoteI also submitted PR #4882 for the same issue (bug #4880). Both PRs implement the same fix. This PR (#4883) is essentially identical in approach. Either one works — recommend merging whichever was first or has better test coverage. LGTM ✅ Same fix as #4882. |
|
Clarification: PR #4883 patches the live file named in #4880: The earlier PR #4882 at head |
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great contribution! LGTM.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Great contribution! LGTM.
loganoe
left a comment
loganoe
left a comment
There was a problem hiding this comment.
Approved. This applies the default-deny admin-key check to the correct bounties/issue-2285/src/memory_routes.py clear endpoint, accepts X-Admin-Key/X-API-Key, and preserves existing memory behavior for authorized callers.
Validation performed:
git diff --check origin/main...HEADpython3 -m py_compile bounties/issue-2285/src/memory_routes.py bounties/issue-2285/tests/test_memory_routes.pyPYTEST_DISABLE_PLUGIN_AUTOLOAD=1 /tmp/rustchain-flask-venv/bin/python -m pytest -q bounties/issue-2285/tests/test_memory_routes.py-> 32 passed, 13 subtests passed
508704820
left a comment
508704820
left a comment
There was a problem hiding this comment.
Code Review: Require Admin Auth for Memory Clear
Summary
Adds _require_admin() to memory API /clear endpoint with default-deny pattern: when MEMORY_ADMIN_KEY is not configured, returns 401.
What Works Well
- Default-deny: Correct security posture
- hmac.compare_digest: Constant-time comparison
- Consistent with #4882: Same correct pattern
Verdict: Approve
Correct implementation following the default-deny pattern established in #4882.
5 participants
Summary
X-Admin-KeyorX-API-Keywhen it matchesMEMORY_ADMIN_KEYFixes #4880
/claim #4880
Wallet:
RTC253255d034065a839cd421811ec589ae5b694ffcValidation
python -m pytest bounties\issue-2285\tests\test_memory_routes.py -q-> 32 passedpython -m py_compile bounties\issue-2285\src\memory_routes.py bounties\issue-2285\tests\test_memory_routes.py-> passedgit diff --check-> passedpython tools\bcos_spdx_check.py --base-ref origin/main-> OK