Timmy_Foundation/hermes-agent
15
0
Fork 0
Code Issues 288 Pull Requests 93 Actions 5 Packages Projects Releases Wiki Activity
Files
4e78963fe86a5f2758bf754a7979dc31aaf1a3db
hermes-agent/gateway/platforms
History
coffee a04854800f fix(security): require auth for session continuation and warn on missing API key 
Two security hardening changes for the API server:

1. **Startup warning when no API key is configured.**
   When `API_SERVER_KEY` is not set, all endpoints accept unauthenticated
   requests.  This is the default configuration, but operators may not
   realize the security implications.  A prominent warning at startup
   makes the risk visible.

2. **Require authentication for session continuation.**
   The `X-Hermes-Session-Id` header allows callers to load and continue
   any session stored in state.db.  Without authentication, an attacker
   who can reach the API server (e.g. via CORS from a malicious page,
   or on a shared host) could enumerate session IDs and read conversation
   history — which may contain API keys, passwords, code, or other
   sensitive data shared with the agent.

   Session continuation now returns 403 when no API key is configured,
   with a clear error message explaining how to enable the feature.
   When a key IS configured, the existing Bearer token check already
   gates access.

This is defense-in-depth: the API server is intended for local use,
but defense against cross-origin and shared-host attacks is important
since the default binding is 127.0.0.1 which is reachable from
browsers via DNS rebinding or localhost CORS.
2026-04-10 02:58:21 -07:00
..
__init__.py
Enhance CLI with multi-platform messaging integration and configuration management
2026-02-02 19:01:51 -08:00
ADDING_A_PLATFORM.md
docs: finish cron terminology cleanup
2026-03-14 19:20:58 -07:00
api_server.py
fix(security): require auth for session continuation and warn on missing API key
2026-04-10 02:58:21 -07:00
base.py
fix: add SOCKS proxy support, DISCORD_PROXY env var, and send_message proxy coverage
2026-04-09 14:19:06 -07:00
bluebubbles.py
feat(gateway): add BlueBubbles iMessage platform adapter (#6437)
2026-04-08 23:54:03 -07:00
dingtalk.py
fix(dingtalk): requirements check passes with only one credential set
2026-03-17 03:50:45 -07:00
discord.py
fix(gateway): bypass text batching when delay is 0 (#6996)
2026-04-09 23:59:20 -07:00
email.py
fix(email): close SMTP and IMAP connections on failure (#3804)
2026-03-29 15:38:32 -07:00
feishu.py
fix(feishu): add adaptive batch delay for split long messages
2026-04-09 23:25:27 -07:00
homeassistant.py
fix(gateway): add request timeouts to HA, Email, Mattermost, SMS adapters (#3258)
2026-03-26 14:36:07 -07:00
matrix.py
fix(gateway): bypass text batching when delay is 0 (#6996)
2026-04-09 23:59:20 -07:00
mattermost.py
fix(security): consolidated security hardening — SSRF, timing attack, tar traversal, credential leakage (#5944)
2026-04-07 17:28:37 -07:00
signal.py
fix: Signal duplicate replies with streaming + per-platform tool_progress (#6348)
2026-04-08 17:39:45 -07:00
slack.py
fix(slack): add rate-limit retry and TTL cache to thread context fetching
2026-04-09 14:07:32 -07:00
sms.py
fix: store asyncio task references to prevent GC mid-execution (#3267)
2026-03-26 14:36:24 -07:00
telegram_network.py
feat(gateway): unified proxy support for Discord and Telegram with macOS auto-detection
2026-04-09 14:19:06 -07:00
telegram.py
fix(telegram): adaptive batch delay for split long messages
2026-04-09 23:25:27 -07:00
webhook.py
fix(gateway/webhook): don't pop delivery_info on send
2026-04-07 17:27:09 -07:00
wecom.py
fix(gateway): bypass text batching when delay is 0 (#6996)
2026-04-09 23:59:20 -07:00
whatsapp.py
refactor: codebase-wide lint cleanup — unused imports, dead code, and inefficient patterns (#5821)
2026-04-07 10:25:31 -07:00