Add webhook endpoint authentication bypass and admin context unfiltered data access (#12956)

Co-authored-by: openhands <openhands@all-hands.dev>
2026-03-22 13:47:19 +08:00 · 2026-02-23 09:28:49 +00:00
parent 872f2b87f2
commit ddb809bc43
6 changed files with 617 additions and 3 deletions
--- a/enterprise/server/middleware.py
+++ b/enterprise/server/middleware.py
@@ -164,7 +164,6 @@ class SetAuthCookieMiddleware:
            '/oauth/device/authorize',
            '/oauth/device/token',
            '/api/v1/web-client/config',
-            '/api/v1/webhooks/secrets',
        )
        if path in ignore_paths:
            return False
@@ -175,6 +174,10 @@ class SetAuthCookieMiddleware:
        ):
            return False

+        # Webhooks access is controlled using separate API keys
+        if path.startswith('/api/v1/webhooks/'):
+            return False
+
        is_mcp = path.startswith('/mcp')
        is_api_route = path.startswith('/api')
        return is_api_route or is_mcp