From 2e5c591f9d0f82e10615a55398a652ebf7559253 Mon Sep 17 00:00:00 2001 From: FailSafe Researcher Date: Tue, 9 Jun 2026 20:22:38 -0700 Subject: [PATCH] fix: add API key auth gate on all mutating routes via before_request Signed-off-by: FailSafe Researcher --- python_a2a/server/a2a_server.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/python_a2a/server/a2a_server.py b/python_a2a/server/a2a_server.py index 5bf772b..898cfbd 100644 --- a/python_a2a/server/a2a_server.py +++ b/python_a2a/server/a2a_server.py @@ -1,3 +1,4 @@ +import os """ Enhanced A2A server with protocol support. """ @@ -342,6 +343,21 @@ def handle_task(self, task): def setup_routes(self, app): """Setup Flask routes for A2A endpoints""" # Root endpoint for both GET and POST + @app.before_request + def check_auth(): + """Require API key on all mutating routes.""" + api_key = os.environ.get("A2A_API_KEY", "") + if not api_key: + return # No key configured = open access (dev mode) + if request.method in ("POST", "PUT", "DELETE", "PATCH"): + auth_header = request.headers.get("Authorization", "") + if auth_header.startswith("Bearer "): + token = auth_header[7:] + else: + token = auth_header + if token != api_key: + return jsonify({"error": "Unauthorized"}), 401 + @app.route("/", methods=["GET"]) def a2a_root_get(): """Root endpoint for A2A (GET), redirects to agent card"""