docs(api): mark SystemFeatureApi as unauthenticated by design (#31417)

The `/console/api/system-features` is required for the dashboard initialization. Authentication would create circular dependency (can't login without dashboard loading). ref: CVE-2025-63387 Related: #31368
2026-03-21 02:20:08 +08:00 · 2026-01-22 22:33:59 +08:00 · 2026-01-22 22:33:59 +08:00 · 61f8647f37
commit 61f8647f37
parent 356a156f36
1 changed files with 9 additions and 1 deletions
--- a/api/controllers/console/feature.py
+++ b/api/controllers/console/feature.py
@ -39,5 +39,13 @@ class SystemFeatureApi(Resource):
        ),
    )
    def get(self):
-        """Get system-wide feature configuration"""
+        """Get system-wide feature configuration
+
+        NOTE: This endpoint is unauthenticated by design, as it provides system features
+        data required for dashboard initialization.
+
+        Authentication would create circular dependency (can't login without dashboard loading).
+
+        Only non-sensitive configuration data should be returned by this endpoint.
+        """
        return FeatureService.get_system_features().model_dump()