From 61f8647f374ed38003e5b34d213487c34b113d61 Mon Sep 17 00:00:00 2001
From: QuantumGhost
Date: Thu, 22 Jan 2026 22:33:59 +0800
Subject: [PATCH] docs(api): mark SystemFeatureApi as unauthenticated by design (#31417)

The `/console/api/system-features` is required for the dashboard initialization. Authentication would create circular dependency (can't login without dashboard loading). ref: CVE-2025-63387 Related: #31368
---
 api/controllers/console/feature.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/api/controllers/console/feature.py b/api/controllers/console/feature.py
index 6951c906e9..d171c189ea 100644
--- a/api/controllers/console/feature.py
+++ b/api/controllers/console/feature.py
@@ -39,5 +39,13 @@ class SystemFeatureApi(Resource):
 ),
 )
 def get(self):
- """Get system-wide feature configuration
+ """Get system-wide feature configuration
+
+ NOTE: This endpoint is unauthenticated by design, as it provides system features
+ data required for dashboard initialization.
+
+ Authentication would create circular dependency (can't login without dashboard loading).
+
+ Only non-sensitive configuration data should be returned by this endpoint.
+ """
 return FeatureService.get_system_features().model_dump()
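Review bot: The added docstring says "only non-sensitive configuration data should be returned", but the body on the last hunk line still serializes the whole model with `model_dump()` and nothing in this method enforces that invariant, so any field later added to the system-features model is exposed to unauthenticated callers. The filtering presumably lives in `FeatureService.get_system_features` or the model itself; the docstring should say where, e.g. `Any field added to the system-features model is returned here without authentication; keep secrets out of the model or exclude them explicitly at the source.` If the project wants the guarantee in code rather than prose, a narrower projection (for instance `model_dump(exclude=...)` or a dedicated public model) plus a test asserting the response keys against an allowlist would make the "non-sensitive" contract checkable. The `get` method's decorator begins before the hunk, so the route and any other decorators applied to it are not visible here.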