From 1058f2418b57c0bb9684d36c7c429506c46f105f Mon Sep 17 00:00:00 2001
From: alpha nerd
Date: Fri, 10 Apr 2026 17:40:44 +0200
Subject: [PATCH] fix: security, exempt files to prevent path traversal
---
 router.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/router.py b/router.py
index e780a56..395394e 100644
--- a/router.py
+++ b/router.py
@@ -373,7 +373,11 @@ async def enforce_router_api_key(request: Request, call_next):
         return await call_next(request)
     path = request.url.path
-    if path.startswith("/static") or path in {"/", "/favicon.ico"}:
+    # Allow static assets (CSS, JS, images, fonts) but NOT HTML pages,
+    # which would bypass auth by accessing /static/index.html directly.
+    _STATIC_ASSET_EXTS = {".css", ".js", ".ico", ".png", ".jpg", ".jpeg", ".svg", ".woff", ".woff2", ".ttf", ".map"}
+    is_static_asset = path.startswith("/static") and Path(path).suffix.lower() in _STATIC_ASSET_EXTS
+    if is_static_asset or path in {"/", "/favicon.ico"}:
         return await call_next(request)
     provided_key = _extract_router_api_key(request)
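Review bot: The new `is_static_asset` line keeps the bare `path.startswith("/static")` prefix test, so any route whose path merely begins with `/static` (say `/static-admin/x.js` or `/statics/...`) is still exempted from the API-key check as long as the URL ends in an allowed extension; anchoring on the mount boundary, `is_static_asset = path.startswith("/static/") and Path(path).suffix.lower() in _STATIC_ASSET_EXTS`, closes that. The extension check also keys off the URL string rather than the resource actually served, so it only holds if the `/static` handler is a plain file server that returns nothing but files with those suffixes; that is worth stating in the comment, e.g. `# NOTE: the suffix allowlist only gates the URL; it relies on /static being a plain file mount with no HTML fallback.` `_STATIC_ASSET_EXTS` is rebuilt on every request and is named like a constant, so moving it to module scope as a `frozenset` is cheaper and matches its name (this assumes `Path` is already imported at module top, which the hunk does not show). The commit subject says "path traversal", but what the hunk fixes is an auth bypass via unauthenticated `/static/*.html`, and a suffix allowlist does nothing for traversal, so retitling would keep the history honest. `enforce_router_api_key` begins before and continues after this hunk.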