From 0745aefdb95d5a1095a7e2b90463c8f16ad359c5 Mon Sep 17 00:00:00 2001
From: Erik
Date: Sat, 25 Apr 2026 20:47:47 +0200
Subject: [PATCH] fix(auth): trust internal Docker/loopback connections in AuthMiddleware
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Same pattern we already use for /ws/live (host-side Discord bot bypass). Lets the new overlord-agent service call any tracker HTTP endpoint without forging a session cookie. Safe because port 8765 is bound to 127.0.0.1 in docker-compose.yml — only the host or other compose-network containers can reach it.
---
 main.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/main.py b/main.py
index 8f689f07..782ca955 100644
--- a/main.py
+++ b/main.py
@@ -1046,6 +1046,15 @@ class AuthMiddleware(BaseHTTPMiddleware):
         if path.startswith("/ws/live"):
             return await call_next(request)
 
+        # Trust internal connections (Docker network gateway + loopback). The
+        # tracker port (8765) is bound to 127.0.0.1 in docker-compose.yml and
+        # only the host or other compose-network containers can reach it.
+        # This lets host-side helpers (overlord-agent, discord-rare-monitor,
+        # etc.) call any endpoint without forging a session cookie.
+        client_host = request.client.host if request.client else ""
+        if client_host.startswith("172.") or client_host in ("127.0.0.1", "::1", "localhost"):
+            return await call_next(request)
+
         # Check session cookie
         token = request.cookies.get("session")
         if token:
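Review bot: The `client_host.startswith("172.")` test on the new `if` trusts all of 172.0.0.0/8 — any address beginning with "172.", not only the compose gateway — and together with the loopback entries it makes every endpoint unauthenticated for any request that reaches the tracker via a reverse proxy, port-forward or sidecar on the host or compose network, because the middleware then sees the proxy's address rather than the end user's. The check also becomes attacker-controlled if `request.client.host` is ever populated from `X-Forwarded-For` (uvicorn `--proxy-headers` / Starlette `ProxyHeadersMiddleware`), which the hunk does not let me confirm either way; and the `"localhost"` entry is dead, since the peer address is always an IP literal. Prefer parsing the peer with `ipaddress` and matching loopback plus the compose network's actual subnet, held in a module-level constant (name and subnet below are proposals/placeholders, take the real subnet from `docker network inspect`), with `import ipaddress` added to main.py's import block. The remainder of `AuthMiddleware.dispatch` lies outside the hunk.

```python
        client_host = request.client.host if request.client else ""
        try:
            client_ip = ipaddress.ip_address(client_host)
        except ValueError:
            client_ip = None  # no peer address or not an IP literal: fall through to cookie auth
        # TRUSTED_INTERNAL_NETWORKS (proposed module-level constant), e.g.
        # (ipaddress.ip_network("<COMPOSE_SUBNET_PLACEHOLDER>"),)
        if client_ip is not None and (
            client_ip.is_loopback
            or any(client_ip in net for net in TRUSTED_INTERNAL_NETWORKS)
        ):
            return await call_next(request)
        # … unchanged: session cookie check …
```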