Skip to content

fix(security): require internal API key for copilot training endpoints#4311

Merged
waleedlatif1 merged 1 commit intostagingfrom
waleedlatif1/fix-copilot-training-auth
Apr 27, 2026
Merged

fix(security): require internal API key for copilot training endpoints#4311
waleedlatif1 merged 1 commit intostagingfrom
waleedlatif1/fix-copilot-training-auth

Conversation

@waleedlatif1
Copy link
Copy Markdown
Collaborator

@waleedlatif1 waleedlatif1 commented Apr 27, 2026

Summary

  • /api/copilot/training and /api/copilot/training/examples previously accepted any authenticated session, letting any user inject arbitrary data into the global agent indexer
  • Both routes now require INTERNAL_API_SECRET via the x-api-key header (existing checkInternalApiKey helper) — no in-app callers exist, these are internal-only endpoints

Type of Change

  • Bug fix

Testing

Tested manually; typecheck clean

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 27, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Apr 27, 2026 9:17pm

Request Review

@cursor
Copy link
Copy Markdown

cursor Bot commented Apr 27, 2026
edited
Loading

PR Summary

Medium Risk
Tightens authentication for internal training ingestion endpoints; risk is moderate because it changes request authorization behavior and could break any existing callers that relied on session auth.

Overview
Prevents regular authenticated users from posting to Copilot training ingestion endpoints by switching /api/copilot/training and /api/copilot/training/examples from session-based auth to checkInternalApiKey (x-api-key / INTERNAL_API_SECRET).

Unauthorized requests now consistently return 401 via createUnauthorizedResponse, reducing the chance of untrusted data being forwarded to the agent indexer.

Reviewed by Cursor Bugbot for commit ff4a008. Configure here.

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented Apr 27, 2026

Greptile Summary

This PR hardens two internal-only copilot training endpoints (/api/copilot/training and /api/copilot/training/examples) by replacing session-based auth with checkInternalApiKey, which validates the x-api-key header against INTERNAL_API_SECRET using a constant-time comparison. The existing helper is reused correctly and the routes remain consistent with the rest of the internal API surface.

Confidence Score: 5/5

Safe to merge — minimal, targeted security hardening with no regressions.

Both routes now use the existing checkInternalApiKey helper which applies constant-time comparison and fails closed when the env var is absent. No in-app callers exist, the change is isolated, and no P1/P0 issues were found.

No files require special attention.

Important Files Changed

Filename Overview
apps/sim/app/api/copilot/training/route.ts Replaces session-only auth with checkInternalApiKey; logic is straightforward and correctly fails closed when INTERNAL_API_SECRET is unset.
apps/sim/app/api/copilot/training/examples/route.ts Same auth swap as sibling route; uses constant-time safeCompare via checkInternalApiKey, no issues found.

Reviews (1): Last reviewed commit: "fix(security): require internal API key ..." | Re-trigger Greptile

@waleedlatif1 waleedlatif1 merged commit 896a00a into staging Apr 27, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/fix-copilot-training-auth branch April 27, 2026 21:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@waleedlatif1