Add ADMIN_TOKEN for admin endpoints and allow token-based auth

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 23:28:19 +00:00
parent d20eef76ad
commit 2081092ce8
2 changed files with 16 additions and 2 deletions
--- a/app/routers/runs.py
+++ b/app/routers/runs.py
@@ -895,10 +895,23 @@ async def publish_run(

@router.delete("/admin/purge-failed")
 async def purge_failed_runs(
-    ctx: UserContext = Depends(require_auth),
+    request: Request,
+    ctx: UserContext = Depends(get_current_user),
 ):
-    """Delete all failed runs from pending_runs table."""
+    """Delete all failed runs from pending_runs table.
+
+    Requires authentication OR admin token in X-Admin-Token header.
+    """
    import database
+    import os
+
+    # Check for admin token
+    admin_token = os.environ.get("ADMIN_TOKEN")
+    request_token = request.headers.get("X-Admin-Token")
+
+    # Require either valid auth or admin token
+    if not ctx and (not admin_token or request_token != admin_token):
+        raise HTTPException(401, "Authentication required")

    # Get all failed runs
    failed_runs = await database.list_pending_runs(status="failed")
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -50,6 +50,7 @@ services:
    environment:
      - REDIS_URL=redis://redis:6379/5
      - DATABASE_URL=postgresql://artdag:artdag@postgres:5432/artdag
+      - ADMIN_TOKEN=artdag-admin-purge-token-2026
      # IPFS_API multiaddr - used for all IPFS operations (add, cat, pin)
      - IPFS_API=/dns/ipfs/tcp/5001
      - CACHE_DIR=/data/cache