"""Central deny-by-default policy for sensitive HTTP surfaces.""" from __future__ import annotations POLICY = "ewoooc_sensitive_http_access_policy_v1" # Entire blueprints that expose business data or operator actions. SESSION_REQUIRED_BLUEPRINTS = frozenset({ "auto_import", "category", "cicd", "crawler", "crawler_management", "vendor", }) # Mixed public/private blueprints use endpoint-level protection. SESSION_REQUIRED_ENDPOINTS = frozenset({ "alert.alert_status", "alert.test_alert", "code_review.api_history", "code_review.api_status", "code_review.dashboard", "misc.test_url", "openclaw_bot.set_webhook", "openclaw_bot.webhook_info", "sales.abc_analysis_detail", "system_public.get_logs_api", "system_public.settings", "system_public.show_logs", "system_public.system_settings_page", }) # Every anonymous GET must be intentional and small enough for public exposure. INTENTIONALLY_PUBLIC_ENDPOINTS = frozenset({ "bot_api.bot_api_status", "elephant_alpha.status", "misc.brand_assets", "system_public.favicon", "system_public.health_check", "system_public.prometheus_metrics", "system_public.webcrumbs_asset_proxy", "user_bp.get_password_reqs", }) def is_session_required(endpoint: str | None, blueprint: str | None) -> bool: return bool( blueprint in SESSION_REQUIRED_BLUEPRINTS or endpoint in SESSION_REQUIRED_ENDPOINTS ) def enforce_http_access_policy(): """Protect sensitive routes before their route function executes.""" from flask import request if not is_session_required(request.endpoint, request.blueprint): return None from auth import require_authenticated_request return require_authenticated_request() __all__ = [ "POLICY", "SESSION_REQUIRED_BLUEPRINTS", "SESSION_REQUIRED_ENDPOINTS", "INTENTIONALLY_PUBLIC_ENDPOINTS", "enforce_http_access_policy", "is_session_required", ]