
Allow internal endpoints from remote addresses; warn on unsecured non-loopback bind #2100

Draft: jeremyfowers wants to merge 1 commit into main from claude/internal-endpoints-remote-access


@jeremyfowers jeremyfowers commented Jun 4, 2026

Summary

/internal/* endpoints returned 403 for any non-localhost request, breaking the many-clients-one-server topology (a desktop app/CLI on another machine can't manage a shared lemond) and blocking remote clients from /internal/cloud/discover in #1785.

This lifts the loopback restriction and relies on the existing admin-key gating (LEMONADE_ADMIN_API_KEY, which defaults to LEMONADE_API_KEY). Since an unsecured non-loopback bind now exposes the control endpoints to the network, lemond logs a startup warning (re-checked on host rebind) when bound to a non-loopback host with no key set:

[Warn] (Server) Serving on non-loopback host '0.0.0.0' without an API key. All endpoints, including the /internal/* control endpoints, are reachable from other machines unauthenticated. Set LEMONADE_API_KEY or LEMONADE_ADMIN_API_KEY to secure this server.

Docs updated to match.

Testing

Verified manually on a 0.0.0.0 bind via the machine's LAN IP (non-loopback remote_addr):

  • No keys: GET /internal/config → 200 (was 403); startup warning logged
  • Admin key set: no/wrong key → 401, correct key → 200; no warning

Existing test/server_env_vars.py admin-key tests are unaffected. No automated test for the remote-address path — it needs a routable interface, which is flaky in CI.

🤖 Generated with Claude Code

…-loopback bind

The /internal/* endpoints (shutdown, set, config, cleanup-cache) were
hard-restricted to loopback, which breaks the many-clients-one-server
topology: a desktop app, tray, or CLI on another machine could not manage
a shared lemond. This also blocks remote clients from the upcoming
client-driven cloud discovery endpoint (#1785).

Lift the loopback restriction and rely on the existing admin-key gating
(LEMONADE_ADMIN_API_KEY, which defaults to LEMONADE_API_KEY) for access
control. Since an unsecured non-loopback bind now exposes the control
endpoints to the network, lemond logs a startup warning (and again on
host rebind via /internal/set) when bound to a non-loopback host with no
API key set, advising the operator to set one. Docs updated to match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jeremyfowers jeremyfowers added this to the Lemonade v10.7 milestone Jun 5, 2026
@github-actions github-actions Bot added area::api HTTP REST API surface and route handlers enhancement New feature or request labels Jun 6, 2026
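
The policy described in this pull request, sketched as an added example (not code from the PR or from the Lemonade project): the startup warning decision and the admin-key gate that replaces the loopback check. The function names are hypothetical, treating an empty variable as unset is an assumption, and how a client presents its key is left to the caller.

```python
import hmac
import ipaddress

def is_loopback_host(host):
    """True only if a bind to `host` cannot receive traffic from other machines."""
    h = host.strip().strip("[]").lower()
    if h == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False  # other hostnames: assume routable so the check errs toward warning
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 is still loopback
    return (mapped if mapped is not None else ip).is_loopback

def admin_key(env):
    """LEMONADE_ADMIN_API_KEY, falling back to LEMONADE_API_KEY (empty = unset, assumption)."""
    return env.get("LEMONADE_ADMIN_API_KEY") or env.get("LEMONADE_API_KEY") or None

def startup_warning(host, env):
    """Warning text for a non-loopback bind with no key set, else None."""
    if is_loopback_host(host) or admin_key(env):
        return None
    return (f"Serving on non-loopback host '{host}' without an API key. "
            "Set LEMONADE_API_KEY or LEMONADE_ADMIN_API_KEY to secure this server.")

def internal_status(presented_key, env):
    """HTTP status for an /internal/* request; the remote address is not consulted."""
    expected = admin_key(env)
    if expected is None:
        return 200  # unsecured server: open to every client that can reach it
    # Constant-time comparison so response timing does not leak key prefixes.
    if presented_key and hmac.compare_digest(presented_key.encode(), expected.encode()):
        return 200
    return 401

if __name__ == "__main__":
    # Constructed bind hosts, checked with no key configured.
    for host in ("127.0.0.1", "::1", "0.0.0.0", "::", "192.168.1.20"):
        print(host, "->", startup_warning(host, {}) or "no warning")
```
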