From 0de67ad604c88eb73526e4e15b6bd534a03678a9 Mon Sep 17 00:00:00 2001 From: ygd58 Date: Wed, 17 Jun 2026 11:13:31 +0200 Subject: [PATCH] fix(gateway): validate user authorization before auto-resume Auto-resume of restart-interrupted sessions bypassed auth checks. The session owner was never validated against TELEGRAM_ALLOWED_USERS (or equivalent) before the synthetic resume event was dispatched. An attacker with an active session before the allowlist was configured could receive a full agent response on gateway restart (issue #23778). Clean rebase of #23800 onto current main (egilewski flagged a merge conflict in gateway/run.py on the old branch). Fix: check _is_user_authorized() for the session owner before scheduling auto-resume. Unauthorized sessions are skipped with a warning log instead of silently resuming. Fixes #23778 (partial - auto-resume auth bypass) --- gateway/run.py | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/gateway/run.py b/gateway/run.py index 06e1e411e..8eb484c8a 100644 --- a/gateway/run.py +++ b/gateway/run.py @@ -6068,6 +6068,27 @@ class GatewayRunner(GatewayAuthorizationMixin, GatewayKanbanWatchersMixin, Gatew ) continue + # Validate the session owner against the current allowlist + # before auto-resuming. A session created before + # TELEGRAM_ALLOWED_USERS (or equivalent) was configured, or + # before the owner was removed from it, must not silently + # receive a full agent response on gateway restart just + # because it has a resume-pending marker (issue #23778). + try: + if not self._is_user_authorized(source): + logger.warning( + "Skipping auto-resume for %s: session owner is no " + "longer authorized under the current allowlist", + entry.session_key, + ) + continue + except Exception as exc: + logger.warning( + "Skipping auto-resume for %s: authorization check failed: %s", + entry.session_key, exc, + ) + continue + # Claim the session slot *before* spawning the task so that an # inbound message arriving between task creation and the task's # first await (where _process_message_background sets the real