From 370fe6b50181ac7832fc4b6d58257464102d7857 Mon Sep 17 00:00:00 2001
From: Strahil Peykov <strahil.peykov@gmail.com>
Date: Mon, 1 Jun 2026 16:08:01 +0200
Subject: [PATCH] Warn when localhost auth bypass is enabled

---
 app.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app.py b/app.py
index 7fa69b1..1314d58 100644
--- a/app.py
+++ b/app.py
@@ -134,6 +134,8 @@ auth_manager = AuthManager()
 app.state.auth_manager = auth_manager
 AUTH_ENABLED = os.getenv("AUTH_ENABLED", "true").lower() != "false"
 LOCALHOST_BYPASS = os.getenv("LOCALHOST_BYPASS", "false").lower() == "true"
+if LOCALHOST_BYPASS:
+    logger.warning("LOCALHOST_BYPASS is enabled, loopback requests bypass authentication. Do not expose this instance to a network.")
 
 if AUTH_ENABLED:
     AUTH_EXEMPT_EXACT = {