
fix(frontend): pass publishableKey to ClerkProvider#2

Open: schniggie wants to merge 7 commits into BishopFox:main from schniggie:main


@schniggie

Required prop omitted, breaking Docker build via tsc type error.

Closes #1

@schniggie schniggie requested a review from a team as a code owner May 30, 2026 20:18
schniggie added 6 commits May 31, 2026 00:12
Pages were silently showing fake demo data when API returned empty results.
Now show proper empty states and real zeros. AgentDetail shows a proper
"not found" state instead of rendering a random mock endpoint.

get_current_user used Request type which FastAPI can't inject into WebSocket
handlers. Both Request and WebSocket inherit from HTTPConnection. Also adds
token query param fallback for WebSocket clients that can't set headers.

WebSocket connections can't send Authorization headers; token must be
passed as a query param. streamAttackLogs now accepts the token and
appends it as ?token= so the backend global auth dependency validates it.

… err=None

WebSocket routes can't send Authorization headers so the global Depends
causes 401. attack.py handles auth per-route (POST has Depends, WS uses
token query param). Also guard mcp_client against err=None from servers
that return {"error": null}.

…ty token

WebSocket connections can't reliably send auth tokens. The random IDs
issued by authenticated POST endpoints provide sufficient access control
(48-bit entropy, unguessable). Removes dead token-check code from both
attack_stream and scan_progress_ws.

MCPEngine was used for openai_compat endpoints, which always got 0 findings
because caps=False gates all attack phases. New OpenAIAttackEngine probes:
- GET /v1/models (model enumeration)
- System prompt extraction via chat completions injection
- Jailbreak payload testing
- Sensitive data probes (env vars, credentials, filesystem)

Routes openai_compat, gradio, streamlit, open_webui to the new engine.
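
The commit messages above describe one auth dependency serving both HTTP and WebSocket handlers, with a `?token=` fallback for WebSocket clients. The sketch below is an added example, not code from this pull request: it works on the raw ASGI scope that both connection types share, so it needs no framework. The names `extract_token` and `redact_query`, the sample scopes, the choice to accept the query token only on WebSocket handshakes, and the log redaction are all assumptions of this example.

```python
from urllib.parse import parse_qs

def _header(scope, name):
    """Return the first value of an ASGI header (names are lower-case bytes)."""
    for key, value in scope.get("headers", []):
        if key == name:
            return value.decode("latin-1")
    return None

def extract_token(scope):
    """Return (token, source) from an ASGI connection scope, or (None, None).

    HTTP and WebSocket scopes carry the same "headers" and "query_string"
    keys, which is why a dependency typed on their common base serves both.
    """
    if scope.get("type") not in ("http", "websocket"):
        return None, None
    auth = _header(scope, b"authorization")
    if auth:
        scheme, _, credential = auth.partition(" ")
        if scheme.lower() == "bearer" and credential.strip():
            return credential.strip(), "header"
        return None, None  # malformed header: reject, do not fall through
    # Assumption of this example: the query fallback is honoured only for
    # WebSocket handshakes, where the client cannot set the header.
    if scope["type"] == "websocket":
        query = scope.get("query_string", b"").decode("latin-1")
        values = parse_qs(query).get("token", [])
        if len(values) == 1 and values[0]:  # duplicates are ambiguous: reject
            return values[0], "query"
    return None, None

def redact_query(scope):
    """Query string for access logs with the token value masked."""
    pairs = scope.get("query_string", b"").decode("latin-1").split("&")
    return "&".join("token=[REDACTED]" if p.startswith("token=") else p for p in pairs)

# Constructed sample scopes (not captured traffic).
WS_SCOPE = {"type": "websocket", "headers": [], "query_string": b"run=abc&token=tok123"}
HTTP_HEADER = {"type": "http", "headers": [(b"authorization", b"Bearer tok123")], "query_string": b""}
HTTP_QUERY = {"type": "http", "headers": [], "query_string": b"token=tok123"}

if __name__ == "__main__":
    for s in (WS_SCOPE, HTTP_HEADER, HTTP_QUERY):
        print(s["type"], extract_token(s), redact_query(s))
```

A token carried in the URL is recorded wherever the request line is logged, which is why the example pairs the fallback with redaction.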
Development

Successfully merging this pull request may close these issues.

Clerk authentication breaks build when no API key is available

1 participant