fastapi-azure-auth

Pass

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: SAFE
Categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Potential SQL Injection surface detected in the database role lookup logic.
      • Evidence: In app/utils/auth.py, the get_user_role function uses string interpolation within a SQL query template: SELECT role FROM dim.user_roles WHERE email = {email}.
      • Context: While the sql(t"...") syntax implies a helper that may handle parameterization, the email variable can be directly influenced by the X-Test-User request header when TEST_MODE is enabled.
  • [CREDENTIALS_UNSAFE]: Use of an insecure default fallback for the session secret key.
      • Evidence: In app/auth/setup.py, the SessionMiddleware is initialized with a hardcoded fallback: secret_key=os.getenv("API_COOKIE_SECRET", "change-me-in-production").
  • [EXTERNAL_DOWNLOADS]: The skill facilitates authentication by connecting to Microsoft's well-known identity service.
      • Evidence: The MSAL application is configured to communicate with https://login.microsoftonline.com/ for OAuth2 flows.
  • [COMMAND_EXECUTION]: Authentication bypass mechanisms for development and testing environments.
      • Evidence: The get_user_email function in app/utils/auth.py contains logic to return a hardcoded email when DEV_MODE is active or a header-supplied email when TEST_MODE is active, effectively skipping the Entra ID verification.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 21, 2026, 10:27 AM