Remove tokens from history items #8889

Merged
comfyanonymous merged 1 commit into Comfy-Org:master from christian-byrne:remove-auth-tokens-from-history
Jul 13, 2025

@christian-byrne
Contributor

Remove auth_token_comfy_org and api_key_comfy_org from extra_data before storing prompt history, in case history items are ever persisted to disk in the future and to protect users with an open network.

Remove auth_token_comfy_org and api_key_comfy_org from extra_data before
storing prompt history to prevent sensitive authentication tokens from
being persisted in the history endpoint response.
@christian-byrne
Contributor Author

Test Process:

  1. Ran API node workflow with Firebase login
  2. Ran API node workflow with API key login
  3. Refreshed page and ensured login persisted
  4. Switched between Stability AI and BFL API nodes and ensured they still worked
  5. For all of the above, checked history response objects and ensured fields were correctly removed
remove-auth-token-from-history.mp4

@comfyanonymous comfyanonymous merged commit 480375f into Comfy-Org:master Jul 13, 2025
6 checks passed
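
The change discussed in this pull request, sketched as an added example (not code from the PR or from ComfyUI): credentials are dropped from a copy of `extra_data` when a history entry is written, and a recursive check confirms that nothing in the history response still carries them. Only the two key names come from the PR; `HistoryStore`, `redact`, `find_leaks`, `demo` and the sample data are hypothetical.

```python
import copy

# Key names come from the pull request text; everything else here is assumed.
SENSITIVE_KEYS = frozenset({"auth_token_comfy_org", "api_key_comfy_org"})


def redact(extra_data):
    """Return a new dict without the credential keys; the caller's dict is untouched."""
    return {k: v for k, v in extra_data.items() if k not in SENSITIVE_KEYS}


class HistoryStore:  # hypothetical in-memory history keyed by prompt id
    def __init__(self):
        self._items = {}

    def record(self, prompt_id, prompt, extra_data, outputs):
        # Redact at write time so no later reader of the store can see the tokens.
        self._items[prompt_id] = copy.deepcopy(
            {"prompt": prompt, "extra_data": redact(extra_data), "outputs": outputs})

    def get_history(self):
        return copy.deepcopy(self._items)


def find_leaks(obj, path="$"):
    """Return the paths of sensitive keys found at any depth of a response object."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                hits.append(child)
            hits.extend(find_leaks(value, child))
    elif isinstance(obj, (list, tuple)):
        for i, value in enumerate(obj):
            hits.extend(find_leaks(value, f"{path}[{i}]"))
    return hits


def demo():
    # Constructed sample data; the credential values are placeholders.
    extra_data = {"client_id": "abc", "auth_token_comfy_org": "PLACEHOLDER_TOKEN",
                  "api_key_comfy_org": "PLACEHOLDER_KEY",
                  "extra_pnginfo": {"workflow": {"nodes": []}}}
    store = HistoryStore()
    store.record("p1", {"1": {"class_type": "ExampleApiNode"}}, extra_data, {})
    return extra_data, store.get_history()
```

The live `extra_data` keeps its credentials for the running request, while the stored copy does not; `find_leaks` can be pointed at any decoded history response as a regression check.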
Vander-Bilt pushed a commit to Vander-Bilt/ComfyUI that referenced this pull request Aug 26, 2025
toxicwind pushed a commit to toxicwind/ComfyUI that referenced this pull request Oct 12, 2025
adlerfaulkner pushed a commit to LucaLabsInc/ComfyUI that referenced this pull request Oct 16, 2025
zhaog100 added a commit to zhaog100/ComfyUI that referenced this pull request Mar 21, 2026
Sanitize history items returned by get_history() to strip
auth_token_comfy_org and api_key_comfy_org from prompt inputs.
This prevents tokens from being exposed if history is ever
persisted to disk or accessed over open networks.

Closes Comfy-Org#8889