python · backpropagateCritical
backpropagate: --auth flag does not enforce authentication (fixed in v1.2.0)
In backpropagate >= 1.1.0, the --auth flag claims to require HTTP Basic authentication, but the Reflex backend never reads the BACKPROPAGATE_UI_AUTH environment
What changed
In backpropagate >= 1.1.0, the --auth flag claims to require HTTP Basic authentication, but the Reflex backend never reads the BACKPROPAGATE_UI_AUTH environment variable, leaving the UI completely unauthenticated. Fixed in v1.2.0 with real ASGI middleware.
Who it affects
All users of backpropagate >= 1.1.0 who use the Reflex web UI, especially those who pass --auth or --share flags.
What to do today
Upgrade to v1.2.0 immediately via pip install --upgrade backpropagate or npm install -g @mcptoolshop/backpropagate@latest. If unable to upgrade, do not use --auth or --share; use SSH port-forwarding instead.
The trail
Collected→
Audited→
Written→
Published