From 2663ae68903bc3aa2cfd38de1bbbd1245cabcc71 Mon Sep 17 00:00:00 2001 From: wuyangji <694410194@qq.com> Date: Thu, 14 May 2026 02:56:45 +0800 Subject: [PATCH] =?UTF-8?q?fix(app-server):=20=E4=BF=AE=E6=AD=A3=E6=9C=AC?= =?UTF-8?q?=E5=9C=B0=E7=9B=91=E5=90=AC=E5=91=8A=E8=AD=A6=E6=96=87=E6=A1=88?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/cortex-app-server/src/lib.rs | 37 ++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/src/cortex-app-server/src/lib.rs b/src/cortex-app-server/src/lib.rs index 8e7acdf88..406e0310e 100644 --- a/src/cortex-app-server/src/lib.rs +++ b/src/cortex-app-server/src/lib.rs @@ -57,10 +57,12 @@ pub async fn run_with_shutdown(config: ServerConfig, shutdown: F) -> anyhow:: where F: std::future::Future + Send + 'static, { + let addr: SocketAddr = config.listen_addr.parse()?; + // Warn if authentication is disabled if !config.auth.enabled { warn!("Server running without authentication!"); - warn!("Anyone on the network can access this server."); + warn!("{}", unauthenticated_access_warning(addr)); warn!("Use --auth to enable authentication."); } @@ -68,7 +70,6 @@ where let state_for_cleanup = Arc::clone(&state); let app = create_router_with_state(state); - let addr: SocketAddr = config.listen_addr.parse()?; info!("Starting Cortex server on {}", addr); // Start mDNS publisher if enabled @@ -121,6 +122,14 @@ where Ok(()) } +fn unauthenticated_access_warning(addr: SocketAddr) -> &'static str { + if addr.ip().is_loopback() { + "Only local processes can access this server." + } else { + "Anyone on the network can access this server." + } +} + /// Create the application router. pub fn create_router(state: AppState) -> Router { create_router_with_state(Arc::new(state)) 
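Review bot: The loopback branch of `unauthenticated_access_warning` (third hunk) logs "Only local processes can access this server.", which reads as a safety guarantee while authentication is off. Every local account and process on the host can still connect, and because the router is built with `CorsLayer::permissive()` (visible in the context of the last hunk), a web page loaded in a local browser can likely send cross-origin requests to the loopback port as well. Consider wording such as `"Any local user or process, including pages in a local browser, can access this server."` and updating the tests to match. The helper also has no doc comment; `/// Picks the exposure warning logged when auth is disabled, based only on whether the bind address is loopback.` would record what the decision rests on.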
@@ -143,3 +152,27 @@ pub fn create_router_with_state(state: Arc) -> Router { .layer(CorsLayer::permissive()) .with_state(state) } + +#[cfg(test)] +mod tests { + use super::unauthenticated_access_warning; + use std::net::SocketAddr; + + #[test] + fn loopback_bind_uses_local_only_warning() { + let addr: SocketAddr = "127.0.0.1:3000".parse().unwrap(); + assert_eq!( + unauthenticated_access_warning(addr), + "Only local processes can access this server." + ); + } + + #[test] + fn non_loopback_bind_uses_network_warning() { + let addr: SocketAddr = "0.0.0.0:3000".parse().unwrap(); + assert_eq!( + unauthenticated_access_warning(addr), + "Anyone on the network can access this server." + ); + } +}
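Review bot: The two tests exercise only IPv4 binds (`127.0.0.1` and `0.0.0.0`), so the IPv6 side of `addr.ip().is_loopback()` is not covered. Add a case for `"[::1]:3000"` expecting the local-only text and one for `"[::]:3000"` expecting the network text, so a dual-stack or IPv6-only bind is shown to get the right warning. Both asserts compare the full message string, so they will fail on any rewording; that is acceptable if intended, but a short comment saying the strings are pinned on purpose would help the next editor.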