Merge remote-tracking branch 'origin/staging' into feat/merge-queue-trigger

rabbitblood 2026-04-23 21:34:16 -07:00
commit 01de3ef6d2
2 changed files with 4 additions and 14 deletions


@ -361,11 +361,9 @@ func validateDiscoveryCaller(ctx context.Context, c *gin.Context, workspaceID st
// Add verifiedCPSession() as a fallback after the bearer check so
// SaaS canvas Peers tab doesn't 401. Self-hosted workspaces are
// unaffected — they have no CP session cookie.
ok, presented := middleware.VerifiedCPSession(c.GetHeader("Cookie"))
if ok {
if ok2, presented2 := middleware.VerifiedCPSession(c.GetHeader("Cookie")); ok2 {
return nil
}
if presented {
} else if presented2 {
c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid session"})
return errors.New("invalid session")
}
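Review bot: The comment kept at the top of the hunk still says `Add verifiedCPSession() as a fallback`, naming the unexported function this commit replaces with the exported `middleware.VerifiedCPSession` called on the new line, and it reads as a change note rather than a description of the code; rewrite its first line as `// Fall back to middleware.VerifiedCPSession after the bearer check so the` and keep the rest of the sentence as is. The `ok2`/`presented2` suffixes on the new `if` initializer are presumably there to avoid shadowing an `ok`/`presented` pair declared earlier in validateDiscoveryCaller; since the initializer already scopes them to the if/else chain, names such as `sessionOK, cookiePresented` would carry more meaning than a counter, or a short comment could say why fresh names are needed. Worth stating in that comment as well: a cookie that is presented but not confirmed by the CP ends the request here with a 401 "invalid session" rather than falling through to whatever check follows, which is the fail-safe behaviour the middleware's own doc comment describes. validateDiscoveryCaller starts before the hunk and its body continues past it.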


@ -157,7 +157,7 @@ func tenantSlug() string {
return strings.TrimSpace(os.Getenv("MOLECULE_ORG_SLUG"))
}
// verifiedCPSession returns true when the request carries a cookie
// VerifiedCPSession returns true when the request carries a cookie
// that the CP confirms belongs to a MEMBER of THIS tenant's org (not
// just "someone is logged in"). The difference is the authz boundary:
// any WorkOS-authed user could hit /cp/auth/me successfully; only
@ -171,7 +171,7 @@ func tenantSlug() string {
// — fail-safe: better to refuse session auth than to accept it
// without knowing which tenant we ARE. Deployments that want session
// auth MUST set both CP_UPSTREAM_URL and MOLECULE_ORG_SLUG.
func verifiedCPSession(cookieHeader string) (valid, presented bool) {
func VerifiedCPSession(cookieHeader string) (valid, presented bool) {
if cookieHeader == "" {
return false, false
}
@ -230,11 +230,3 @@ func verifiedCPSession(cookieHeader string) (valid, presented bool) {
sessionCachePut(key, true)
return true, true
}
// VerifiedCPSession is the exported alias — callers in other packages
// (discovery.go, wsauth_middleware.go) use this name. Internal-only
// deployments (self-hosted/dev) where CP_UPSTREAM_URL is unset get
// (false, true) so the session path is skipped and bearer token auth runs.
func VerifiedCPSession(cookieHeader string) (valid, presented bool) {
return verifiedCPSession(cookieHeader)
}