fix(middleware): TenantGuard passes through /cp/* to CP proxy

Today's rollout of cp_proxy (PR #1095/1096) mounted /cp/* as a reverse-proxy to the control plane, but the TenantGuard middleware runs first in the global chain and 404s anything that isn't in its exact-path allowlist (/health + /metrics). Every /cp/auth/me fetch from canvas landed on a 40µs 404 before ever reaching the proxy. /cp/* is handled upstream (WorkOS session + admin bearer), so the tenant doesn't need to attach org identity for those paths. Passing them through is correct — matches the design where the tenant platform is a pure transit layer for /cp/*. Verified: /cp/auth/me via tunnel now returns 401 (correct unauth from CP) instead of 404 from TenantGuard. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 13:14:56 -07:00 · 2026-04-20 13:14:56 -07:00 · 488fde03a7
commit 488fde03a7
parent e2ec12292b
1 changed files with 9 additions and 0 deletions
--- a/workspace-server/internal/middleware/tenant_guard.go
+++ b/workspace-server/internal/middleware/tenant_guard.go
@ -67,6 +67,15 @@ func TenantGuardWithOrgID(configuredOrgID string) gin.HandlerFunc {
 			c.Next()
 			return
 		}
+		// /cp/* is reverse-proxied to the control plane. The CP has its
+		// own auth (WorkOS session cookie + admin bearer) so the tenant
+		// doesn't need to attach org identity here. Bypassing the guard
+		// avoids blocking the proxy with a 404 that would then look
+		// like the CP is down.
+		if strings.HasPrefix(c.Request.URL.Path, "/cp/") {
+			c.Next()
+			return
+		}
 		// Primary: explicit X-Molecule-Org-Id header (direct access path,
 		// e.g. from molecli or internal tooling that sets it directly).
 		if c.GetHeader(tenantOrgIDHeader) == configuredOrgID {