From 488fde03a7287facd1693b1596e3fa22d1fa3dd7 Mon Sep 17 00:00:00 2001
From: Hongming Wang
Date: Mon, 20 Apr 2026 13:14:56 -0700
Subject: [PATCH] fix(middleware): TenantGuard passes through /cp/* to CP proxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Today's rollout of cp_proxy (PR #1095/1096) mounted /cp/* as a reverse-proxy to the control plane, but the TenantGuard middleware runs first in the global chain and 404s anything that isn't in its exact-path allowlist (/health + /metrics). Every /cp/auth/me fetch from canvas landed on a 40µs 404 before ever reaching the proxy. /cp/* is handled upstream (WorkOS session + admin bearer), so the tenant doesn't need to attach org identity for those paths. Passing them through is correct — matches the design where the tenant platform is a pure transit layer for /cp/*. Verified: /cp/auth/me via tunnel now returns 401 (correct unauth from CP) instead of 404 from TenantGuard.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 workspace-server/internal/middleware/tenant_guard.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/workspace-server/internal/middleware/tenant_guard.go b/workspace-server/internal/middleware/tenant_guard.go
index 78309bba..6692c5c3 100644
--- a/workspace-server/internal/middleware/tenant_guard.go
+++ b/workspace-server/internal/middleware/tenant_guard.go
@@ -67,6 +67,15 @@ func TenantGuardWithOrgID(configuredOrgID string) gin.HandlerFunc {
 c.Next()
 return
 }
+ // /cp/* is reverse-proxied to the control plane. The CP has its
+ // own auth (WorkOS session cookie + admin bearer) so the tenant
+ // doesn't need to attach org identity here. Bypassing the guard
+ // avoids blocking the proxy with a 404 that would then look
+ // like the CP is down.
+ if strings.HasPrefix(c.Request.URL.Path, "/cp/") {
+ c.Next()
+ return
+ }
 // Primary: explicit X-Molecule-Org-Id header (direct access path,
 // e.g. from molecli or internal tooling that sets it directly).
 if c.GetHeader(tenantOrgIDHeader) == configuredOrgID {
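Review bot: The bypass at `if strings.HasPrefix(c.Request.URL.Path, "/cp/")` exempts a whole path namespace from the tenant check on the strength of the prefix alone, so it is only correct while the CP reverse-proxy is the sole handler mounted under /cp/; any tenant route later registered beneath that prefix would be served without org identity and nothing here would notice. I would state that invariant in the comment and take the literal from the same constant the proxy mount uses (for example `const cpProxyPrefix = "/cp/"` exported by the cp_proxy package, then `strings.HasPrefix(c.Request.URL.Path, cpProxyPrefix)`) so the two cannot drift. Note also that the bare `/cp` path does not match the prefix and still falls through to the guard, which may or may not be intended depending on how the proxy route is declared. A small middleware test — `/cp/auth/me` without the org header reaches `c.Next()`, `/cpx/anything` does not — would pin this behaviour. The enclosing `TenantGuardWithOrgID` function starts and ends outside the hunk, and the `strings` import is assumed to be already present since the diff adds none.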