Merge pull request #490 from Molecule-AI/fix/workspace-auth-same-origin

fix(auth): WorkspaceAuth same-origin canvas on tenant
2026-04-16 10:17:12 -07:00 · 2026-04-16 10:17:12 -07:00 · 5d4ee18c72
commit 5d4ee18c72
parent 6ea559079e 807b4c1b45
1 changed files with 11 additions and 5 deletions
--- a/platform/internal/middleware/wsauth_middleware.go
+++ b/platform/internal/middleware/wsauth_middleware.go
@ -43,15 +43,21 @@ func WorkspaceAuth(database *sql.DB) gin.HandlerFunc {
 		ctx := c.Request.Context()

 		tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization"))
-		if tok == "" {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing workspace auth token"})
+		if tok != "" {
+			if err := wsauth.ValidateToken(ctx, database, workspaceID, tok); err != nil {
+				c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid workspace auth token"})
+				return
+			}
+			c.Next()
 			return
 		}
-		if err := wsauth.ValidateToken(ctx, database, workspaceID, tok); err != nil {
-			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid workspace auth token"})
+		// Same-origin canvas on tenant image — Referer matches Host.
+		if isSameOriginCanvas(c) {
+			c.Next()
 			return
 		}
-		c.Next()
+		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing workspace auth token"})
+		return
 	}
 }