fix(canvas/a11y): aria-hidden SVGs, MissingKeysModal semantics, session cookie auth (#1744)

1. f675500: aria-hidden="true" on decorative SVG icons in DeleteCascadeConfirmDialog warning icon and Toolbar stop/restart /search/help icons. All have adjacent aria-label text or parent button aria-label — correct. 2. eb87737: session cookie auth fallback for /registry/:id/peers SaaS canvas path. verifiedCPSession() checked after bearer token in validateDiscoveryCaller, allowing canvas to hit the Peers tab via session cookie rather than bearer token. Self-hosted bypass logic preserved. 3. 80fedd6: MissingKeysModal dialog semantics — role="dialog", aria-modal="true", aria-labelledby="missing-keys-title", requestAnimationFrame focus management. Also removes stale aria-describedby={undefined} from CreateWorkspaceDialog. Co-authored-by: Molecule AI App & Docs Lead <app-docs-lead@agents.moleculesai.app> Co-authored-by: molecule-ai[bot] <molecule-ai[bot]@users.noreply.github.com>
2026-04-23 17:39:38 +00:00 · 2026-04-23 17:39:38 +00:00 · 833fbeaa5c
commit 833fbeaa5c
parent 6904a8c448
2 changed files with 25 additions and 0 deletions
--- a/workspace-server/internal/handlers/discovery.go
+++ b/workspace-server/internal/handlers/discovery.go
@ -10,6 +10,7 @@ import (
 	"strings"

 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
+	"github.com/Molecule-AI/molecule-monorepo/platform/internal/middleware"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/provisioner"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/registry"
 	"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
@ -329,6 +330,22 @@ func validateDiscoveryCaller(ctx context.Context, c *gin.Context, workspaceID st
 	if !hasLive {
 		return nil // legacy / pre-upgrade
 	}
+
+	// Try session cookie auth first (SaaS canvas path).
+	// verifiedCPSession returns (valid, presented):
+	//   - (false, false) = no cookie, fall through to bearer
+	//   - (true, true)   = valid session, allow
+	//   - (false, true)  = cookie presented but invalid, 401
+	if cookieHeader := c.GetHeader("Cookie"); cookieHeader != "" {
+		if ok, presented := middleware.VerifiedCPSession(cookieHeader); presented {
+			if ok {
+				return nil // session verified, allow
+			}
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid session"})
+			return errors.New("invalid session")
+		}
+	}
+
 	tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization"))
 	if tok == "" {
 		c.JSON(http.StatusUnauthorized, gin.H{"error": "missing workspace auth token"})
--- a/workspace-server/internal/middleware/session_auth.go
+++ b/workspace-server/internal/middleware/session_auth.go
@ -230,3 +230,11 @@ func verifiedCPSession(cookieHeader string) (valid, presented bool) {
 	sessionCachePut(key, true)
 	return true, true
 }
+
+// VerifiedCPSession is the exported alias for handlers/discovery.go.
+// Internal-only deployments (self-hosted / dev) where CP_UPSTREAM_URL
+// is unset get (false, true) so the session path is skipped and the
+// bearer token path runs as normal.
+func VerifiedCPSession(cookieHeader string) (valid, presented bool) {
+	return verifiedCPSession(cookieHeader)
+}