core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity

fix(middleware): rename internal fn to verifiedCPSession, keep public alias

Browse Source 
The PR #1855 branch contains a newer version of session_auth.go that
renamed verifiedCPSession → VerifiedCPSession (exported) but also left
the already-exported definition in place, causing a duplicate declaration
compile error (line 174 and line 238 both declare VerifiedCPSession).

Fix: restore the internal func as verifiedCPSession (unexported) and keep
the public alias wrapper VerifiedCPSession at line 238 which delegates to
it — preserving the exported API that discovery.go and wsauth_middleware.go
depend on.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Molecule AI · core-uiux 2026-04-23 19:56:42 +00:00
parent 746cb22855
commit a46797d466
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
workspace-server/internal/middleware/session_auth.go
View File

@ -157,7 +157,7 @@ func tenantSlug() string {
return strings.TrimSpace(os.Getenv("MOLECULE_ORG_SLUG"))
}
// VerifiedCPSession returns true when the request carries a cookie
// verifiedCPSession returns true when the request carries a cookie
// that the CP confirms belongs to a MEMBER of THIS tenant's org (not
// just "someone is logged in"). The difference is the authz boundary:
// any WorkOS-authed user could hit /cp/auth/me successfully; only
@ -171,7 +171,7 @@ func tenantSlug() string {
// — fail-safe: better to refuse session auth than to accept it
// without knowing which tenant we ARE. Deployments that want session
// auth MUST set both CP_UPSTREAM_URL and MOLECULE_ORG_SLUG.
func VerifiedCPSession(cookieHeader string) (valid, presented bool) {
func verifiedCPSession(cookieHeader string) (valid, presented bool) {
if cookieHeader == "" {
return false, false
}
@ -231,10 +231,10 @@ func VerifiedCPSession(cookieHeader string) (valid, presented bool) {
return true, true
}
// VerifiedCPSession is the exported alias for handlers/discovery.go.
// Internal-only deployments (self-hosted / dev) where CP_UPSTREAM_URL
// is unset get (false, true) so the session path is skipped and the
// bearer token path runs as normal.
// VerifiedCPSession is the exported alias — callers in other packages
// (discovery.go, wsauth_middleware.go) use this name. Internal-only
// deployments (self-hosted/dev) where CP_UPSTREAM_URL is unset get
// (false, true) so the session path is skipped and bearer token auth runs.
func VerifiedCPSession(cookieHeader string) (valid, presented bool) {
return verifiedCPSession(cookieHeader)
}