From a46797d466f7efe5f3a8520b05f4e476ced77666 Mon Sep 17 00:00:00 2001 From: Molecule AI Core-UIUX Date: Thu, 23 Apr 2026 19:56:42 +0000 Subject: [PATCH] fix(middleware): rename internal fn to verifiedCPSession, keep public alias MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The PR #1855 branch contains a newer version of session_auth.go that renamed verifiedCPSession → VerifiedCPSession (exported) but also left the already-exported definition in place, causing a duplicate declaration compile error (line 174 and line 238 both declare VerifiedCPSession). Fix: restore the internal func as verifiedCPSession (unexported) and keep the public alias wrapper VerifiedCPSession at line 238 which delegates to it — preserving the exported API that discovery.go and wsauth_middleware.go depend on. Co-Authored-By: Claude Sonnet 4.6 --- workspace-server/internal/middleware/session_auth.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/workspace-server/internal/middleware/session_auth.go b/workspace-server/internal/middleware/session_auth.go index 225a8b23..33ce2ac2 100644 --- a/workspace-server/internal/middleware/session_auth.go +++ b/workspace-server/internal/middleware/session_auth.go @@ -157,7 +157,7 @@ func tenantSlug() string { return strings.TrimSpace(os.Getenv("MOLECULE_ORG_SLUG")) } -// VerifiedCPSession returns true when the request carries a cookie +// verifiedCPSession returns true when the request carries a cookie // that the CP confirms belongs to a MEMBER of THIS tenant's org (not // just "someone is logged in"). The difference is the authz boundary: // any WorkOS-authed user could hit /cp/auth/me successfully; only @@ -171,7 +171,7 @@ func tenantSlug() string { // — fail-safe: better to refuse session auth than to accept it // without knowing which tenant we ARE. Deployments that want session // auth MUST set both CP_UPSTREAM_URL and MOLECULE_ORG_SLUG. -func VerifiedCPSession(cookieHeader string) (valid, presented bool) { +func verifiedCPSession(cookieHeader string) (valid, presented bool) { if cookieHeader == "" { return false, false } @@ -231,10 +231,10 @@ func VerifiedCPSession(cookieHeader string) (valid, presented bool) { return true, true } -// VerifiedCPSession is the exported alias for handlers/discovery.go. -// Internal-only deployments (self-hosted / dev) where CP_UPSTREAM_URL -// is unset get (false, true) so the session path is skipped and the -// bearer token path runs as normal. +// VerifiedCPSession is the exported alias — callers in other packages +// (discovery.go, wsauth_middleware.go) use this name. Internal-only +// deployments (self-hosted/dev) where CP_UPSTREAM_URL is unset get +// (false, true) so the session path is skipped and bearer token auth runs. func VerifiedCPSession(cookieHeader string) (valid, presented bool) { return verifiedCPSession(cookieHeader) }