core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity

Merge pull request #1097 from Molecule-AI/fix/tenant-guard-allow-cp-proxy

Browse Source 
fix: TenantGuard passes through /cp/* to CP proxy
This commit is contained in:
Hongming Wang 2026-04-20 13:15:02 -07:00 committed by GitHub
commit fb6df5bb36
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
workspace-server/internal/middleware/tenant_guard.go
View File

@ -67,6 +67,15 @@ func TenantGuardWithOrgID(configuredOrgID string) gin.HandlerFunc {
c.Next()
return
}
// /cp/* is reverse-proxied to the control plane. The CP has its
// own auth (WorkOS session cookie + admin bearer) so the tenant
// doesn't need to attach org identity here. Bypassing the guard
// avoids blocking the proxy with a 404 that would then look
// like the CP is down.
if strings.HasPrefix(c.Request.URL.Path, "/cp/") {
c.Next()
return
}
// Primary: explicit X-Molecule-Org-Id header (direct access path,
// e.g. from molecli or internal tooling that sets it directly).
if c.GetHeader(tenantOrgIDHeader) == configuredOrgID {