forked from molecule-ai/molecule-core
071fb0da88
Two bugs on the combined tenant image (canvas + API same-origin): 1. WebSocket URL: NEXT_PUBLIC_WS_URL="" (empty string for same-origin) was preserved by ?? operator, producing an invalid WS URL. Now derives from window.location when both env vars are empty. Same fix applied to TerminalTab. 2. AdminAuth blocking canvas: same-origin requests have no Origin header, so neither AdminAuth nor CanvasOrBearer could authenticate the canvas. Added isSameOriginCanvas() that checks Referer against request Host, gated behind CANVAS_PROXY_URL (only active on tenant image). This lets the canvas create/list workspaces, view events, etc. without a bearer token when served from the same Go process. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| bundle | ||
| channels | ||
| crypto | ||
| db | ||
| envx | ||
| events | ||
| handlers | ||
| metrics | ||
| middleware | ||
| models | ||
| plugins | ||
| provisioner | ||
| registry | ||
| router | ||
| scheduler | ||
| supervised | ||
| ws | ||
| wsauth | ||