forked from molecule-ai/molecule-core
Three Offensive Security findings addressed:

#684 — AdminAuth accepts any workspace bearer token (FALSE POSITIVE). ValidateAnyToken intentionally accepts any valid workspace token — the platform's trust model uses workspace credentials as admin credentials. No code change; documented as by-design in the PR body.

#682 — Deleted-workspace bearer tokens still authenticate (defense-in-depth). The Delete handler already revokes all tokens (revoked_at = now()), so this was a false positive. As defense-in-depth we add a JOIN against workspaces in ValidateAnyToken so that even if revoked_at is not set (transient DB error between status update and token revocation), the token still fails validation once workspace.status = 'removed'. Files: platform/internal/wsauth/tokens.go, tokens_test.go, platform/internal/middleware/wsauth_middleware_test.go

#683 — /metrics unauthenticated (REAL). GET /metrics was on the open router with no auth. The Prometheus endpoint exposes the full HTTP route-pattern map, request counts by route+status, and Go runtime memory stats — ops intel that should not reach unauthenticated callers. Scraper must now present a valid workspace bearer token. File: platform/internal/router/router.go

All 16 packages pass: go test ./...

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
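Added example, not the project's own code, mirroring the two code changes the commit describes: a ValidateAnyToken that also fails once the token's workspace is 'removed' (the #682 defense-in-depth), and a router that mounts /metrics behind the bearer-token middleware (#683). It assumes an in-memory map standing in for the tokens/workspaces JOIN and a stand-in handler in place of the Prometheus one; Store, Token, RequireWorkspaceToken and NewRouter are hypothetical names.

```go
package main
import (
	"net/http"
	"strings"
	"time"
)
// Hypothetical in-memory stand-in for the tokens and workspaces tables.
type Token struct {
	WorkspaceID string
	RevokedAt   *time.Time
}
type Store struct {
	Tokens     map[string]Token
	Workspaces map[string]string // workspace id -> status
}
// ValidateAnyToken applies both checks from the commit: a set revoked_at rejects
// the token, and so does workspace status 'removed' even if revoked_at was never written.
func (s *Store) ValidateAnyToken(raw string) (string, bool) {
	t, ok := s.Tokens[raw]
	if !ok || t.RevokedAt != nil {
		return "", false
	}
	status, ok := s.Workspaces[t.WorkspaceID]
	if !ok || status == "removed" {
		return "", false
	}
	return t.WorkspaceID, true
}
// RequireWorkspaceToken rejects requests lacking a valid "Bearer <token>".
func RequireWorkspaceToken(s *Store, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		const p = "Bearer "
		h := r.Header.Get("Authorization")
		if _, ok := s.ValidateAnyToken(strings.TrimPrefix(h, p)); !strings.HasPrefix(h, p) || !ok {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// NewRouter mounts /metrics behind the middleware instead of on the open router.
func NewRouter(s *Store) http.Handler {
	mux := http.NewServeMux()
	metrics := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = w.Write([]byte("# stand-in for promhttp.Handler() output\n"))
	})
	mux.Handle("/metrics", RequireWorkspaceToken(s, metrics))
	return mux
}
```

The "orphan" case in the test below is the one the JOIN covers: the token row has no revoked_at, yet its workspace is already 'removed'.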