core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
1a28ec8ee5
molecule-core/platform/internal
History
Backend Engineer 1a28ec8ee5 fix(security): C1 — gate GET /workspaces behind AdminAuth; add auth middleware tests 
Security Auditor confirmed C1 (GET /workspaces) exposes workspace topology
without any authentication. The endpoint was intentionally left open for
the canvas browser frontend; this PR closes that gap.

Router change:
- Move GET /workspaces from the bare root router into the wsAdmin AdminAuth
  group alongside POST /workspaces and DELETE /workspaces/:id.
- AdminAuth uses the same fail-open bootstrap contract as all other auth
  gates: fresh installs (no live tokens) pass through; once any workspace
  has registered with a token, a valid bearer is required.

Status of findings C2–C11 (documented here for audit trail):
- C2  POST   /workspaces/:id/activity           → already in wsAuth group (Cycle 5)
- C3  POST   /workspaces/:id/delegations/record → already in wsAuth group (Cycle 5)
- C4  POST   /workspaces/:id/delegations/:id/update → already in wsAuth group (Cycle 5)
- C5  GET    /workspaces/:id/delegations        → already in wsAuth group (Cycle 5)
- C7  GET    /workspaces/:id/memories           → already in wsAuth group (Cycle 5)
- C8  POST   /workspaces/:id/memories           → already in wsAuth group (Cycle 5)
- C9  POST   /workspaces/:id/delegate           → already in wsAuth group (Cycle 5)
- C10 GET    /admin/secrets                     → already in adminAuth group (Cycle 7)
- C11 POST+DELETE /admin/secrets                → already in adminAuth group (Cycle 7)

Tests (platform/internal/middleware/wsauth_middleware_test.go — 13 new):
WorkspaceAuth:
  - fail-open when workspace has no tokens (bootstrap path)
  - C4: no bearer on /delegations/:id/update → 401
  - C8: no bearer on /memories POST → 401
  - invalid bearer → 401
  - cross-workspace token replay → 401
  - valid bearer for correct workspace → 200

AdminAuth:
  - fail-open when no tokens exist globally (fresh install)
  - C10: no bearer on GET /admin/secrets → 401
  - C11: no bearer on POST /admin/secrets → 401
  - C11: no bearer on DELETE /admin/secrets/:key → 401
  - valid bearer → 200
  - invalid bearer → 401

Note: did NOT touch DELETE /admin/secrets in production — no destructive
calls to live secrets endpoints were made during this work.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 04:37:14 +00:00
..
bundle initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
crypto initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
db initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
envx initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
events initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
handlers fix(security): C18 register ownership check, C20 DELETE auth gate 2026-04-14 07:38:53 +00:00
metrics initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
middleware fix(security): C1 — gate GET /workspaces behind AdminAuth; add auth middleware tests 2026-04-15 04:37:14 +00:00
models initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
plugins initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
provisioner initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
registry initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
router fix(security): C1 — gate GET /workspaces behind AdminAuth; add auth middleware tests 2026-04-15 04:37:14 +00:00
scheduler initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
ws initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
wsauth fix(security): protect global secrets routes with AdminAuth middleware (Cycle 7) 2026-04-14 06:33:22 +00:00