forked from molecule-ai/molecule-core
The Origin header is trivially forgeable by any container on the Docker network. Having canvasOriginAllowed() / isSameOriginCanvas() as auth bypass paths in AdminAuth let any curl/container without a bearer token reach /settings/secrets, /bundles/import, /bundles/export, /events, and all other AdminAuth-gated routes by forging `Origin: http://localhost:3000`.

Fix: remove both Origin bypass branches from AdminAuth. Bearer token is now the only accepted credential. Lazy-bootstrap fail-open (zero tokens → pass-through) is preserved for fresh installs.

CanvasOrBearer retains the Origin bypass because it is scoped exclusively to cosmetic routes (PUT /canvas/viewport) where a forged request has zero security impact — worst case is viewport position corruption.

Added 3 regression tests:

- TestAdminAuth_623_ForgedOrigin_Returns401
- TestAdminAuth_623_ForgedCORSOrigin_Returns401
- TestAdminAuth_623_ValidBearer_WithOrigin_Passes

Closes #623, Closes #626

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
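The post-fix rule the commit message describes, as an added example rather than the project's own code: a minimal AdminAuth-style middleware that checks only the bearer token, keeps the zero-token pass-through for fresh installs, and never reads Origin, so a request that forges `Origin: http://localhost:3000` without a token gets 401. The `AdminAuth` struct shape, its `Tokens` field, `Probe`, and the token value `t0k3n` are assumptions made for this illustration.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AdminAuth mirrors the post-fix rule in the commit message: the bearer token is the only
// credential checked and the Origin header is never consulted. Illustrative, not the project's code.
type AdminAuth struct {
	Tokens []string // configured admin tokens; empty means lazy bootstrap (fail-open)
}

func (a *AdminAuth) hasValidBearer(r *http.Request) bool {
	h := r.Header.Get("Authorization")
	presented := strings.TrimPrefix(h, "Bearer ") // equals h when the scheme is missing
	for _, t := range a.Tokens {
		if presented != h && subtle.ConstantTimeCompare([]byte(presented), []byte(t)) == 1 {
			return true
		}
	}
	return false
}

func (a *AdminAuth) Wrap(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Zero configured tokens: pass through, as the fix preserves for fresh installs.
		if len(a.Tokens) > 0 && !a.hasValidBearer(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends GET /settings/secrets with the given headers through AdminAuth and returns the status.
func Probe(tokens []string, headers http.Header) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/settings/secrets", nil)
	req.Header = headers
	rec := httptest.NewRecorder()
	(&AdminAuth{Tokens: tokens}).Wrap(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	println(Probe([]string{"t0k3n"}, http.Header{"Origin": {"http://localhost:3000"}})) // 401: forged Origin alone
}
```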
| Directory |
|---|
| bundle |
| channels |
| crypto |
| db |
| envx |
| events |
| handlers |
| metrics |
| middleware |
| models |
| plugins |
| provisioner |
| registry |
| router |
| scheduler |
| supervised |
| ws |
| wsauth |