forked from molecule-ai/molecule-core
On EC2 tenant instances, Caddy serves Canvas (:3000) and API (:8080) under the same domain. Canvas makes same-origin requests without X-Molecule-Org-Id or Fly-Replay-Src headers, causing TenantGuard to 404 every API route.

- Add isSameOriginCanvas() as tertiary check in TenantGuard — when CANVAS_PROXY_URL is set and Referer/Origin matches Host, pass through.
- Enhance isSameOriginCanvas() to also check Origin header (WebSocket upgrade requests send Origin but may not send Referer).
- Add 3 new tests: Referer bypass, Origin bypass (WS), inactive without env.

Fixes all 404s on /workspaces, /templates, /org/templates, /approvals/pending, /canvas/viewport, and /ws WebSocket on tenant EC2 instances.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| Directory |
|---|
| .. |
| bundle |
| channels |
| crypto |
| db |
| envx |
| events |
| handlers |
| metrics |
| middleware |
| models |
| plugins |
| provisioner |
| registry |
| router |
| scheduler |
| supervised |
| ws |
| wsauth |