forked from molecule-ai/molecule-core
627946528d
ISSUE #680 — IDOR on PATCH /workspaces/🆔 - Route was on the open router with no auth middleware. Any unauthenticated caller could rename, change role, or update any workspace field of any workspace ID without credentials (zero auth + no ownership check). - Fix: register under wsAuth (WorkspaceAuth middleware) which (a) requires a valid bearer token and (b) validates the token belongs to the target workspace, providing auth + ownership in a single check. - Remove the now-redundant in-handler field-level auth block — the middleware is a strictly stronger gate. Dead code gone. - Remove unused `middleware` import from workspace.go. - Update tests: two tests that asserted the old in-handler 401 are replaced by TestWorkspaceUpdate_SensitiveField_AuthEnforcedByMiddleware (documents that auth is now at the router layer); cosmetic-field test renamed. ISSUE #681 — test-token endpoint auth: - Confirmed: GET /admin/workspaces/:id/test-token already has middleware.AdminAuth(db.DB). No change needed — finding was from older state. Build: `go build ./...` clean. All 15 test packages pass. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| cmd/server | ||
| internal | ||
| migrations | ||
| pkg/provisionhook | ||
| Dockerfile | ||
| Dockerfile.tenant | ||
| entrypoint-tenant.sh | ||
| go.mod | ||
| go.sum | ||