forked from molecule-ai/molecule-core
627946528d
ISSUE #680 — IDOR on PATCH /workspaces/🆔 - Route was on the open router with no auth middleware. Any unauthenticated caller could rename, change role, or update any workspace field of any workspace ID without credentials (zero auth + no ownership check). - Fix: register under wsAuth (WorkspaceAuth middleware) which (a) requires a valid bearer token and (b) validates the token belongs to the target workspace, providing auth + ownership in a single check. - Remove the now-redundant in-handler field-level auth block — the middleware is a strictly stronger gate. Dead code gone. - Remove unused `middleware` import from workspace.go. - Update tests: two tests that asserted the old in-handler 401 are replaced by TestWorkspaceUpdate_SensitiveField_AuthEnforcedByMiddleware (documents that auth is now at the router layer); cosmetic-field test renamed. ISSUE #681 — test-token endpoint auth: - Confirmed: GET /admin/workspaces/:id/test-token already has middleware.AdminAuth(db.DB). No change needed — finding was from older state. Build: `go build ./...` clean. All 15 test packages pass. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| artifacts | ||
| bundle | ||
| channels | ||
| crypto | ||
| db | ||
| envx | ||
| events | ||
| handlers | ||
| metrics | ||
| middleware | ||
| models | ||
| plugins | ||
| provisioner | ||
| registry | ||
| router | ||
| scheduler | ||
| supervised | ||
| ws | ||
| wsauth | ||