core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
652019afcc
molecule-core/platform/internal/middleware
History
Hongming Wang b73da288e3 fix(auth): TenantGuard same-origin bypass for EC2 tenant Canvas 
On EC2 tenant instances, Caddy serves Canvas (:3000) and API (:8080) under
the same domain. Canvas makes same-origin requests without X-Molecule-Org-Id
or Fly-Replay-Src headers, causing TenantGuard to 404 every API route.

- Add isSameOriginCanvas() as tertiary check in TenantGuard — when
  CANVAS_PROXY_URL is set and Referer/Origin matches Host, pass through.
- Enhance isSameOriginCanvas() to also check Origin header (WebSocket
  upgrade requests send Origin but may not send Referer).
- Add 3 new tests: Referer bypass, Origin bypass (WS), inactive without env.

Fixes all 404s on /workspaces, /templates, /org/templates, /approvals/pending,
/canvas/viewport, and /ws WebSocket on tenant EC2 instances.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 18:22:23 -07:00
..
ratelimit_test.go fix(router): call SetTrustedProxies(nil) to close IP-spoofing bypass (#179) 2026-04-15 17:32:54 +00:00
ratelimit.go fix: #93 category_routing + #105 X-RateLimit headers 2026-04-15 00:23:46 -07:00
securityheaders_test.go fix(middleware): split CSP by route type — strict for API, permissive for canvas (#450) 2026-04-16 20:26:17 +00:00
securityheaders.go fix(middleware): split CSP by route type — strict for API, permissive for canvas (#450) 2026-04-16 20:26:17 +00:00
tenant_guard_test.go fix(auth): TenantGuard same-origin bypass for EC2 tenant Canvas 2026-04-16 18:22:23 -07:00
tenant_guard.go fix(auth): TenantGuard same-origin bypass for EC2 tenant Canvas 2026-04-16 18:22:23 -07:00
wsauth_middleware_test.go chore(test): remove dead constants from wsauth_middleware_test.go (#358) 2026-04-16 05:02:11 +00:00
wsauth_middleware.go fix(auth): TenantGuard same-origin bypass for EC2 tenant Canvas 2026-04-16 18:22:23 -07:00