core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
6edaebca00
molecule-core/platform
History
Backend Engineer 6edaebca00 fix: require workspace auth on DELETE /secrets/:key (#170) 
The route wsAuth.DELETE("/secrets/:key", sech.Delete) was already moved
inside the WorkspaceAuth group in a prior commit, closing the CWE-306
unauthenticated-delete vector. This commit adds two regression tests to
lock that in:

- TestWorkspaceAuth_Issue170_SecretDelete_NoBearer_Returns401: workspace
  with live tokens, no bearer header → 401 (blocks the attack).
- TestWorkspaceAuth_Issue170_SecretDelete_FailOpen_NoTokens: workspace
  with no tokens (bootstrap/legacy) → 200 (fail-open preserved).

Mirrors the TestAdminAuth_Issue120_* and TestWorkspaceAuth_C4_C8_* patterns.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 17:42:08 +00:00
..
cmd fix(platform): panic-recovering supervisor for every background goroutine (#92) 2026-04-14 20:34:18 -07:00
internal fix: require workspace auth on DELETE /secrets/:key (#170) 2026-04-15 17:42:08 +00:00
migrations fix(schedules): backfill legacy rows to 'template' + extract import SQL const 2026-04-14 14:30:22 -07:00
Dockerfile initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
go.mod initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
go.sum initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00