forked from molecule-ai/molecule-core
78f8391f02
PR #1885 introduced a regression: HandleConnect called wsauth.ValidateToken for any bearer token when X-Workspace-ID ≠ workspaceID. Org-scoped tokens (org_api_tokens table) are not in workspace_auth_tokens, so ValidateToken always returned ErrInvalidToken for them → hard 401 for all A2A routing that uses org tokens. Fix: if WorkspaceAuth already validated an org token (org_token_id set in gin context by orgtoken.Validate), skip the workspace_auth_tokens lookup and trust the X-Workspace-ID claim. Hierarchy enforcement via canCommunicateCheck is unchanged — org token holders are still subject to the workspace hierarchy. Workspace-scoped tokens continue to require ValidateToken binding. Invalid tokens (neither workspace-bound nor org-level) still return 401. This closes the regression while preserving the KI-005 security property. Add TestKI005_OrgToken_SkipsValidateToken to terminal_test.go as a regression guard for this exact path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| artifacts | ||
| bundle | ||
| channels | ||
| crypto | ||
| db | ||
| envx | ||
| events | ||
| handlers | ||
| metrics | ||
| middleware | ||
| models | ||
| orgtoken | ||
| plugins | ||
| provisioner | ||
| registry | ||
| router | ||
| scheduler | ||
| supervised | ||
| ws | ||
| wsauth | ||