Hongming Wang 94e3d05e45 fix(security): gate /channels/discover behind AdminAuth (#250) ... Closes #250 (MEDIUM). POST /channels/discover was on the open router and accepted an arbitrary Telegram bot token, turning it into: 1. A free bot-token validity oracle — attackers can enumerate/probe tokens at zero cost 2. A drive-by deleteWebhook side effect — every call invokes tgbotapi.DeleteWebhookConfig against the target bot, breaking legitimate webhook delivery 3. A rate-limit amplifier — getMe + deleteWebhook + getUpdates per call Fix: one-line addition of middleware.AdminAuth(db.DB) to the route, matching its actual intent (platform-operator admin helper, not a per-workspace route). Pattern mirrors /admin/liveness, /events, and /bundles/export from PR #167. No new test: AdminAuth behavior is covered by wsauth_middleware_test.go; this PR only wires it onto an additional route. The load-bearing code comment references #250 so future reviewers can't revert without an issue citation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>		2026-04-15 13:11:22 -07:00
..
cmd	fix(platform): panic-recovering supervisor for every background goroutine (#92)	2026-04-14 20:34:18 -07:00
internal	fix(security): gate /channels/discover behind AdminAuth (#250)	2026-04-15 13:11:22 -07:00
migrations	fix(schedules): backfill legacy rows to 'template' + extract import SQL const	2026-04-14 14:30:22 -07:00
Dockerfile	initial commit — Molecule AI platform	2026-04-13 11:55:37 -07:00
go.mod	initial commit — Molecule AI platform	2026-04-13 11:55:37 -07:00
go.sum	initial commit — Molecule AI platform	2026-04-13 11:55:37 -07:00