core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
e58e446444
molecule-core/workspace/transcript_auth.py
Hongming Wang d8026347e5 chore: open-source restructure — rename dirs, remove internal files, scrub secrets 
Renames:
- platform/ → workspace-server/ (Go module path stays as "platform" for
  external dep compat — will update after plugin module republish)
- workspace-template/ → workspace/

Removed (moved to separate repos or deleted):
- PLAN.md — internal roadmap (move to private project board)
- HANDOFF.md, AGENTS.md — one-time internal session docs
- .claude/ — gitignored entirely (local agent config)
- infra/cloudflare-worker/ → Molecule-AI/molecule-tenant-proxy
- org-templates/molecule-dev/ → standalone template repo
- .mcp-eval/ → molecule-mcp-server repo
- test-results/ — ephemeral, gitignored

Security scrubbing:
- Cloudflare account/zone/KV IDs → placeholders
- Real EC2 IPs → <EC2_IP> in all docs
- CF token prefix, Neon project ID, Fly app names → redacted
- Langfuse dev credentials → parameterized
- Personal runner username/machine name → generic

Community files:
- CONTRIBUTING.md — build, test, branch conventions
- CODE_OF_CONDUCT.md — Contributor Covenant 2.1

All Dockerfiles, CI workflows, docker-compose, railway.toml, render.yaml,
README, CLAUDE.md updated for new directory names.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-18 00:24:44 -07:00

31 lines
1.3 KiB
Python
Raw Blame History

"""Auth gate for the /transcript Starlette route.
Extracted from main.py so the security-critical logic is unit-testable
without standing up the full uvicorn/a2a/httpx import stack.
#328: the route must fail CLOSED when the expected token is unavailable
(bootstrap window, missing file, OSError). The previous implementation
treated a missing token as "skip auth entirely" — any container on the
same Docker network could read the session log during provisioning.
"""
def transcript_authorized(expected_token: str | None, auth_header: str) -> bool:
"""Return True iff /transcript should serve the request.
Args:
expected_token: the workspace's registered bearer token, or None
if `/configs/.auth_token` is absent / unreadable.
auth_header: raw value of the Authorization request header.
Behavior:
- None/empty expected → fail closed (401). This is the #328 fix;
a missing token file is an auth failure, not a bypass.
- Non-empty expected: strict equality check against "Bearer <tok>".
Bearer prefix is case-sensitive (matches the platform's
wsauth.BearerTokenFromHeader contract).
"""
if not expected_token:
return False
return auth_header == f"Bearer {expected_token}"
View Git Blame Copy Permalink