core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
eaecdb5c46
molecule-core/platform/internal/handlers
History
Hongming Wang 04c3911c0e fix(security): forward Authorization header in transcript proxy (#405) (#380) 
The platform's GET /workspaces/:id/transcript proxy was constructing the
outbound request without an Authorization header. The workspace's /transcript
endpoint (hardened in #287/#328) fails-closed when the header is absent,
so every transcript call in production returned 401 from the workspace.

Fix: after WorkspaceAuth validates the incoming bearer token, the handler
now forwards it verbatim via req.Header.Set("Authorization", ...).
Forwarding is safe — the token has already been validated by the middleware.

Tests:
- TestTranscript_ForwardsAuthHeader: was t.Skip'd as a bug marker; now
  active. Verifies the Authorization header reaches the workspace stub.
- TestTranscript_NoAuthHeader_PassesThrough: new. Verifies that a missing
  header produces no synthetic Authorization on the upstream call, and the
  workspace 401 is faithfully relayed.

Identified by QA audit 2026-04-16.

Co-authored-by: QA Engineer <qa-engineer@molecule-ai.internal>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 23:38:07 -07:00
..
a2a_proxy_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
a2a_proxy.go chore: quality pass — native dialogs, env sync, Go handler splits 2026-04-13 14:36:30 -07:00
activity_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
activity.go fix(security): #234 — sanitize source_id spoof log line via %q 2026-04-15 12:04:26 -07:00
admin_test_token_test.go feat(platform): GET /admin/workspaces/:id/test-token for E2E (#6) 2026-04-14 09:35:26 -07:00
admin_test_token.go feat(platform): GET /admin/workspaces/:id/test-token for E2E (#6) 2026-04-14 09:35:26 -07:00
agent_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
agent.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
approvals_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
approvals.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
bundle.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels_test.go fix(security): scope PausePollersForToken to requesting workspace (closes #329) 2026-04-15 21:22:50 -07:00
channels.go Merge pull request #343 from Molecule-AI/fix/issue-337-webhook-secret-constant-time 2026-04-15 21:31:02 -07:00
config_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
config.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
container_files.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
delegation_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
delegation.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
discovery_test.go test: 100% coverage of extracted helpers + ConfirmDialog singleButton 2026-04-13 17:08:33 -07:00
discovery.go chore: quality pass — native dialogs, env sync, Go handler splits 2026-04-13 14:36:30 -07:00
events_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
events.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
handlers_additional_test.go fix(tests): add EXISTS probe mock to 4 WorkspaceUpdate tests 2026-04-15 09:35:08 -07:00
handlers_extended_test.go test(security): add #120 regression tests — PATCH auth + workspace existence guard 2026-04-15 08:40:06 +00:00
handlers_test.go fix(security): #234 — sanitize source_id spoof log line via %q 2026-04-15 12:04:26 -07:00
memories_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
memories.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
memory_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
memory.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
org_path_test.go fix(security): #103 — path-sanitize + admin-gate POST /org/import 2026-04-15 00:18:09 -07:00
org_test.go fix(org): use yaml.Marshal for category_routing + newline-guard block appends 2026-04-14 14:28:22 -07:00
org.go fix(security): YAML injection + path traversal via runtime/model (#241) 2026-04-15 13:17:32 -07:00
plugins_install_pipeline_test.go test(handlers): add unit test suite for plugins_install_pipeline.go 2026-04-15 18:47:25 +00:00
plugins_install_pipeline.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_install.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_listing.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_sources.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
plugins_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
plugins.go refactor(platform): split 981-line plugins.go into per-domain modules 2026-04-13 18:01:59 -07:00
registry_test.go fix(security): close IPv6 SSRF gap in validateAgentURL (C6) 2026-04-15 07:43:23 +00:00
registry.go fix(security): close IPv6 SSRF gap in validateAgentURL (C6) 2026-04-15 07:43:23 +00:00
restart_context_test.go feat(platform): inject restart context system message (#19 Layer 1) 2026-04-14 12:41:01 -07:00
restart_context.go feat(platform): inject restart context system message (#19 Layer 1) 2026-04-14 12:41:01 -07:00
schedules_test.go fix(code-review): CanvasOrBearer fall-through, scheduler short(), activity spoof log + 6 new tests 2026-04-15 11:48:25 -07:00
schedules.go fix(scheduler): #152 problem B — persist and surface cron error_detail 2026-04-15 11:11:16 -07:00
secrets_test.go fix(secrets): auto-restart workspaces on global secret change (#15) 2026-04-14 12:39:00 -07:00
secrets.go fix(secrets): auto-restart workspaces on global secret change (#15) 2026-04-14 12:39:00 -07:00
socket.go fix(security): Cycle 5 — auth middleware, injection hardening, skill sandbox 2026-04-14 04:44:42 +00:00
team_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
team.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
template_import_test.go fix(security): #221 — quote name as YAML scalar instead of stripping newlines 2026-04-15 11:58:16 -07:00
template_import.go fix(security): #221 — quote name as YAML scalar instead of stripping newlines 2026-04-15 11:58:16 -07:00
templates_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
templates.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
terminal.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
traces_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
traces.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
transcript_test.go fix(security): forward Authorization header in transcript proxy (#405) (#380) 2026-04-15 23:38:07 -07:00
transcript.go fix(security): forward Authorization header in transcript proxy (#405) (#380) 2026-04-15 23:38:07 -07:00
viewport_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
viewport.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
webhooks_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
webhooks_workflow_test.go feat(webhooks): #101 — workflow_run event → DevOps A2A 2026-04-15 00:25:49 -07:00
webhooks.go feat(webhooks): #101 — workflow_run event → DevOps A2A 2026-04-15 00:25:49 -07:00
workspace_provision_test.go fix(security): YAML injection + path traversal via runtime/model (#241) 2026-04-15 13:17:32 -07:00
workspace_provision.go fix(security): YAML injection + path traversal via runtime/model (#241) 2026-04-15 13:17:32 -07:00
workspace_restart_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
workspace_restart.go feat(platform): inject restart context system message (#19 Layer 1) 2026-04-14 12:41:01 -07:00
workspace_test.go fix(auth): #138 — field-level authz on PATCH /workspaces/:id 2026-04-15 09:39:09 -07:00
workspace.go fix(security): YAML injection + path traversal via runtime/model (#241) 2026-04-15 13:17:32 -07:00