core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
ed3e8eed3c
molecule-core/platform/internal/middleware
History
Hongming Wang 25bd9241d1 fix(tenant): WebSocket URL derivation + AdminAuth same-origin for tenant image 
Two bugs on the combined tenant image (canvas + API same-origin):

1. WebSocket URL: NEXT_PUBLIC_WS_URL="" (empty string for same-origin)
   was preserved by ?? operator, producing an invalid WS URL. Now derives
   from window.location when both env vars are empty. Same fix applied
   to TerminalTab.

2. AdminAuth blocking canvas: same-origin requests have no Origin header,
   so neither AdminAuth nor CanvasOrBearer could authenticate the canvas.
   Added isSameOriginCanvas() that checks Referer against request Host,
   gated behind CANVAS_PROXY_URL (only active on tenant image). This
   lets the canvas create/list workspaces, view events, etc. without a
   bearer token when served from the same Go process.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 08:43:01 -07:00
..
ratelimit_test.go fix(router): call SetTrustedProxies(nil) to close IP-spoofing bypass (#179) 2026-04-15 17:32:54 +00:00
ratelimit.go fix: #93 category_routing + #105 X-RateLimit headers 2026-04-15 00:23:46 -07:00
securityheaders_test.go fix: address all code review findings + remove exposed secrets 2026-04-16 05:05:49 -07:00
securityheaders.go fix: address all code review findings + remove exposed secrets 2026-04-16 05:05:49 -07:00
tenant_guard_test.go fix(middleware): tenant guard reads bare UUID from state= (no prefix) 2026-04-14 18:09:44 -07:00
tenant_guard.go fix(middleware): tenant guard reads bare UUID from state= (no prefix) 2026-04-14 18:09:44 -07:00
wsauth_middleware_test.go chore(test): remove dead constants from wsauth_middleware_test.go (#358) 2026-04-16 05:02:11 +00:00
wsauth_middleware.go fix(tenant): WebSocket URL derivation + AdminAuth same-origin for tenant image 2026-04-16 08:43:01 -07:00