core-lead/molecule-core
1
0
Fork 0
forked from molecule-ai/molecule-core
Code Pull Requests Activity
fa239217a0
molecule-core/platform/internal
History
Hongming Wang fa239217a0 fix(security): remove WorkspaceAuth tokenless grace period (#351) 
Severity HIGH. #318 closed the fake-UUID fail-open for WorkspaceAuth
but left the grace period intact for *real* workspaces with no live
tokens. Zombie test-artifact workspaces from prior DAST runs still
exist in the DB with empty configs and no tokens, so they pass
WorkspaceExists=true but HasAnyLiveToken=false — and fell through the
grace period, leaking every global-secret key name to any
unauthenticated caller on the Docker network.

Phase 30.1 shipped months ago; every production workspace has gone
through multiple boot cycles and acquired a token since. The
"legacy workspaces grandfathered" window no longer serves legitimate
traffic. Removing it entirely is the cleanest fix — and does NOT
affect registration (which is on /registry/register, outside this
middleware's scope).

New contract (strict):

  every /workspaces/:id/* request MUST carry
  Authorization: Bearer <token-for-this-workspace>

Any missing/mismatched/revoked/wrong-workspace bearer → 401. No
existence check, no fallback. The wsauth.WorkspaceExists helper is
kept in the package for any future caller but no longer used here.

Tests:
- TestWorkspaceAuth_351_NoBearer_Returns401_NoDBCalls — new, covers
  fake UUID / zombie / pre-token in one sub-table. Asserts zero DB
  calls on missing bearer.
- Existing C4/C8 + #170 tests updated to drop the stale
  HasAnyLiveToken sqlmock expectations.
- Renamed TestWorkspaceAuth_Issue170_SecretDelete_FailOpen_NoTokens
  to _NoTokensStillRejected and flipped the assertion from 200 to 401.
- Dropped TestWorkspaceAuth_318_ExistsQueryError_Returns500 — the
  code path it covered no longer exists.

Full platform test sweep green.

Closes #351

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 21:52:44 -07:00
..
bundle initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
channels fix(security): scope PausePollersForToken to requesting workspace (closes #329) 2026-04-15 21:22:50 -07:00
crypto initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
db fix(db): #211 — migration runner skips *.down.sql (stop wiping data on boot) 2026-04-15 11:24:06 -07:00
envx initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
events initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
handlers Merge pull request #343 from Molecule-AI/fix/issue-337-webhook-secret-constant-time 2026-04-15 21:31:02 -07:00
metrics initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
middleware fix(security): remove WorkspaceAuth tokenless grace period (#351) 2026-04-15 21:52:44 -07:00
models initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
plugins initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
provisioner Merge pull request #57 from Molecule-AI/fix/issue-12-preserve-claude-sessions 2026-04-14 12:26:12 -07:00
registry fix(registry): allow ancestor↔descendant A2A so audit_summary can reach PM 2026-04-14 22:18:38 -07:00
router feat: GET /workspaces/:id/transcript — live agent session log 2026-04-15 14:29:43 -07:00
scheduler fix(code-review): CanvasOrBearer fall-through, scheduler short(), activity spoof log + 6 new tests 2026-04-15 11:48:25 -07:00
supervised fix(platform): panic-recovering supervisor for every background goroutine (#92) 2026-04-14 20:34:18 -07:00
ws initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
wsauth fix(security): close WorkspaceAuth fail-open on non-existent workspace IDs (#318) 2026-04-15 21:02:29 -07:00