forked from molecule-ai/molecule-core
fec7ac82d3
Three unauthenticated routes allowed arbitrary read/write/delete of all global platform secrets (API keys, provider credentials) with zero auth: - GET/PUT/POST /settings/secrets - DELETE /settings/secrets/:key - GET/POST/DELETE /admin/secrets (legacy aliases) Fix: new AdminAuth middleware with same lazy-bootstrap contract as WorkspaceAuth — fail-open when no tokens exist (fresh install / pre-Phase-30 upgrade), enforce once any workspace has a live token. Any valid workspace bearer token grants access (platform-wide scope, no workspace binding needed). Changes: wsauth/tokens.go — HasAnyLiveTokenGlobal + ValidateAnyToken functions wsauth/tokens_test.go — 5 new tests covering both new functions middleware/wsauth_middleware.go — AdminAuth middleware router/router.go — global secrets routes now registered under adminAuth group Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| bundle | ||
| channels | ||
| crypto | ||
| db | ||
| envx | ||
| events | ||
| handlers | ||
| metrics | ||
| middleware | ||
| models | ||
| plugins | ||
| provisioner | ||
| registry | ||
| router | ||
| scheduler | ||
| ws | ||
| wsauth | ||