molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity

Merge pull request #502 from Molecule-AI/fix/update-delete-same-origin

Browse Source 
fix(auth): nesting + delete from tenant canvas
This commit is contained in:
Hongming Wang 2026-04-16 11:26:27 -07:00 committed by GitHub
commit 2cecd4ee3d
2 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
platform/internal/handlers/workspace.go
View File

@ -12,6 +12,7 @@ import (
"github.com/Molecule-AI/molecule-monorepo/platform/internal/db"
"github.com/Molecule-AI/molecule-monorepo/platform/internal/events"
"github.com/Molecule-AI/molecule-monorepo/platform/internal/middleware"
"github.com/Molecule-AI/molecule-monorepo/platform/internal/models"
"github.com/Molecule-AI/molecule-monorepo/platform/internal/provisioner"
"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
@ -488,6 +489,9 @@ func (h *WorkspaceHandler) Update(c *gin.Context) {
}
tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization"))
if tok == "" {
if middleware.IsSameOriginCanvas(c) {
break // tenant canvas — trusted same-origin
}
c.JSON(http.StatusUnauthorized, gin.H{"error": "admin auth required for field: " + field})
return
}

7
platform/internal/middleware/wsauth_middleware.go
View File

@ -209,6 +209,13 @@ func canvasOriginAllowed(origin string) bool {
// on every request.
var canvasProxyActive = os.Getenv("CANVAS_PROXY_URL") != ""
// IsSameOriginCanvas is the exported version for use outside the middleware
// package (e.g. workspace.go field-level auth). Same logic as the internal
// callers in AdminAuth/WorkspaceAuth/CanvasOrBearer.
func IsSameOriginCanvas(c *gin.Context) bool {
return isSameOriginCanvas(c)
}
func isSameOriginCanvas(c *gin.Context) bool {
if !canvasProxyActive {
return false