From 992e6d3f3883f5f5ccf4dcbcaa76146429aae3a5 Mon Sep 17 00:00:00 2001
From: rabbitblood
Date: Mon, 20 Apr 2026 12:45:09 -0700
Subject: [PATCH] fix(auth): accept admin token in CanvasOrBearer for viewport PUT
---
 workspace-server/internal/middleware/wsauth_middleware.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/workspace-server/internal/middleware/wsauth_middleware.go b/workspace-server/internal/middleware/wsauth_middleware.go
index d8175c36..d0ff090b 100644
--- a/workspace-server/internal/middleware/wsauth_middleware.go
+++ b/workspace-server/internal/middleware/wsauth_middleware.go
@@ -188,6 +188,12 @@ func CanvasOrBearer(database *sql.DB) gin.HandlerFunc {
 		// expired token + a matching Origin would otherwise bypass auth.
 		// Empty bearer → skip to Origin path (canvas never sends one).
 		if tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization")); tok != "" {
+			// Admin token accepted for canvas dashboard
+			adminSecret := os.Getenv("ADMIN_TOKEN")
+			if adminSecret != "" && subtle.ConstantTimeCompare([]byte(tok), []byte(adminSecret)) == 1 {
+				c.Next()
+				return
+			}
 			if err := wsauth.ValidateAnyToken(ctx, database, tok); err != nil {
 				c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid admin auth token"})
 				return
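Review bot: The `ADMIN_TOKEN` shortcut inserted ahead of `ValidateAnyToken` turns a single static environment value into a non-expiring, non-revocable bearer credential that is accepted on every request passing through `CanvasOrBearer`, not only the viewport PUT the subject names; if only that route needs it, gate the check on the route or move it into that handler, and emit an audit log line on the bypass, since it skips whatever the validated-token path may otherwise set on the context for downstream handlers. `os.Getenv("ADMIN_TOKEN")` is also re-read on every request; read it once where the handler closure is built (`adminSecret := os.Getenv("ADMIN_TOKEN")` near the top of `CanvasOrBearer`, before the returned `func(c *gin.Context)`) and only compare inside the handler. `subtle.ConstantTimeCompare` returns 0 immediately when lengths differ, so the secret's length remains observable through timing; tolerable for a long random token, but worth a one-line comment such as `// length of ADMIN_TOKEN is not secret; value comparison is constant-time`. The patch carries no import hunk, so `os` and `crypto/subtle` must already be imported in this file or the build breaks. The enclosing `if tok := ...` block and the `CanvasOrBearer` closure both continue past the end of the hunk.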