Backend Engineer's PR #729 introduces ADMIN_TOKEN — when set, only that value is accepted on /admin/* and /approvals/* routes, replacing the vulnerable workspace-bearer fallback. Without the env var wired into deployments the fix is code-only and the vulnerability stays open in every running instance.

Changes:
- `docker-compose.yml`: adds ADMIN_TOKEN env var to the platform service (blank default = backward-compat fallback, i.e. still vulnerable until set). NOTE: docker-compose.infra.yml has no platform service — the platform lives only in the full-stack docker-compose.yml, so that is the correct file.
- `.env.example`: documents ADMIN_TOKEN with generation instructions and a clear warning that it must be set to close #684.
- `infra/scripts/setup.sh`: prints a visible warning when ADMIN_TOKEN is unset so operators know the vulnerability is still open in that deployment.
- `CLAUDE.md`: adds ADMIN_TOKEN to the env vars reference section.

No Go code changed — go build ./... passes clean.

Part of fix for #684 / PR #729

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -43,3 +43,14 @@ echo "==> Infrastructure ready!"
|
||||
echo " Postgres: localhost:5432"
|
||||
echo " Redis: localhost:6379"
|
||||
echo " Langfuse: localhost:3001"
|
||||
|
||||
# Security check — issue #684 (AdminAuth bearer bypass, PR #729).
|
||||
# Without ADMIN_TOKEN, any valid workspace bearer token can call /admin/* routes.
|
||||
if [ -z "${ADMIN_TOKEN:-}" ]; then
|
||||
echo ""
|
||||
echo " ⚠ WARNING: ADMIN_TOKEN is not set."
|
||||
echo " Until it is, AdminAuth falls back to accepting any workspace bearer token"
|
||||
echo " — the #684 vulnerability is NOT closed in this deployment."
|
||||
echo " Generate one: openssl rand -base64 32"
|
||||
echo " Then export ADMIN_TOKEN=<value> or add it to your .env before starting the platform."
|
||||
fi
|
||||
|
||||
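Review bot: The `[ -z "${ADMIN_TOKEN:-}" ]` test that opens the added block only sees the environment of the shell running setup.sh, while the last echo tells operators that adding the value to `.env` is sufficient. Unless the script loads `.env` before this point (not visible in this hunk), an operator who followed that advice still gets the warning on every run, and one who only exported the variable in this shell gets no warning even if the platform container never receives it. Consider checking `.env` as well, or rewording the message to say which source is being checked. The warning is also written to stdout after "Infrastructure ready!" and the script still finishes normally; sending these echo lines to stderr with `>&2` would keep them visible when stdout is redirected or captured.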