molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
0de67cd379
molecule-core/workspace-server/internal/middleware
History
Hongming Wang eb42f7d145 test(middleware): branch coverage for CanvasOrBearer + IsSameOriginCanvas (closes #1818) 
Per the 2026-04-23 audit, wsauth_middleware.go had two coverage holes
on auth-boundary code:

  CanvasOrBearer       50.0% (only fail-open + Origin paths covered)
  IsSameOriginCanvas    0.0% (exported wrapper never exercised)

This adds focused tests for the missing branches:

  CanvasOrBearer:
    - ValidBearer_Passes              (path-1 success)
    - InvalidBearer_Returns401        (auth-escape regression: bad
                                        bearer + matching Origin must
                                        NOT fall through to Origin)
    - AdminTokenEnv_Passes            (ADMIN_TOKEN constant-time match)
    - DBError_FailOpen                (documented fail-open behavior)
    - SameOriginCanvas_Passes         (path-3 combined-tenant image)

  IsSameOriginCanvas / isSameOriginCanvas:
    - ExportedWrapper_DelegatesToInternal
    - DisabledByEnv                   (CANVAS_PROXY_URL unset short-circuit)
    - BranchCoverage                  (table-driven: 11 host/referer/origin
                                        cases incl. the h.example.com.evil.com
                                        suffix-attack rejection)

Coverage moves CanvasOrBearer 50% → 100%, IsSameOriginCanvas 0% → 100%,
and middleware-package overall 81.6% → 86.0%. No production code change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 04:23:24 -07:00
..
devmode_test.go refactor(middleware): extract dev-mode fail-open predicate 2026-04-23 14:55:34 -07:00
devmode.go fix: six UX bugs (peers auth, scroll, chat tabs, config persist, + visibility) 2026-04-23 20:18:30 -07:00
mcp_ratelimit_test.go chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
mcp_ratelimit.go chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
ratelimit_test.go chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
ratelimit.go fix: dev-mode bypass for IP rate limiter + 429 retry on GET 2026-04-23 20:44:09 -07:00
securityheaders_test.go chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
securityheaders.go chore: open-source restructure — rename dirs, remove internal files, scrub secrets 2026-04-18 00:24:44 -07:00
session_auth_test.go fix(canvas/a11y): restore aria-hidden on backdrop div after cherry-pick conflict 2026-04-24 03:10:18 +00:00
session_auth.go fix(canvas/a11y): aria-hidden SVGs, MissingKeysModal dialog, session cookie auth 2026-04-24 04:30:26 +00:00
tenant_guard_test.go fix(tenant-guard): allowlist /registry/register + /registry/heartbeat (#1236) 2026-04-21 02:47:27 +00:00
tenant_guard.go fix(tenant-guard): allowlist /registry/register + /registry/heartbeat (#1236) 2026-04-21 02:47:27 +00:00
wsauth_middleware_canvasorbearer_test.go test(middleware): branch coverage for CanvasOrBearer + IsSameOriginCanvas (closes #1818) 2026-04-26 04:23:24 -07:00
wsauth_middleware_org_id_test.go test(middleware): add last_used_at ExpectExec for WorkspaceAuth org-token tests 2026-04-24 13:01:42 +00:00
wsauth_middleware_test.go fix(test): rename duplicate TestCanvasOrBearer_WrongOrigin test at line 946 — resolves Platform(Go) CI compile error on PR #2040 2026-04-24 18:04:13 +00:00
wsauth_middleware.go fix(middleware): add missing return after AbortWithStatusJSON in CanvasOrBearer 2026-04-24 18:04:13 +00:00