molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
2cecd4ee3d
molecule-core/platform/internal/middleware
History
Hongming Wang 3db589770e fix(auth): allow nesting + delete from tenant canvas (same-origin) 
PATCH /workspaces/:id field-level auth for parent_id/tier/runtime
required a bearer token, blocking canvas nesting (drag-to-nest).
Added IsSameOriginCanvas check so the tenant canvas can update
sensitive fields without a bearer.

Exported IsSameOriginCanvas from middleware package so workspace.go
can call it for the field-level auth path.

DELETE /workspaces/:id is behind AdminAuth which already has the
same-origin check — if delete still fails, it's a different issue.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 11:22:45 -07:00
..
ratelimit_test.go fix(router): call SetTrustedProxies(nil) to close IP-spoofing bypass (#179) 2026-04-15 17:32:54 +00:00
ratelimit.go fix: #93 category_routing + #105 X-RateLimit headers 2026-04-15 00:23:46 -07:00
securityheaders_test.go fix: address all code review findings + remove exposed secrets 2026-04-16 05:05:49 -07:00
securityheaders.go fix: address all code review findings + remove exposed secrets 2026-04-16 05:05:49 -07:00
tenant_guard_test.go fix(middleware): tenant guard reads bare UUID from state= (no prefix) 2026-04-14 18:09:44 -07:00
tenant_guard.go fix(middleware): tenant guard reads bare UUID from state= (no prefix) 2026-04-14 18:09:44 -07:00
wsauth_middleware_test.go chore(test): remove dead constants from wsauth_middleware_test.go (#358) 2026-04-16 05:02:11 +00:00
wsauth_middleware.go fix(auth): allow nesting + delete from tenant canvas (same-origin) 2026-04-16 11:22:45 -07:00