Three unauthenticated routes allowed arbitrary read/write/delete of all global platform secrets (API keys, provider credentials) with zero auth:

- GET/PUT/POST /settings/secrets
- DELETE /settings/secrets/:key
- GET/POST/DELETE /admin/secrets (legacy aliases)

Fix: new AdminAuth middleware with same lazy-bootstrap contract as WorkspaceAuth — fail-open when no tokens exist (fresh install / pre-Phase-30 upgrade), enforce once any workspace has a live token. Any valid workspace bearer token grants access (platform-wide scope, no workspace binding needed).

Changes:

- wsauth/tokens.go — HasAnyLiveTokenGlobal + ValidateAnyToken functions
- wsauth/tokens_test.go — 5 new tests covering both new functions
- middleware/wsauth_middleware.go — AdminAuth middleware
- router/router.go — global secrets routes now registered under adminAuth group

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- ratelimit.go
- securityheaders_test.go
- securityheaders.go
- wsauth_middleware.go
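
The lazy-bootstrap contract described in the commit message, as an added sketch that is not the project's own code: it uses plain `net/http` instead of the project's router, and `memStore`, `probe`, and the signatures given to `HasAnyLiveTokenGlobal` and `ValidateAnyToken` are assumptions. It also assumes a token-store error should fail closed, which the commit message does not state.

```go
package main

import (
	"crypto/sha256"
	"net/http"
	"net/http/httptest"
	"strings"
)

// memStore is a constructed stand-in for the wsauth token table. Method names
// come from the commit message; signatures and storage are assumptions.
type memStore struct {
	live map[[32]byte]bool // SHA-256 digests of live workspace tokens
	err  error             // non-nil simulates a failing token database
}

func (s *memStore) HasAnyLiveTokenGlobal() (bool, error) { return len(s.live) > 0, s.err }
func (s *memStore) ValidateAnyToken(tok string) bool     { return s.live[sha256.Sum256([]byte(tok))] }

// AdminAuth fails open only while the store reports zero live tokens.
// A store error fails closed, so an outage cannot reopen the secrets routes.
func AdminAuth(s *memStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		enforce, err := s.HasAnyLiveTokenGlobal()
		h := r.Header.Get("Authorization")
		tok := strings.TrimPrefix(h, "Bearer ") // tok == h means no Bearer scheme
		switch {
		case err != nil:
			http.Error(w, "auth backend unavailable", http.StatusInternalServerError)
		case enforce && (tok == h || !s.ValidateAnyToken(tok)):
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// probe sends GET /settings/secrets through AdminAuth and returns the status code.
func probe(s *memStore, authz string) int {
	req, rec := httptest.NewRequest("GET", "/settings/secrets", nil), httptest.NewRecorder()
	req.Header.Set("Authorization", authz)
	AdminAuth(s, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	s := &memStore{live: map[[32]byte]bool{sha256.Sum256([]byte("constructed-token")): true}}
	println(probe(s, ""), probe(s, "Bearer constructed-token")) // prints 401 200
}
```

Because the middleware is open until the first token exists, a fresh install stays exposed on these routes until a workspace token is issued; the first `probe` case in the test shows that window.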