479a027e4b
Renames: - platform/ → workspace-server/ (Go module path stays as "platform" for external dep compat — will update after plugin module republish) - workspace-template/ → workspace/ Removed (moved to separate repos or deleted): - PLAN.md — internal roadmap (move to private project board) - HANDOFF.md, AGENTS.md — one-time internal session docs - .claude/ — gitignored entirely (local agent config) - infra/cloudflare-worker/ → Molecule-AI/molecule-tenant-proxy - org-templates/molecule-dev/ → standalone template repo - .mcp-eval/ → molecule-mcp-server repo - test-results/ — ephemeral, gitignored Security scrubbing: - Cloudflare account/zone/KV IDs → placeholders - Real EC2 IPs → <EC2_IP> in all docs - CF token prefix, Neon project ID, Fly app names → redacted - Langfuse dev credentials → parameterized - Personal runner username/machine name → generic Community files: - CONTRIBUTING.md — build, test, branch conventions - CODE_OF_CONDUCT.md — Contributor Covenant 2.1 All Dockerfiles, CI workflows, docker-compose, railway.toml, render.yaml, README, CLAUDE.md updated for new directory names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
57 lines
1.9 KiB
Go
57 lines
1.9 KiB
Go
package router
|
|
|
|
import (
|
|
"log"
|
|
"net/http"
|
|
"net/http/httputil"
|
|
"net/url"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// newCanvasProxy returns a Gin handler that reverse-proxies all unmatched
|
|
// routes to the canvas Next.js server. Used in the combined tenant image
|
|
// (Dockerfile.tenant) where Go platform (:8080) and canvas (:3000) run in
|
|
// the same container.
|
|
//
|
|
// The proxy forwards the request path, query, and headers as-is. The Host
|
|
// header is rewritten to the canvas upstream so Next.js doesn't reject it
|
|
// (Next.js checks Host in dev mode). Response headers from canvas flow back
|
|
// to the client unchanged.
|
|
//
|
|
// Security: Authorization and Cookie headers are stripped before forwarding.
|
|
// Workspace bearer tokens must not reach the Next.js process — canvas has no
|
|
// token-validation logic and an unpatched Next.js route could echo them back
|
|
// to an attacker via an error page or debug endpoint (issue #451).
|
|
//
|
|
// Why NoRoute + proxy instead of nginx: one fewer process, one fewer config
|
|
// file, and the Go router already knows which routes are API routes. Any
|
|
// path not registered as an API route is a canvas page by elimination.
|
|
func newCanvasProxy(targetURL string) gin.HandlerFunc {
|
|
target, err := url.Parse(targetURL)
|
|
if err != nil {
|
|
log.Fatalf("canvas_proxy: invalid CANVAS_PROXY_URL %q: %v", targetURL, err)
|
|
}
|
|
|
|
proxy := &httputil.ReverseProxy{
|
|
Director: func(req *http.Request) {
|
|
req.URL.Scheme = target.Scheme
|
|
req.URL.Host = target.Host
|
|
req.Host = target.Host
|
|
// N2 (issue #451): strip credential headers — workspace bearer
|
|
// tokens and session cookies must not reach the canvas process.
|
|
req.Header.Del("Authorization")
|
|
req.Header.Del("Cookie")
|
|
},
|
|
ErrorHandler: func(w http.ResponseWriter, _ *http.Request, err error) {
|
|
log.Printf("canvas_proxy: %v", err)
|
|
w.WriteHeader(http.StatusBadGateway)
|
|
w.Write([]byte("canvas unavailable"))
|
|
},
|
|
}
|
|
|
|
return func(c *gin.Context) {
|
|
proxy.ServeHTTP(c.Writer, c.Request)
|
|
}
|
|
}
|