molecule-ai/molecule-core
36
0
Fork 2
Code Issues 14 Pull Requests 27 Actions 3.3k Packages Projects Releases Wiki Activity
6edaebca00
molecule-core/platform/internal/middleware
History
Backend Engineer 6edaebca00 fix: require workspace auth on DELETE /secrets/:key (#170) 
The route wsAuth.DELETE("/secrets/:key", sech.Delete) was already moved
inside the WorkspaceAuth group in a prior commit, closing the CWE-306
unauthenticated-delete vector. This commit adds two regression tests to
lock that in:

- TestWorkspaceAuth_Issue170_SecretDelete_NoBearer_Returns401: workspace
  with live tokens, no bearer header → 401 (blocks the attack).
- TestWorkspaceAuth_Issue170_SecretDelete_FailOpen_NoTokens: workspace
  with no tokens (bootstrap/legacy) → 200 (fail-open preserved).

Mirrors the TestAdminAuth_Issue120_* and TestWorkspaceAuth_C4_C8_* patterns.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-15 17:42:08 +00:00
..
ratelimit_test.go fix: #93 category_routing + #105 X-RateLimit headers 2026-04-15 00:23:46 -07:00
ratelimit.go fix: #93 category_routing + #105 X-RateLimit headers 2026-04-15 00:23:46 -07:00
securityheaders_test.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
securityheaders.go initial commit — Molecule AI platform 2026-04-13 11:55:37 -07:00
tenant_guard_test.go fix(middleware): tenant guard reads bare UUID from state= (no prefix) 2026-04-14 18:09:44 -07:00
tenant_guard.go fix(middleware): tenant guard reads bare UUID from state= (no prefix) 2026-04-14 18:09:44 -07:00
wsauth_middleware_test.go fix: require workspace auth on DELETE /secrets/:key (#170) 2026-04-15 17:42:08 +00:00
wsauth_middleware.go fix(security): protect global secrets routes with AdminAuth middleware (Cycle 7) 2026-04-14 06:33:22 +00:00