78f8391f02
PR #1885 introduced a regression: HandleConnect called wsauth.ValidateToken for any bearer token when X-Workspace-ID ≠ workspaceID. Org-scoped tokens (org_api_tokens table) are not in workspace_auth_tokens, so ValidateToken always returned ErrInvalidToken for them → hard 401 for all A2A routing that uses org tokens. Fix: if WorkspaceAuth already validated an org token (org_token_id set in gin context by orgtoken.Validate), skip the workspace_auth_tokens lookup and trust the X-Workspace-ID claim. Hierarchy enforcement via canCommunicateCheck is unchanged — org token holders are still subject to the workspace hierarchy. Workspace-scoped tokens continue to require ValidateToken binding. Invalid tokens (neither workspace-bound nor org-level) still return 401. This closes the regression while preserving the KI-005 security property. Add TestKI005_OrgToken_SkipsValidateToken to terminal_test.go as a regression guard for this exact path. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| cmd/server | ||
| internal | ||
| migrations | ||
| pkg/provisionhook | ||
| .ci-force | ||
| .gitignore | ||
| .golangci.yaml | ||
| Dockerfile | ||
| Dockerfile.tenant | ||
| entrypoint-tenant.sh | ||
| go.mod | ||
| go.sum | ||