molecule-ai/molecule-core
35
0
Fork 2
Code Issues 16 Pull Requests 2 Actions 49 Packages Projects Releases Wiki Activity
7fd217f93f
molecule-core/workspace-template/transcript_auth.py
Hongming Wang e1cdb5c9c6 fix(security): /transcript endpoint fails closed when auth token missing (#328) 
Severity HIGH. The /transcript route in main.py used `if expected:`
around the bearer-token compare, so `get_token()` returning None (no
/configs/.auth_token on disk — bootstrap window, deleted file, OSError)
silently skipped the entire auth check. Any container on
molecule-monorepo-net could GET /transcript during the provisioning
window and walk away with the full session log (user messages, Claude
tool calls, assistant replies).

The platform's TranscriptHandler always has a valid token (it acquired
one at workspace registration), so tightening this gate has no
legitimate-caller impact. Only unauthenticated sniffers lose access,
which was never the intended contract of #287.

Fix:

1. Extracted the auth gate into `workspace-template/transcript_auth.py`
   — a 20-line module with no heavy imports so the security-critical
   code is unit-testable without standing up the full uvicorn/a2a/httpx
   stack (the former inline guard could only be tested end-to-end,
   which explains why the regression shipped in #287).

2. `transcript_authorized(expected, auth_header)` returns False when
   `expected` is None or empty — the #328 fix — and otherwise does
   strict equality against "Bearer <expected>".

3. main.py's inline handler calls the extracted function:
     if not _transcript_authorized(get_token(), auth_header):
         return 401

4. New tests/test_transcript_auth.py covers: None token, empty token,
   valid bearer, wrong bearer, missing header, case-sensitive prefix,
   whitespace fuzzing. All 7 pass.

Closes #328

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 21:17:37 -07:00

31 lines
1.3 KiB
Python
Raw Blame History

"""Auth gate for the /transcript Starlette route.
Extracted from main.py so the security-critical logic is unit-testable
without standing up the full uvicorn/a2a/httpx import stack.
#328: the route must fail CLOSED when the expected token is unavailable
(bootstrap window, missing file, OSError). The previous implementation
treated a missing token as "skip auth entirely" — any container on the
same Docker network could read the session log during provisioning.
"""
def transcript_authorized(expected_token: str | None, auth_header: str) -> bool:
"""Return True iff /transcript should serve the request.
Args:
expected_token: the workspace's registered bearer token, or None
if `/configs/.auth_token` is absent / unreadable.
auth_header: raw value of the Authorization request header.
Behavior:
- None/empty expected → fail closed (401). This is the #328 fix;
a missing token file is an auth failure, not a bypass.
- Non-empty expected: strict equality check against "Bearer <tok>".
Bearer prefix is case-sensitive (matches the platform's
wsauth.BearerTokenFromHeader contract).
"""
if not expected_token:
return False
return auth_header == f"Bearer {expected_token}"
Reference in New Issue View Git Blame Copy Permalink