Molecule AI DevOps Engineer
aa38fc55ed
Backend Engineer's PR #729 introduces ADMIN_TOKEN — when set, only that value is accepted on /admin/* and /approvals/* routes, replacing the vulnerable workspace-bearer fallback. Without the env var wired into deployments the fix is code-only and the vulnerability stays open in every running instance. Changes: - `docker-compose.yml`: adds ADMIN_TOKEN env var to the platform service (blank default = backward-compat fallback, i.e. still vulnerable until set). NOTE: docker-compose.infra.yml has no platform service — the platform lives only in the full-stack docker-compose.yml, so that is the correct file. - `.env.example`: documents ADMIN_TOKEN with generation instructions and a clear warning that it must be set to close #684. - `infra/scripts/setup.sh`: prints a visible warning when ADMIN_TOKEN is unset so operators know the vulnerability is still open in that deployment. - `CLAUDE.md`: adds ADMIN_TOKEN to the env vars reference section. No Go code changed — go build ./... passes clean. Part of fix for #684 / PR #729 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
57 lines
2.1 KiB
Bash
Executable File
57 lines
2.1 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
ROOT_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)"
|
|
|
|
echo "==> Ensuring shared docker network exists..."
|
|
docker network create molecule-monorepo-net 2>/dev/null || true
|
|
|
|
echo "==> Starting infrastructure..."
|
|
docker compose -f "$ROOT_DIR/docker-compose.infra.yml" up -d
|
|
|
|
echo "==> Waiting for Postgres..."
|
|
until docker compose -f "$ROOT_DIR/docker-compose.infra.yml" exec -T postgres pg_isready -U "${POSTGRES_USER:-dev}" 2>/dev/null; do
|
|
sleep 1
|
|
done
|
|
echo " Postgres is ready."
|
|
|
|
echo "==> Waiting for Redis..."
|
|
until docker compose -f "$ROOT_DIR/docker-compose.infra.yml" exec -T redis redis-cli ping 2>/dev/null | grep -q PONG; do
|
|
sleep 1
|
|
done
|
|
echo " Redis is ready."
|
|
|
|
echo "==> Verifying Redis KEA config..."
|
|
KEA=$(docker compose -f "$ROOT_DIR/docker-compose.infra.yml" exec -T redis redis-cli config get notify-keyspace-events | tail -1)
|
|
echo " notify-keyspace-events = $KEA"
|
|
|
|
echo "==> Running migrations..."
|
|
MIGRATIONS_DIR="$ROOT_DIR/platform/migrations"
|
|
if [ -d "$MIGRATIONS_DIR" ]; then
|
|
for f in "$MIGRATIONS_DIR"/*.sql; do
|
|
echo " Applying $(basename "$f")..."
|
|
docker compose -f "$ROOT_DIR/docker-compose.infra.yml" exec -T postgres \
|
|
psql -U "${POSTGRES_USER:-dev}" -d "${POSTGRES_DB:-molecule}" -f - < "$f"
|
|
done
|
|
echo " Migrations complete."
|
|
else
|
|
echo " No migrations directory found, skipping."
|
|
fi
|
|
|
|
echo "==> Infrastructure ready!"
|
|
echo " Postgres: localhost:5432"
|
|
echo " Redis: localhost:6379"
|
|
echo " Langfuse: localhost:3001"
|
|
|
|
# Security check — issue #684 (AdminAuth bearer bypass, PR #729).
|
|
# Without ADMIN_TOKEN, any valid workspace bearer token can call /admin/* routes.
|
|
if [ -z "${ADMIN_TOKEN:-}" ]; then
|
|
echo ""
|
|
echo " ⚠ WARNING: ADMIN_TOKEN is not set."
|
|
echo " Until it is, AdminAuth falls back to accepting any workspace bearer token"
|
|
echo " — the #684 vulnerability is NOT closed in this deployment."
|
|
echo " Generate one: openssl rand -base64 32"
|
|
echo " Then export ADMIN_TOKEN=<value> or add it to your .env before starting the platform."
|
|
fi
|