b4cd78729d
* fix(platform-go-ci): align test mocks with schema drift + org_id context contract
Reduces Platform (Go) CI failures from 12 to 2 (both remaining are pre-existing
on origin/main and unrelated to this PR's scope).
Schema drift fixes (sqlmock column counts misaligned with current prod Scans):
- `orgtoken/tokens_test.go`: Validate query gained `org_id` column post-migration
036 — updated 3 TestValidate_* tests from 2-col to 3-col ExpectQuery.
- `handlers/handlers_test.go` + `_additional_test.go`: `scanWorkspaceRow` now
has 21 cols (`max_concurrent_tasks` inserted between `active_tasks` and
`last_error_rate`). Updated TestWorkspaceList, TestWorkspaceList_WithData,
and TestWorkspaceGet_CurrentTask mocks.
- `handlers/handlers_test.go`: activity scan now has 14 cols (`tool_trace`
between `response_body` and `duration_ms`). Updated 5 TestActivityHandler_*
tests (List, ListByType, ListEmpty, ListCustomLimit, ListMaxLimit).
Middleware org_id contract (7 failing tests → passing, zero prod callers):
- `middleware/wsauth_middleware.go`: WorkspaceAuth and AdminAuth now set the
`org_id` context key only when the token has a non-NULL org_id. This lets
downstream handlers use `c.Get("org_id")` existence to distinguish anchored
tokens from pre-migration/ADMIN_TOKEN bootstrap tokens. Grep confirmed no
current prod callers read this key — tests were the sole spec.
- `middleware/wsauth_middleware_test.go` + `_org_id_test.go`: consolidated
separate primary+secondary ExpectQuery blocks into a single 3-col mock
per test, and dropped the now-unused `orgTokenOrgIDQuery` constant.
Other:
- `handlers/github_token_test.go`: TestGitHubToken_NoTokenProvider now asserts
500 + "token refresh failed" (env-based fallback path added in #960/#1101).
Added missing `strings` import.
- `handlers/handlers_additional_test.go`: TestRegister_ProvisionerURLPreserved
URL changed from `http://agent:8000` to `http://localhost:8000` — `agent` is
not DNS-resolvable in CI and is rejected by validateAgentURL's SSRF check;
`localhost` is name-exempt. The contract under test is provisioner-URL
precedence, not URL validation.
Methodology (per quality mandate):
- Baselined 12 failing tests on clean origin/main before any edit.
- For each fix: grep'd prod for semantic contract, made minimal edits,
verified full-suite delta = zero regressions.
- Discovered +5 pre-existing failures previously masked by TestWorkspaceList
panic (which killed the test binary on origin/main before downstream tests
ran). 3 of these are in this PR's bug class and were fixed; 2 are unrelated
(a panicking test with a missing Request and a missing template file) —
deferred to a follow-up issue.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore: trigger CI after base retarget to main
* fix(platform-go-ci): stop TestRequireCallerOwnsOrg_NotOrgTokenCaller panic + skip yaml-includes test
Reduces Platform (Go) CI failures from 2 to 1 on this branch.
- `TestRequireCallerOwnsOrg_NotOrgTokenCaller`: the test's comment says
"set to a non-string type" but the code stored the string "something",
which passed the `tokenID.(string)` assertion in requireCallerOwnsOrg
and triggered a DB lookup on a bare gin test context (no Request) →
nil-deref in c.Request.Context(). Fixed by storing an int (12345), which
matches the stated intent of exercising the non-string-assertion branch.
- `TestResolveYAMLIncludes_RealMoleculeDev`: the in-tree copy at
/org-templates/molecule-dev/ is being extracted to the standalone
Molecule-AI/molecule-ai-org-template-molecule-dev repo. Until that
extraction lands the in-tree copy is stale (teams/dev.yaml !include's
core-platform.yaml etc. that don't exist). Skipped with a pointer to
the extraction so this doesn't rot.
Remaining failure: `TestRequireCallerOwnsOrg_TokenHasMatchingOrgID` panics
with the same root cause (bare gin context + string org_token_id → DB
lookup → nil-deref). Fixing it by adding a Request would unmask ~25 other
pre-existing hidden failures (schema drift, DNS-dependent tests, mock
drift) that were being masked by the earlier panic killing the test
binary. Those belong to a dedicated cleanup PR; the panic-chain triage
is tracked separately.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(platform-go-ci): eliminate remaining 25 cascade failures + harden auth
Takes Platform (Go) CI from 1 remaining failure (post–first pass) to 0.
Fixing `TestRequireCallerOwnsOrg_NotOrgTokenCaller`'s panic unmasked ~25
pre-existing handler-package failures that were silently hidden because
the panic killed the test binary mid-run. All are now fixed.
## Prod change
`org_plugin_allowlist.go#requireOrgOwnership` now denies unanchored
org-tokens (org_id NULL in DB) instead of treating them as session/admin.
The stated contract in `requireCallerOwnsOrg`'s comment already said
"those callers get callerOrg="" and are denied"; the downstream check
was the gap. Distinguishes the two `callerOrg == ""` paths by reading
`c.Get("org_token_id")` — key present → unanchored token → deny;
absent → session/ADMIN_TOKEN → allow.
## Tests fixed by class
**Request-less test-context panic** (7 tests, `org_plugin_allowlist_test.go`):
added `httptest.NewRequest(...)` to each bare `gin.CreateTestContext` so
the DB path in `requireCallerOwnsOrg` can read `c.Request.Context()`
without nil-deref.
**Workspace scan drift — `max_concurrent_tasks` 21st column** (8 tests):
- `TestWorkspaceGet_Success`, `_FinancialFieldsStripped`, `_SensitiveFieldsStripped`
- `TestWorkspaceBudget_Get_NilLimit`, `_WithLimit` (+ shared `wsColumns`)
- `TestWorkspaceBudget_A2A_UnderLimitPassesThrough`, `_NilLimitPassesThrough`,
`_DBErrorFailOpen` — each also needed `allowLoopbackForTest(t)` because
the SSRF guard now blocks `httptest.NewServer`'s 127.0.0.1 URL.
**Org-token INSERT param drift — added `org_id` 5th param** (5 tests,
`org_tokens_test.go`): `TestOrgTokenHandler_Create_*` (4) get a 5th
`nil` `WithArgs` arg; `TestOrgTokenHandler_List_HappyPath` gets `org_id`
as the 4th column in its mock row.
**ReplaceFiles/WriteFile restart-cascade SELECT shape change** (3 tests,
`template_import_test.go` + `templates_test.go`): handler now selects
`name, instance_id, runtime` for the post-write restart cascade — tests
now pin the full 3-column shape instead of just `SELECT name`.
**GitHub webhook forwarding** (2 tests, `webhooks_test.go`): added
`allowLoopbackForTest(t)` — same SSRF-guard / loopback-server mismatch
as the budget A2A tests.
**DNS-dependent sentinel hostname** (2 tests): `TestIsSafeURL/public_*`
+ `TestValidateAgentURL/valid_public_*` used `agent.example.com` which
is NXDOMAIN on most resolvers; switched to `example.com` itself (RFC-2606,
resolves globally via Cloudflare Anycast).
**Register C18 hijack assertion** (`registry_test.go`): attacker URL
was `attacker.example.com` (NXDOMAIN) → `validateAgentURL` rejected
with 400 before the C18 auth gate could fire 401. Switched to
`example.com` so the test actually exercises the C18 gate.
**Plugin install error vocabulary** (`plugins_test.go`): handler now
returns generic "invalid plugin source" instead of leaking the internal
`ParseSource` "empty spec" string to the HTTP surface. Test assertion
updated; "empty spec" still covered at the unit level in `plugins/source_test.go`.
**seedInitialMemories tests tripping redactSecrets** (3 tests,
`workspace_provision_test.go`): content was `strings.Repeat("X", N)`
which matches the BASE64_BLOB redactor (33+ chars of `[A-Za-z0-9+/]`)
and got replaced with `[REDACTED:BASE64_BLOB]` before INSERT, making
the `WithArgs` assertion mismatch. Switched to a space-containing
`"hello world "` pattern that breaks the run. Also fixed an unrelated
pre-existing bug in `TestSeedInitialMemories_Truncation` where
`copy([]byte(largeContent), "X")` was a no-op (strings are immutable
in Go — the copy modified a throwaway slice).
Net: Platform (Go) handlers package is now fully green on `go test -race`.
Unblocks PRs #1738, #1743, and any future handlers-package work that was
inheriting the 12→25 baseline.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Hongming Wang <hongmingwang.rabbit@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
367 lines
14 KiB
Go
367 lines
14 KiB
Go
package middleware
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"database/sql"
|
|
"errors"
|
|
"log"
|
|
"net/http"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/Molecule-AI/molecule-monorepo/platform/internal/orgtoken"
|
|
"github.com/Molecule-AI/molecule-monorepo/platform/internal/wsauth"
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// WorkspaceAuth returns a Gin middleware that enforces per-workspace bearer-token
|
|
// authentication on /workspaces/:id/* sub-routes.
|
|
//
|
|
// Strict: every request MUST carry Authorization: Bearer <token> matching a
|
|
// live (non-revoked) token for the workspace. No grace period, no fail-open.
|
|
//
|
|
// History: originally this middleware had a lazy-bootstrap grace period for
|
|
// pre-Phase-30.1 workspaces without a live token, so rolling upgrades didn't
|
|
// brick in-flight agents. #318 tightened the fake-UUID leak (non-existent
|
|
// workspace IDs were falling through). #351 then showed the remaining hole:
|
|
// test-artifact workspaces from prior DAST runs still exist in the DB with
|
|
// empty configs and no tokens, so they pass WorkspaceExists + fall through
|
|
// the grace period — leaking global-secret key names to any unauth caller on
|
|
// the Docker network. Phase 30.1 shipped months ago; every live workspace has
|
|
// since gone through multiple boot cycles and acquired a token. The grace
|
|
// period no longer serves legitimate traffic. Removing it entirely closes
|
|
// #351 without affecting registration (which is on /registry/register,
|
|
// outside this middleware's scope).
|
|
//
|
|
// Intended for route groups that cover all /workspaces/:id/* paths.
|
|
// The /workspaces/:id/a2a route must be registered on the root router (outside
|
|
// this group) because it already authenticates callers via CanCommunicate.
|
|
func WorkspaceAuth(database *sql.DB) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
workspaceID := c.Param("id")
|
|
if workspaceID == "" {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing workspace ID"})
|
|
return
|
|
}
|
|
ctx := c.Request.Context()
|
|
|
|
tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization"))
|
|
if tok != "" {
|
|
// Admin token fallback — lets the canvas dashboard read workspace
|
|
// activity, traces, delegations with a single admin credential.
|
|
adminSecret := os.Getenv("ADMIN_TOKEN")
|
|
if adminSecret != "" && subtle.ConstantTimeCompare([]byte(tok), []byte(adminSecret)) == 1 {
|
|
c.Next()
|
|
return
|
|
}
|
|
// Org-scoped API token — user-minted from canvas UI. Grants
|
|
// access to EVERY workspace in the org (that's the explicit
|
|
// product spec: one org key can touch each workspace). Same
|
|
// power surface as ADMIN_TOKEN but named, revocable, audited.
|
|
// Check before per-workspace token so an org-key presenter
|
|
// doesn't hit the narrower ValidateToken failure path.
|
|
if id, prefix, orgID, err := orgtoken.Validate(ctx, database, tok); err == nil {
|
|
c.Set("org_token_id", id)
|
|
c.Set("org_token_prefix", prefix)
|
|
// org_id may be "" for pre-migration tokens (NULL column).
|
|
// Don't set the context key in that case so downstream callers
|
|
// can distinguish "unanchored token" (exists==false) from
|
|
// "anchored to this org" (exists==true, value non-empty).
|
|
if orgID != "" {
|
|
c.Set("org_id", orgID)
|
|
}
|
|
c.Next()
|
|
return
|
|
} else if !errors.Is(err, orgtoken.ErrInvalidToken) {
|
|
log.Printf("wsauth: WorkspaceAuth: orgtoken.Validate: %v", err)
|
|
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "auth check failed"})
|
|
return
|
|
}
|
|
// Per-workspace token — narrowest scope, bound to this :id.
|
|
if err := wsauth.ValidateToken(ctx, database, workspaceID, tok); err != nil {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid workspace auth token"})
|
|
return
|
|
}
|
|
c.Next()
|
|
return
|
|
}
|
|
// Same-origin canvas on tenant image — Referer matches Host.
|
|
if isSameOriginCanvas(c) {
|
|
c.Next()
|
|
return
|
|
}
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "missing workspace auth token"})
|
|
return
|
|
}
|
|
}
|
|
|
|
// AdminAuth returns a Gin middleware for global/admin routes (e.g.
|
|
// /settings/secrets, /admin/secrets) that have no per-workspace scope.
|
|
//
|
|
// # Credential tier (evaluated in order)
|
|
//
|
|
// 1. Lazy-bootstrap fail-open: if no live workspace token exists anywhere on
|
|
// the platform (fresh install / pre-Phase-30 upgrade), every request passes
|
|
// through so existing deployments keep working.
|
|
//
|
|
// 2. ADMIN_TOKEN env var (recommended, closes #684): when set, the bearer
|
|
// MUST equal this value exactly (constant-time comparison). Workspace
|
|
// bearer tokens are intentionally rejected even if valid — a compromised
|
|
// workspace agent must not be able to read global secrets, steal GitHub App
|
|
// installation tokens, or enumerate pending approvals across the platform.
|
|
// Set ADMIN_TOKEN to a strong random secret (e.g. openssl rand -base64 32).
|
|
//
|
|
// 3. Fallback — workspace token (deprecated, backward-compat): when
|
|
// ADMIN_TOKEN is not set and workspace tokens do exist globally, any valid
|
|
// workspace bearer token is still accepted. This preserves existing
|
|
// behaviour for deployments that have not yet configured ADMIN_TOKEN, but
|
|
// it leaves the blast-radius isolation gap described in #684 open. Set
|
|
// ADMIN_TOKEN to eliminate this fallback.
|
|
//
|
|
// NOTE: canvasOriginAllowed / isSameOriginCanvas are intentionally NOT called
|
|
// here. The Origin header is trivially forgeable by any container on the
|
|
// Docker network; using it as an auth bypass would let an attacker reach
|
|
// /settings/secrets, /bundles/import, /events, etc. without a bearer token.
|
|
// Those short-circuits belong ONLY in CanvasOrBearer (cosmetic routes). (#623)
|
|
func AdminAuth(database *sql.DB) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
ctx := c.Request.Context()
|
|
adminSecret := os.Getenv("ADMIN_TOKEN")
|
|
|
|
hasLive, err := wsauth.HasAnyLiveTokenGlobal(ctx, database)
|
|
if err != nil {
|
|
log.Printf("wsauth: AdminAuth: HasAnyLiveTokenGlobal failed: %v", err)
|
|
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "auth check failed"})
|
|
return
|
|
}
|
|
if !hasLive {
|
|
// Tier 1: fail-open is ONLY safe when ADMIN_TOKEN is unset
|
|
// (self-hosted dev, pre-Phase-30 upgrade). Hosted SaaS always
|
|
// sets ADMIN_TOKEN at provision time, and C4 (SaaS-launch
|
|
// blocker) showed that without this guard an attacker can
|
|
// pre-empt the first user by POSTing /org/import before any
|
|
// token gets minted. When ADMIN_TOKEN is set we fall through
|
|
// into the same bearer-check path Tier-2 uses below.
|
|
if adminSecret == "" {
|
|
c.Next()
|
|
return
|
|
}
|
|
}
|
|
|
|
// SaaS-canvas path: when the request carries a WorkOS session
|
|
// cookie AND the CP confirms it's valid, accept without a
|
|
// bearer. This is how the tenant's Next.js canvas UI
|
|
// authenticates — the browser has a session cookie scoped
|
|
// to .moleculesai.app, and we verify it upstream against
|
|
// /cp/auth/me (short-cached; see verifiedCPSession).
|
|
//
|
|
// Only runs when CP_UPSTREAM_URL is set (prod SaaS); self-
|
|
// hosted / dev deploys without a CP fall through to the
|
|
// bearer-only path unchanged.
|
|
if cookieHeader := c.GetHeader("Cookie"); cookieHeader != "" {
|
|
if ok, _ := verifiedCPSession(cookieHeader); ok {
|
|
c.Next()
|
|
return
|
|
}
|
|
// Cookie presented but invalid: fall through to the
|
|
// bearer-check path, which will 401. We do NOT abort
|
|
// here so molecli / CLI users with both a cookie and
|
|
// a stale cookie + valid bearer still pass.
|
|
}
|
|
|
|
// Bearer token is the ONLY accepted credential for admin routes.
|
|
tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization"))
|
|
if tok == "" {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "admin auth required"})
|
|
return
|
|
}
|
|
|
|
// Tier 2a: org-scoped API tokens (user-minted via canvas UI).
|
|
// Precedes the ADMIN_TOKEN check because these are the
|
|
// tokens users actually manage — named, revocable, audited.
|
|
// ADMIN_TOKEN is the bootstrap/break-glass credential that
|
|
// still works but is NOT visible through the UI. Both grant
|
|
// the same access surface (full org admin); the tier split
|
|
// is about provenance + rotation, not privilege.
|
|
//
|
|
// Validate() runs ONE indexed lookup (token_hash partial
|
|
// index with revoked_at IS NULL) + an async last_used_at
|
|
// bump. Cost per request: one SELECT + one UPDATE, both
|
|
// hitting the same narrow partial index.
|
|
if id, prefix, orgID, err := orgtoken.Validate(ctx, database, tok); err == nil {
|
|
c.Set("org_token_id", id)
|
|
c.Set("org_token_prefix", prefix)
|
|
// Conditional set — see WorkspaceAuth branch above for rationale.
|
|
if orgID != "" {
|
|
c.Set("org_id", orgID)
|
|
}
|
|
c.Next()
|
|
return
|
|
} else if !errors.Is(err, orgtoken.ErrInvalidToken) {
|
|
// DB error — fail closed and log. Don't expose DB text.
|
|
log.Printf("wsauth: AdminAuth: orgtoken.Validate: %v", err)
|
|
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "auth check failed"})
|
|
return
|
|
}
|
|
|
|
// Tier 2b (#684 fix): dedicated ADMIN_TOKEN — workspace bearer tokens
|
|
// must not grant access to admin routes.
|
|
if adminSecret != "" {
|
|
if subtle.ConstantTimeCompare([]byte(tok), []byte(adminSecret)) != 1 {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid admin auth token"})
|
|
return
|
|
}
|
|
c.Next()
|
|
return
|
|
}
|
|
|
|
// Tier 3 (deprecated): ADMIN_TOKEN not configured — fall back to any
|
|
// valid workspace token. Operators should set ADMIN_TOKEN to close #684.
|
|
if err := wsauth.ValidateAnyToken(ctx, database, tok); err != nil {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid admin auth token"})
|
|
return
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// CanvasOrBearer is a softer admin-auth variant used ONLY for cosmetic
|
|
// canvas routes where forging the request has zero security impact (PUT
|
|
// /canvas/viewport: worst case an attacker resets the shared viewport
|
|
// position, user refreshes the page, problem solved).
|
|
//
|
|
// Accepts either:
|
|
//
|
|
// 1. A valid bearer token (same contract as AdminAuth) — covers molecli,
|
|
// agent-to-platform calls, and anyone using the API directly.
|
|
// 2. A browser Origin header that matches CORS_ORIGINS (canvas itself).
|
|
// This is NOT a strict auth boundary — curl can forge Origin — but for
|
|
// cosmetic-only routes the trade-off is acceptable. Non-cosmetic routes
|
|
// MUST NOT use this middleware (see #194 review on why it would re-open
|
|
// #164 CRITICAL if applied to /bundles/import).
|
|
//
|
|
// Lazy-bootstrap fail-open preserved: zero-token installs pass everything
|
|
// through so fresh self-hosted / dev sessions aren't bricked.
|
|
func CanvasOrBearer(database *sql.DB) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
ctx := c.Request.Context()
|
|
|
|
hasLive, err := wsauth.HasAnyLiveTokenGlobal(ctx, database)
|
|
if err != nil {
|
|
log.Printf("wsauth: CanvasOrBearer HasAnyLiveTokenGlobal failed: %v — allowing request", err)
|
|
c.Next()
|
|
return
|
|
}
|
|
if !hasLive {
|
|
c.Next()
|
|
return
|
|
}
|
|
|
|
// Path 1: bearer present → bearer MUST validate. Do not fall through
|
|
// to Origin on an invalid bearer — an attacker with a revoked /
|
|
// expired token + a matching Origin would otherwise bypass auth.
|
|
// Empty bearer → skip to Origin path (canvas never sends one).
|
|
if tok := wsauth.BearerTokenFromHeader(c.GetHeader("Authorization")); tok != "" {
|
|
// Admin token accepted for canvas dashboard
|
|
adminSecret := os.Getenv("ADMIN_TOKEN")
|
|
if adminSecret != "" && subtle.ConstantTimeCompare([]byte(tok), []byte(adminSecret)) == 1 {
|
|
c.Next()
|
|
return
|
|
}
|
|
if err := wsauth.ValidateAnyToken(ctx, database, tok); err != nil {
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid admin auth token"})
|
|
return
|
|
}
|
|
c.Next()
|
|
return
|
|
}
|
|
|
|
// Path 2: canvas origin match (cross-origin canvas).
|
|
if canvasOriginAllowed(c.GetHeader("Origin")) {
|
|
c.Next()
|
|
return
|
|
}
|
|
|
|
// Path 3: same-origin canvas (tenant image).
|
|
if isSameOriginCanvas(c) {
|
|
c.Next()
|
|
return
|
|
}
|
|
|
|
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "admin auth required"})
|
|
}
|
|
}
|
|
|
|
// canvasOriginAllowed returns true if origin matches any entry in the
|
|
// CORS_ORIGINS env var (comma-separated) or the localhost defaults.
|
|
// Exact-match only; no prefix or wildcard logic — that's handled by the
|
|
// real CORS middleware upstream. The intent here is "did this request come
|
|
// from the canvas page the user is already logged into?" — a binary check.
|
|
func canvasOriginAllowed(origin string) bool {
|
|
if origin == "" {
|
|
return false
|
|
}
|
|
allowed := []string{"http://localhost:3000", "http://localhost:3001"}
|
|
if v := os.Getenv("CORS_ORIGINS"); v != "" {
|
|
for _, o := range strings.Split(v, ",") {
|
|
if o = strings.TrimSpace(o); o != "" {
|
|
allowed = append(allowed, o)
|
|
}
|
|
}
|
|
}
|
|
for _, a := range allowed {
|
|
if a == origin {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// isSameOriginCanvas returns true when the request appears to come from the
|
|
// canvas UI served by the same Go process (tenant image). In this topology,
|
|
// the browser sends same-origin requests with an empty Origin header but a
|
|
// Referer matching the request Host. We accept these requests because the
|
|
// canvas is the trusted frontend — same as if Origin matched CORS_ORIGINS.
|
|
//
|
|
// This only fires when CANVAS_PROXY_URL is set (i.e. the combined tenant
|
|
// image is active), so self-hosted / dev setups with separate canvas and
|
|
// platform origins are unaffected.
|
|
// canvasProxyActive is true when the platform runs as a combined tenant
|
|
// image (CANVAS_PROXY_URL set at boot). Cached once to avoid os.Getenv
|
|
// on every request.
|
|
var canvasProxyActive = os.Getenv("CANVAS_PROXY_URL") != ""
|
|
|
|
// IsSameOriginCanvas is the exported version for use outside the middleware
|
|
// package (e.g. workspace.go field-level auth). Same logic as the internal
|
|
// callers in AdminAuth/WorkspaceAuth/CanvasOrBearer.
|
|
func IsSameOriginCanvas(c *gin.Context) bool {
|
|
return isSameOriginCanvas(c)
|
|
}
|
|
|
|
func isSameOriginCanvas(c *gin.Context) bool {
|
|
if !canvasProxyActive {
|
|
return false
|
|
}
|
|
host := c.Request.Host
|
|
if host == "" {
|
|
return false
|
|
}
|
|
// Check Referer first (standard browser requests).
|
|
referer := c.GetHeader("Referer")
|
|
if referer != "" {
|
|
// Referer must start with https://<host>/ or http://<host>/ (trailing
|
|
// slash required to prevent hongming-wang.moleculesai.app.evil.com from
|
|
// matching hongming-wang.moleculesai.app).
|
|
if strings.HasPrefix(referer, "https://"+host+"/") ||
|
|
strings.HasPrefix(referer, "http://"+host+"/") ||
|
|
referer == "https://"+host ||
|
|
referer == "http://"+host {
|
|
return true
|
|
}
|
|
}
|
|
// Fallback: check Origin header (WebSocket upgrade requests may not have
|
|
// Referer but always send Origin).
|
|
origin := c.GetHeader("Origin")
|
|
return origin == "https://"+host || origin == "http://"+host
|
|
}
|