molecule-ai/molecule-core
41
0
Fork 2
Code Issues 103 Pull Requests 144 Actions 127 Packages Projects Releases Wiki Activity
c84171df72
molecule-core/platform/internal/router
History
Molecule AI Backend Engineer c84171df72 fix(security): add AdminAuth to /admin/workspaces/:id/test-token route 
Without middleware, any caller on a non-production instance could mint a
bearer token for any workspace UUID with no authentication. AdminAuth is
defence-in-depth: on a fresh install (no tokens yet) it is fail-open so
the bootstrap path still works; once the first workspace enrolls a token
all callers must present a valid bearer.

Adds two router-level tests confirming the gate:
- TestTestTokenRoute_RequiresAdminAuth_WhenTokensExist → 401 with no header
- TestTestTokenRoute_FailOpenOnFreshInstall → 200 (bootstrap path intact)

Env-var gating inside GetTestToken is retained as a second layer.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 02:48:00 +00:00
..
admin_test_token_route_test.go fix(security): add AdminAuth to /admin/workspaces/:id/test-token route 2026-04-17 02:48:00 +00:00
canvas_proxy_test.go fix(test): wrap httptest.ResponseRecorder with CloseNotify for canvas proxy tests 2026-04-16 05:40:17 -07:00
canvas_proxy.go fix(security): strip Authorization + Cookie headers in canvas reverse proxy (closes #451) 2026-04-16 11:00:43 +00:00
router.go fix(security): add AdminAuth to /admin/workspaces/:id/test-token route 2026-04-17 02:48:00 +00:00