molecule-core/platform/internal/middleware
molecule-ai[bot] 19396fc55a Merge pull request #628 from Molecule-AI/fix/issue-623-adminauth-origin-bypass
Merge gate passed (all 7 gates). Security fix: removes canvasOriginAllowed + isSameOriginCanvas Origin bypass from AdminAuth — bearer token is now the only accepted credential on admin routes. 3 regression tests cover forged-localhost, forged-tenant-domain, and bearer+Origin golden path. Auth PR — CEO explicit approval confirmed in chat. UNSTABLE = known GitHub App token scope gap.
2026-04-17 06:13:33 +00:00
ratelimit_test.go fix(router): call SetTrustedProxies(nil) to close IP-spoofing bypass (#179) 2026-04-15 17:32:54 +00:00
ratelimit.go fix: #93 category_routing + #105 X-RateLimit headers 2026-04-15 00:23:46 -07:00
securityheaders_test.go fix(middleware): split CSP by route type — strict for API, permissive for canvas (#450) 2026-04-16 20:26:17 +00:00
securityheaders.go fix(middleware): split CSP by route type — strict for API, permissive for canvas (#450) 2026-04-16 20:26:17 +00:00
tenant_guard_test.go fix(auth): TenantGuard same-origin bypass for EC2 tenant Canvas 2026-04-16 18:22:23 -07:00
tenant_guard.go fix(auth): TenantGuard same-origin bypass for EC2 tenant Canvas 2026-04-16 18:22:23 -07:00
wsauth_middleware_test.go fix(security): remove canvasOriginAllowed from AdminAuth middleware (#623) 2026-04-17 06:00:45 +00:00
wsauth_middleware.go Merge pull request #628 from Molecule-AI/fix/issue-623-adminauth-origin-bypass 2026-04-17 06:13:33 +00:00