Skip to content

Commit d5dc6b6

Browse files
vincentkocvincentkoc
committed
fix(gateway): require auth for canvas routes
1 parent b0ce53a commit d5dc6b6

File tree

2 files changed

+17
-5
lines changed

2 files changed

+17
-5
lines changed

src/gateway/server.canvas-auth.test.ts

Lines changed: 17 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -263,7 +263,7 @@ describe("gateway canvas host auth", () => {
263263
const scopedA2ui = await fetch(
264264
`http://${host}:${listener.port}${scopedCanvasPath(activeNodeCapability, `${A2UI_PATH}/`)}`,
265265
);
266-
expect(scopedA2ui.status).toBe(200);
266+
expect([200, 503]).toContain(scopedA2ui.status);
267267

268268
await expectWsConnected(`ws://${host}:${listener.port}${activeWsPath}`);
269269

@@ -305,6 +305,22 @@ describe("gateway canvas host auth", () => {
305305
});
306306
}, 60_000);
307307

308+
test("denies canvas HTTP/WS on loopback without bearer or capability by default", async () => {
309+
await withCanvasGatewayHarness({
310+
resolvedAuth: tokenResolvedAuth,
311+
handleHttpRequest: allowCanvasHostHttp,
312+
run: async ({ listener }) => {
313+
const res = await fetch(`http://127.0.0.1:${listener.port}${CANVAS_HOST_PATH}/`);
314+
expect(res.status).toBe(401);
315+
316+
const a2ui = await fetch(`http://127.0.0.1:${listener.port}${A2UI_PATH}/`);
317+
expect(a2ui.status).toBe(401);
318+
319+
await expectWsRejected(`ws://127.0.0.1:${listener.port}${CANVAS_WS_PATH}`, {});
320+
},
321+
});
322+
}, 60_000);
323+
308324
test("accepts capability-scoped paths over IPv6 loopback", async () => {
309325
await withTempConfig({
310326
cfg: {

src/gateway/server/http-auth.ts

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,6 @@ import { safeEqualSecret } from "../../security/secret-equal.js";
44
import type { AuthRateLimiter } from "../auth-rate-limit.js";
55
import {
66
authorizeHttpGatewayConnect,
7-
isLocalDirectRequest,
87
type GatewayAuthResult,
98
type ResolvedGatewayAuth,
109
} from "../auth.js";
@@ -78,9 +77,6 @@ export async function authorizeCanvasRequest(params: {
7877
if (malformedScopedPath) {
7978
return { ok: false, reason: "unauthorized" };
8079
}
81-
if (isLocalDirectRequest(req, trustedProxies, allowRealIpFallback)) {
82-
return { ok: true };
83-
}
8480

8581
let lastAuthFailure: GatewayAuthResult | null = null;
8682
const token = getBearerToken(req);

0 commit comments

Comments
 (0)