Skip to content

fix: require serve token + loopback Host on API endpoints (M-15)#72

Merged
jkyberneees merged 1 commit into
mainfrom
fix/m15-api-auth-dns-rebinding
Jul 18, 2026
Merged

fix: require serve token + loopback Host on API endpoints (M-15)#72
jkyberneees merged 1 commit into
mainfrom
fix/m15-api-auth-dns-rebinding

Conversation

@jkyberneees

Copy link
Copy Markdown
Contributor

Closes M-15.

Changes:

  • Add requireServeToken and requireLocalHost middleware in cmd/odek/serve.go.
  • Wrap every /api/* handler with token check, loopback Host validation, and existing local-Origin CSRF protection.
  • Add validateServeTokenHTTP for HTTP requests (cookie + X-Odek-Ws-Token header).
  • Update buildServeMux and buildServeMuxWithSessionByID test helpers to mirror production auth.
  • Update existing E2E tests that hit API endpoints to supply the serve token.
  • Update cmd/odek/ui/app.js to send X-Odek-Ws-Token on all API fetch calls.
  • Add regression tests for missing token, foreign Host, valid header, and valid cookie.
  • Update AGENTS.md and docs/SECURITY.md.

Tested with go test ./... -count=1.

@jkyberneees
jkyberneees merged commit 6bd7c3e into main Jul 18, 2026
5 of 7 checks passed
@jkyberneees
jkyberneees deleted the fix/m15-api-auth-dns-rebinding branch July 18, 2026 14:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant