Commit f490e5a
Issue #20 — authorization bypass for non-SA tokens:
The previous code only called authorize() when parseServiceAccountToken()
succeeded. Any other token (opaque, arbitrary JWT, malformed) fell through
the if-block without rejection and was silently proxied to the site cluster.
Fix: unrecognized token types now get an explicit 403 Forbidden.
Issue #27 — site proxy unauthenticated when kcpConfig is nil:
The entire auth block was guarded by 'if p.kcpConfig != nil', so a nil
kcpConfig (no kcp backend) allowed any non-empty bearer token through.
Fix: nil kcpConfig now returns 503 Service Unavailable immediately — the
site proxy cannot safely authorize requests without a kcp backend.
Also updated the NewVirtualWorkspaces doc comment which incorrectly stated
that nil kcpConfig is acceptable in dev mode.
Co-authored-by: Mangirdas Judeikis <mjudeikis@gmail.com>
1 parent 2cfdebd commit f490e5a
2 files changed
Lines changed: 28 additions & 10 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
65 | 65 | | |
66 | 66 | | |
67 | 67 | | |
68 | | - | |
69 | | - | |
| 68 | + | |
| 69 | + | |
70 | 70 | | |
71 | 71 | | |
72 | 72 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
63 | 63 | | |
64 | 64 | | |
65 | 65 | | |
66 | | - | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
67 | 76 | | |
68 | 77 | | |
69 | 78 | | |
70 | 79 | | |
71 | 80 | | |
72 | 81 | | |
73 | | - | |
74 | | - | |
75 | | - | |
76 | | - | |
77 | | - | |
78 | | - | |
79 | | - | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
80 | 98 | | |
81 | 99 | | |
82 | 100 | | |
| |||
0 commit comments