forked from farhoodlabs/paperclip
Dotta
9c29394f4d
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies. > - Paperclip Cloud imports local company data into tenant Paperclip stacks through trusted server-to-server calls. > - Tenant imports authenticate as board actors with `source: "cloud_tenant"` because they act on behalf of an authorized stack user. > - The board mutation guard correctly protects browser session mutations with trusted `Origin`/`Referer` checks. > - But the guard treated trusted Cloud tenant calls like browser session mutations, so server-to-server imports without a browser origin failed with `403 Board mutation requires trusted browser origin`. > - This pull request exempts trusted Cloud tenant actors from browser-origin enforcement while preserving the session-backed browser guard. > - The benefit is that authorized Cloud imports can persist into tenant Paperclip storage without weakening browser CSRF protections. ## What Changed - Allow `req.actor.source === "cloud_tenant"` through `boardMutationGuard` without requiring browser `Origin` or `Referer` headers. - Add a focused regression test for Cloud tenant POST mutations without an origin. - Preserve the existing session-backed rejection test for board mutations that lack a trusted browser origin. ## Verification - `pnpm exec vitest run server/src/__tests__/board-mutation-guard.test.ts` - Result: 10 tests passed. ## Risks - Low risk: this only expands the existing non-browser exemption list to trusted Cloud tenant actors that have already passed tenant-server-token authentication. - The browser-session path remains covered by the existing rejection test, so missing-origin browser mutations still fail. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5 coding agent, tool-enabled local repository editing and shell verification. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge
150 lines
4.6 KiB
TypeScript
150 lines
4.6 KiB
TypeScript
import { describe, expect, it, vi } from "vitest";
|
|
import express from "express";
|
|
import request from "supertest";
|
|
import { boardMutationGuard } from "../middleware/board-mutation-guard.js";
|
|
|
|
function createApp(
|
|
actorType: "board" | "agent",
|
|
boardSource: "session" | "local_implicit" | "board_key" | "cloud_tenant" = "session",
|
|
) {
|
|
const app = express();
|
|
app.use(express.json());
|
|
app.use((req, _res, next) => {
|
|
req.actor = actorType === "board"
|
|
? { type: "board", userId: "board", source: boardSource }
|
|
: { type: "agent", agentId: "agent-1" };
|
|
next();
|
|
});
|
|
app.use(boardMutationGuard());
|
|
app.post("/mutate", (_req, res) => {
|
|
res.status(204).end();
|
|
});
|
|
app.get("/read", (_req, res) => {
|
|
res.status(204).end();
|
|
});
|
|
return app;
|
|
}
|
|
|
|
describe("boardMutationGuard", () => {
|
|
it("allows safe methods for board actor", async () => {
|
|
const app = createApp("board");
|
|
const res = await request(app).get("/read");
|
|
expect([200, 204]).toContain(res.status);
|
|
});
|
|
|
|
it("blocks board mutations without trusted origin", () => {
|
|
const middleware = boardMutationGuard();
|
|
const req = {
|
|
method: "POST",
|
|
actor: { type: "board", userId: "board", source: "session" },
|
|
header: () => undefined,
|
|
} as any;
|
|
const res = {
|
|
status: vi.fn().mockReturnThis(),
|
|
json: vi.fn(),
|
|
} as any;
|
|
const next = vi.fn();
|
|
|
|
middleware(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(403);
|
|
expect(res.json).toHaveBeenCalledWith({
|
|
error: "Board mutation requires trusted browser origin",
|
|
});
|
|
});
|
|
|
|
it("allows local implicit board mutations without origin", async () => {
|
|
const app = createApp("board", "local_implicit");
|
|
const res = await request(app).post("/mutate").send({ ok: true });
|
|
expect([200, 204]).toContain(res.status);
|
|
});
|
|
|
|
it("allows board bearer-key mutations without origin", async () => {
|
|
const app = createApp("board", "board_key");
|
|
const res = await request(app).post("/mutate").send({ ok: true });
|
|
expect([200, 204]).toContain(res.status);
|
|
});
|
|
|
|
it("allows trusted Cloud tenant mutations without origin", async () => {
|
|
const app = createApp("board", "cloud_tenant");
|
|
const res = await request(app).post("/mutate").send({ ok: true });
|
|
expect([200, 204]).toContain(res.status);
|
|
});
|
|
|
|
it("allows board mutations from trusted origin", async () => {
|
|
const app = createApp("board");
|
|
const res = await request(app)
|
|
.post("/mutate")
|
|
.set("Origin", "http://localhost:3100")
|
|
.send({ ok: true });
|
|
expect([200, 204]).toContain(res.status);
|
|
});
|
|
|
|
it("allows board mutations from trusted referer origin", async () => {
|
|
const app = createApp("board");
|
|
const res = await request(app)
|
|
.post("/mutate")
|
|
.set("Referer", "http://localhost:3100/issues/abc")
|
|
.send({ ok: true });
|
|
expect([200, 204]).toContain(res.status);
|
|
});
|
|
|
|
it("allows board mutations when x-forwarded-host matches origin", async () => {
|
|
const app = createApp("board");
|
|
const res = await request(app)
|
|
.post("/mutate")
|
|
.set("Host", "127.0.0.1")
|
|
.set("X-Forwarded-Host", "10.90.10.20:3443")
|
|
.set("Origin", "https://10.90.10.20:3443")
|
|
.send({ ok: true });
|
|
expect([200, 204]).toContain(res.status);
|
|
});
|
|
|
|
it("blocks board mutations when x-forwarded-host does not match origin", async () => {
|
|
const middleware = boardMutationGuard();
|
|
const req = {
|
|
method: "POST",
|
|
actor: { type: "board", userId: "board", source: "session" },
|
|
header: (name: string) => {
|
|
if (name === "host") return "127.0.0.1";
|
|
if (name === "x-forwarded-host") return "10.90.10.20:3443";
|
|
if (name === "origin") return "https://evil.example.com";
|
|
return undefined;
|
|
},
|
|
} as any;
|
|
const res = {
|
|
status: vi.fn().mockReturnThis(),
|
|
json: vi.fn(),
|
|
} as any;
|
|
const next = vi.fn();
|
|
|
|
middleware(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(403);
|
|
expect(res.json).toHaveBeenCalledWith({
|
|
error: "Board mutation requires trusted browser origin",
|
|
});
|
|
});
|
|
|
|
it("does not block authenticated agent mutations", async () => {
|
|
const middleware = boardMutationGuard();
|
|
const req = {
|
|
method: "POST",
|
|
actor: { type: "agent", agentId: "agent-1" },
|
|
header: () => undefined,
|
|
} as any;
|
|
const res = {
|
|
status: vi.fn().mockReturnThis(),
|
|
json: vi.fn(),
|
|
} as any;
|
|
const next = vi.fn();
|
|
|
|
middleware(req, res, next);
|
|
|
|
expect(next).toHaveBeenCalledOnce();
|
|
expect(res.status).not.toHaveBeenCalled();
|
|
});
|
|
});
|