lazorgurl/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix harness forbidden error: use internal token instead of host check
All checks were successful
CI / lint-and-test (push) Successful in 32s
Details
Deploy Production / deploy (push) Successful in 1m20s
Details
CI / build (push) Successful in 1m55s
Details

Browse Source 
The localhost check using host header and x-forwarded-for was unreliable
in the standalone Next.js server which may inject forwarded headers
internally. Replace with a per-process random token shared between the
PTY server and the API route via env var.
This commit is contained in:
Julia McGhee
2026-03-21 21:59:45 +00:00
parent 88496cb908
commit b981cc0926
3 changed files with 9 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
apps/harness/pty-server.js
View File

@@ -53,6 +53,7 @@ function attachPtyWebSocket(server) {
try {
const res = await fetch(
`http://127.0.0.1:${port}/api/agents/${encodeURIComponent(agentId)}/env`,
{ headers: { "x-internal-token": process.env.INTERNAL_API_TOKEN || "" } },
);
if (!res.ok) {
const body = await res.json().catch(() => ({}));

5
apps/harness/server.js
View File

@@ -2,11 +2,16 @@ const { createServer } = require("http");
const path = require("path");
const { parse } = require("url");
const crypto = require("crypto");
const dev = process.env.NODE_ENV !== "production";
// HOSTNAME in K8s is the pod name — always bind to 0.0.0.0
const hostname = "0.0.0.0";
const port = parseInt(process.env.PORT || "3100", 10);
// Shared secret for internal PTY→API calls (generated per process)
process.env.INTERNAL_API_TOKEN = crypto.randomBytes(32).toString("hex");
// In production, load the standalone config to avoid webpack dependency
if (!dev) {
try {

10
apps/harness/src/app/api/agents/[id]/env/route.ts vendored
View File

@@ -6,13 +6,9 @@ export async function GET(
_request: NextRequest,
{ params }: { params: Promise<{ id: string }> },
) {
// Only allow localhost access
const forwarded = _request.headers.get("x-forwarded-for");
const host = _request.headers.get("host") ?? "";
const isLocal =
!forwarded &&
(host.startsWith("localhost") || host.startsWith("127.0.0.1"));
if (!isLocal) {
// Only allow internal calls from the PTY server (same process)
const token = _request.headers.get("x-internal-token");
if (!token || token !== process.env.INTERNAL_API_TOKEN) {
return NextResponse.json({ error: "forbidden" }, { status: 403 });
}