lazorgurl/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix harness forbidden error: use internal token instead of host check
All checks were successful
CI / lint-and-test (push) Successful in 32s
Details
Deploy Production / deploy (push) Successful in 1m20s
Details
CI / build (push) Successful in 1m55s
Details

Browse Source 
The localhost check using host header and x-forwarded-for was unreliable
in the standalone Next.js server which may inject forwarded headers
internally. Replace with a per-process random token shared between the
PTY server and the API route via env var.
This commit is contained in:
Julia McGhee
2026-03-21 21:59:45 +00:00
parent 88496cb908
commit b981cc0926
3 changed files with 9 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
apps/harness/server.js
View File

@@ -2,11 +2,16 @@ const { createServer } = require("http");
const path = require("path");
const { parse } = require("url");
const crypto = require("crypto");
const dev = process.env.NODE_ENV !== "production";
// HOSTNAME in K8s is the pod name — always bind to 0.0.0.0
const hostname = "0.0.0.0";
const port = parseInt(process.env.PORT || "3100", 10);
// Shared secret for internal PTY→API calls (generated per process)
process.env.INTERNAL_API_TOKEN = crypto.randomBytes(32).toString("hex");
// In production, load the standalone config to avoid webpack dependency
if (!dev) {
try {