Fix harness forbidden error: use internal token instead of host check
All checks were successful
CI / lint-and-test (push) Successful in 32s
Deploy Production / deploy (push) Successful in 1m20s
CI / build (push) Successful in 1m55s

The localhost check using host header and x-forwarded-for was unreliable
in the standalone Next.js server which may inject forwarded headers
internally. Replace with a per-process random token shared between the
PTY server and the API route via env var.
Julia McGhee
2026-03-21 21:59:45 +00:00
parent 88496cb908
commit b981cc0926
3 changed files with 9 additions and 7 deletions

@@ -6,13 +6,9 @@ export async function GET(
_request: NextRequest,
{ params }: { params: Promise<{ id: string }> },
) {
// Only allow localhost access
const forwarded = _request.headers.get("x-forwarded-for");
const host = _request.headers.get("host") ?? "";
const isLocal =
!forwarded &&
(host.startsWith("localhost") || host.startsWith("127.0.0.1"));
if (!isLocal) {
// Only allow internal calls from the PTY server (same process)
const token = _request.headers.get("x-internal-token");
if (!token || token !== process.env.INTERNAL_API_TOKEN) {
return NextResponse.json({ error: "forbidden" }, { status: 403 });
}
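
Review bot: the new check compares the secret with `token !== process.env.INTERNAL_API_TOKEN`, which is an ordinary string comparison and not constant-time. Consider hashing both values to a fixed length and comparing them with `crypto.timingSafeEqual`. The check does fail closed when `INTERNAL_API_TOKEN` is unset, since a missing header is rejected by `!token` and any supplied value differs from `undefined`; a short comment saying so would protect that property in later edits. The new comment says "(same process)", but the token arrives in the `x-internal-token` request header, so the comment should state that the guarantee rests on the header value staying secret, and request logging or middleware on this route should not record that header.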