hanh.tonguyen/paperclip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add board mutation guard middleware

Browse Source 
Require trusted browser origin (Origin or Referer header) for
mutating requests from board actors, preventing cross-origin
mutation attempts against the local-trusted API.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Forgotten
2026-02-20 15:48:30 -06:00
parent 49e15f056d
commit 82da8739c1
3 changed files with 123 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
server/src/__tests__/board-mutation-guard.test.ts Normal file
View File

@@ -0,0 +1,60 @@
import { describe, expect, it } from "vitest";
import express from "express";
import request from "supertest";
import { boardMutationGuard } from "../middleware/board-mutation-guard.js";
function createApp(actorType: "board" | "agent") {
const app = express();
app.use(express.json());
app.use((req, _res, next) => {
req.actor = actorType === "board" ? { type: "board", userId: "board" } : { type: "agent", agentId: "agent-1" };
next();
});
app.use(boardMutationGuard());
app.post("/mutate", (_req, res) => {
res.status(204).end();
});
app.get("/read", (_req, res) => {
res.status(204).end();
});
return app;
}
describe("boardMutationGuard", () => {
it("allows safe methods for board actor", async () => {
const app = createApp("board");
const res = await request(app).get("/read");
expect(res.status).toBe(204);
});
it("blocks board mutations without trusted origin", async () => {
const app = createApp("board");
const res = await request(app).post("/mutate").send({ ok: true });
expect(res.status).toBe(403);
expect(res.body).toEqual({ error: "Board mutation requires trusted browser origin" });
});
it("allows board mutations from trusted origin", async () => {
const app = createApp("board");
const res = await request(app)
.post("/mutate")
.set("Origin", "http://localhost:5173")
.send({ ok: true });
expect(res.status).toBe(204);
});
it("allows board mutations from trusted referer origin", async () => {
const app = createApp("board");
const res = await request(app)
.post("/mutate")
.set("Referer", "http://localhost:5173/issues/abc")
.send({ ok: true });
expect(res.status).toBe(204);
});
it("does not block authenticated agent mutations", async () => {
const app = createApp("agent");
const res = await request(app).post("/mutate").send({ ok: true });
expect(res.status).toBe(204);
});
});

2
server/src/app.ts
View File

@@ -6,6 +6,7 @@ import type { Db } from "@paperclip/db";
import type { StorageService } from "./storage/types.js"; import type { StorageService } from "./storage/types.js";
import { httpLogger, errorHandler } from "./middleware/index.js"; import { httpLogger, errorHandler } from "./middleware/index.js";
import { actorMiddleware } from "./middleware/auth.js"; import { actorMiddleware } from "./middleware/auth.js";
import { boardMutationGuard } from "./middleware/board-mutation-guard.js";
import { healthRoutes } from "./routes/health.js"; import { healthRoutes } from "./routes/health.js";
import { companyRoutes } from "./routes/companies.js"; import { companyRoutes } from "./routes/companies.js";
import { agentRoutes } from "./routes/agents.js"; import { agentRoutes } from "./routes/agents.js";
@@ -33,6 +34,7 @@ export async function createApp(db: Db, opts: { uiMode: UiMode; storageService:
// Mount API routes // Mount API routes
const api = Router(); const api = Router();
api.use(boardMutationGuard());
api.use("/health", healthRoutes()); api.use("/health", healthRoutes());
api.use("/companies", companyRoutes(db)); api.use("/companies", companyRoutes(db));
api.use(agentRoutes(db)); api.use(agentRoutes(db));

61
server/src/middleware/board-mutation-guard.ts Normal file
View File

@@ -0,0 +1,61 @@
import type { Request, RequestHandler } from "express";
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
const DEFAULT_DEV_ORIGINS = [
"http://localhost:5173",
"http://127.0.0.1:5173",
"http://localhost:3100",
"http://127.0.0.1:3100",
];
function parseOrigin(value: string | undefined) {
if (!value) return null;
try {
const url = new URL(value);
return `${url.protocol}//${url.host}`.toLowerCase();
} catch {
return null;
}
}
function trustedOriginsForRequest(req: Request) {
const origins = new Set(DEFAULT_DEV_ORIGINS.map((value) => value.toLowerCase()));
const host = req.header("host")?.trim();
if (host) {
origins.add(`http://${host}`.toLowerCase());
origins.add(`https://${host}`.toLowerCase());
}
return origins;
}
function isTrustedBoardMutationRequest(req: Request) {
const allowedOrigins = trustedOriginsForRequest(req);
const origin = parseOrigin(req.header("origin"));
if (origin && allowedOrigins.has(origin)) return true;
const refererOrigin = parseOrigin(req.header("referer"));
if (refererOrigin && allowedOrigins.has(refererOrigin)) return true;
return false;
}
export function boardMutationGuard(): RequestHandler {
return (req, res, next) => {
if (SAFE_METHODS.has(req.method.toUpperCase())) {
next();
return;
}
if (req.actor.type !== "board") {
next();
return;
}
if (!isTrustedBoardMutationRequest(req)) {
res.status(403).json({ error: "Board mutation requires trusted browser origin" });
return;
}
next();
};
}