diff options
| author | Peter Stone <thepeterstone@gmail.com> | 2026-07-05 04:44:54 +0000 |
|---|---|---|
| committer | Peter Stone <thepeterstone@gmail.com> | 2026-07-05 04:44:54 +0000 |
| commit | 081d06794a90ce45406ac1f12db9f843d8077327 (patch) | |
| tree | 7632a2d0cd1aceecf7263720609c44c9e898e540 /cmd | |
| parent | 8c55b9b10fecd45ac5acf3f13fc23d342a4aa53b (diff) | |
feat(gateway): add publicPaths bypass for all-method service routes
Adds a publicPaths field to serviceMount alongside webhookPaths.
webhookPaths remains POST-only (HMAC-signed webhooks). publicPaths
bypasses session auth for all methods, relying on the upstream
service's own bearer-token auth instead.
Used to expose /claudomator/chatbot/mcp for MCP client connections
(claude-code) which carry their own Authorization header and cannot
carry a doot session cookie.
Diffstat (limited to 'cmd')
| -rw-r--r-- | cmd/dashboard/main.go | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/cmd/dashboard/main.go b/cmd/dashboard/main.go index 7e58125..fc26c06 100644 --- a/cmd/dashboard/main.go +++ b/cmd/dashboard/main.go @@ -169,7 +169,8 @@ func main() { name string upstream string prefix string - webhookPaths []string // POST paths that bypass session auth (e.g. HMAC-signed webhooks) + webhookPaths []string // POST-only paths that bypass session auth (e.g. HMAC-signed webhooks) + publicPaths []string // all-method paths that bypass session auth (protected by service-level bearer token) } mounts := []serviceMount{ { @@ -177,6 +178,7 @@ func main() { upstream: cfg.ClaudomatorURL, prefix: "/claudomator", webhookPaths: []string{"/claudomator/api/webhooks/github"}, + publicPaths: []string{"/claudomator/chatbot/mcp"}, }, } if cfg.PlaygroundURL != "" { @@ -281,6 +283,10 @@ func main() { for _, wp := range m.webhookPaths { r.Post(wp, proxy.ServeHTTP) } + // Public all-method paths bypass session auth (rely on service-level bearer token) + for _, pp := range m.publicPaths { + r.Handle(pp, http.HandlerFunc(proxy.ServeHTTP)) + } // All other routes require auth + origin check (CSRF protection for proxy) r.Group(func(r chi.Router) { |
