authorPeter Stone <thepeterstone@gmail.com>2026-01-28 22:19:28 -1000
committerPeter Stone <thepeterstone@gmail.com>2026-01-28 22:19:28 -1000
commit05b1930e04ac222d73ffb2f45c1b1febb69f893d (patch)
treebc451d72b5265ff044c4655ed90685c601688b6d /internal/auth/middleware.go
parent058ff7d699f088edb851336928dd3eea2934cc07 (diff)
Add Agent Context API for external agent integration
Phase 1: Authentication and read-only context - POST /agent/auth/request - request access with name + agent_id - GET /agent/auth/poll - poll for approval status - POST /agent/auth/approve|deny - user approval (browser auth required) - GET /agent/context - 7-day timeline context (agent session required) Phase 1.5: Browser-only agent endpoints (HTML pages) - GET /agent/web/request - request page with token - GET /agent/web/status - status page with polling - GET /agent/web/context - context page with timeline data WebSocket notifications: - GET /ws/notifications - push agent requests to browsers - Approval modal with trust indicators and countdown timer Database: - agents table for registered agent tracking - agent_sessions table for pending/active sessions Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Diffstat (limited to 'internal/auth/middleware.go')
-rw-r--r--internal/auth/middleware.go9
1 files changed, 8 insertions, 1 deletions
diff --git a/internal/auth/middleware.go b/internal/auth/middleware.go
index ecdde82..78f3b53 100644
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@@ -6,6 +6,7 @@ import (
"crypto/subtle"
"encoding/base64"
"net/http"
+ "strings"
"github.com/alexedwards/scs/v2"
)
@@ -63,6 +64,12 @@ func (m *Middleware) ClearSession(r *http.Request) error {
// CSRFProtect checks for a valid CSRF token on state-changing requests
func (m *Middleware) CSRFProtect(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ // Skip CSRF for agent API endpoints (they use token-based auth, not cookies)
+ if strings.HasPrefix(r.URL.Path, "/agent/") {
+ next.ServeHTTP(w, r)
+ return
+ }
+
// Ensure a token exists in the session
if !m.sessions.Exists(r.Context(), SessionKeyCSRF) {
token, err := generateToken()
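Review bot: The blanket `strings.HasPrefix(r.URL.Path, "/agent/")` skip at the top of CSRFProtect also disables CSRF checking for `POST /agent/auth/approve` and `/agent/auth/deny`, which the commit message says are browser-authenticated — i.e. cookie-backed state changes, exactly the requests this middleware exists to protect. Only the token-authenticated routes (`/agent/auth/request`, `/agent/auth/poll`, `/agent/context` per the description) should bypass the check; the `/agent/web/*` pages are cookie-authenticated too and, once skipped, never reach the `Exists` branch below that mints a session CSRF token, so an approval submitted from them has no token to send. That route list is taken from the commit description, so confirm it against the agent router. The comparison is also made on the raw `r.URL.Path`, which net/http does not clean, so if this middleware wraps the mux an exact-match switch (or `path.Clean` before comparing) is safer than a prefix test.
```go
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	// Only routes authenticated by agent token bypass CSRF; approve/deny and
	// /agent/web/* rely on the browser session and must keep the check.
	// TODO(review): confirm this list against the agent router.
	switch r.URL.Path {
	case "/agent/auth/request", "/agent/auth/poll", "/agent/context":
		next.ServeHTTP(w, r)
		return
	}
	// … unchanged: session CSRF token creation and state-changing method check …
```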
@@ -78,7 +85,7 @@ func (m *Middleware) CSRFProtect(next http.Handler) http.Handler {
// Check token for state-changing methods
if r.Method == "POST" || r.Method == "PUT" || r.Method == "DELETE" || r.Method == "PATCH" {
requestToken := r.Header.Get("X-CSRF-Token")
-
+
if requestToken == "" {
requestToken = r.FormValue("csrf_token")
}