diff options
| -rw-r--r-- | cmd/dashboard/main.go | 8 | ||||
| -rw-r--r-- | internal/handlers/proxy.go | 1 |
2 files changed, 8 insertions, 1 deletions
diff --git a/cmd/dashboard/main.go b/cmd/dashboard/main.go index 7e58125..fc26c06 100644 --- a/cmd/dashboard/main.go +++ b/cmd/dashboard/main.go @@ -169,7 +169,8 @@ func main() { name string upstream string prefix string - webhookPaths []string // POST paths that bypass session auth (e.g. HMAC-signed webhooks) + webhookPaths []string // POST-only paths that bypass session auth (e.g. HMAC-signed webhooks) + publicPaths []string // all-method paths that bypass session auth (protected by service-level bearer token) } mounts := []serviceMount{ { @@ -177,6 +178,7 @@ func main() { upstream: cfg.ClaudomatorURL, prefix: "/claudomator", webhookPaths: []string{"/claudomator/api/webhooks/github"}, + publicPaths: []string{"/claudomator/chatbot/mcp"}, }, } if cfg.PlaygroundURL != "" { @@ -281,6 +283,10 @@ func main() { for _, wp := range m.webhookPaths { r.Post(wp, proxy.ServeHTTP) } + // Public all-method paths bypass session auth (rely on service-level bearer token) + for _, pp := range m.publicPaths { + r.Handle(pp, http.HandlerFunc(proxy.ServeHTTP)) + } // All other routes require auth + origin check (CSRF protection for proxy) r.Group(func(r chi.Router) { diff --git a/internal/handlers/proxy.go b/internal/handlers/proxy.go index ce10a6a..ce328ef 100644 --- a/internal/handlers/proxy.go +++ b/internal/handlers/proxy.go @@ -31,6 +31,7 @@ func NewServiceProxy(targetURL, allowedOrigin, pathPrefix string) http.Handler { Director: func(req *http.Request) { req.URL.Scheme = target.Scheme req.URL.Host = target.Host + req.Host = target.Host // use upstream host so loopback services see a loopback Host header req.URL.Path = stripPrefix(req.URL.Path) if req.URL.RawPath != "" { req.URL.RawPath = stripPrefix(req.URL.RawPath) |
