summaryrefslogtreecommitdiff
path: root/cmd/dashboard
diff options
context:
space:
mode:
Diffstat (limited to 'cmd/dashboard')
-rw-r--r--cmd/dashboard/main.go8
1 files changed, 7 insertions, 1 deletions
diff --git a/cmd/dashboard/main.go b/cmd/dashboard/main.go
index 7e58125..fc26c06 100644
--- a/cmd/dashboard/main.go
+++ b/cmd/dashboard/main.go
@@ -169,7 +169,8 @@ func main() {
name string
upstream string
prefix string
- webhookPaths []string // POST paths that bypass session auth (e.g. HMAC-signed webhooks)
+ webhookPaths []string // POST-only paths that bypass session auth (e.g. HMAC-signed webhooks)
+ publicPaths []string // all-method paths that bypass session auth (protected by service-level bearer token)
}
mounts := []serviceMount{
{
@@ -177,6 +178,7 @@ func main() {
upstream: cfg.ClaudomatorURL,
prefix: "/claudomator",
webhookPaths: []string{"/claudomator/api/webhooks/github"},
+ publicPaths: []string{"/claudomator/chatbot/mcp"},
},
}
if cfg.PlaygroundURL != "" {
@@ -281,6 +283,10 @@ func main() {
for _, wp := range m.webhookPaths {
r.Post(wp, proxy.ServeHTTP)
}
+ // Public all-method paths bypass session auth (rely on service-level bearer token)
+ for _, pp := range m.publicPaths {
+ r.Handle(pp, http.HandlerFunc(proxy.ServeHTTP))
+ }
// All other routes require auth + origin check (CSRF protection for proxy)
r.Group(func(r chi.Router) {