From 081d06794a90ce45406ac1f12db9f843d8077327 Mon Sep 17 00:00:00 2001 From: Peter Stone Date: Sun, 5 Jul 2026 04:44:54 +0000 Subject: feat(gateway): add publicPaths bypass for all-method service routes Adds a publicPaths field to serviceMount alongside webhookPaths. webhookPaths remains POST-only (HMAC-signed webhooks). publicPaths bypasses session auth for all methods, relying on the upstream service's own bearer-token auth instead. Used to expose /claudomator/chatbot/mcp for MCP client connections (claude-code) which carry their own Authorization header and cannot carry a doot session cookie. --- cmd/dashboard/main.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'cmd/dashboard/main.go') diff --git a/cmd/dashboard/main.go b/cmd/dashboard/main.go index 7e58125..fc26c06 100644 --- a/cmd/dashboard/main.go +++ b/cmd/dashboard/main.go @@ -169,7 +169,8 @@ func main() { name string upstream string prefix string - webhookPaths []string // POST paths that bypass session auth (e.g. HMAC-signed webhooks) + webhookPaths []string // POST-only paths that bypass session auth (e.g. HMAC-signed webhooks) + publicPaths []string // all-method paths that bypass session auth (protected by service-level bearer token) } mounts := []serviceMount{ { @@ -177,6 +178,7 @@ func main() { upstream: cfg.ClaudomatorURL, prefix: "/claudomator", webhookPaths: []string{"/claudomator/api/webhooks/github"}, + publicPaths: []string{"/claudomator/chatbot/mcp"}, }, } if cfg.PlaygroundURL != "" { @@ -281,6 +283,10 @@ func main() { for _, wp := range m.webhookPaths { r.Post(wp, proxy.ServeHTTP) } + // Public all-method paths bypass session auth (rely on service-level bearer token) + for _, pp := range m.publicPaths { + r.Handle(pp, http.HandlerFunc(proxy.ServeHTTP)) + } // All other routes require auth + origin check (CSRF protection for proxy) r.Group(func(r chi.Router) { -- cgit v1.2.3