fix(auth): trust internal Docker/loopback connections in AuthMiddleware
Same pattern we already use for /ws/live (host-side Discord bot bypass). Lets the new overlord-agent service call any tracker HTTP endpoint without forging a session cookie. Safe because port 8765 is bound to 127.0.0.1 in docker-compose.yml — only the host or other compose-network containers can reach it.
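A CIDR-based version of the internal-connection test, added here as an illustration and not code from this commit or the tracker project. It assumes a list of trusted networks (loopback plus 172.16.0.0/12, the range Docker's default bridge pools draw from) standing in for the subnet docker-compose actually assigns; the function and constant names are invented for the example. It is shown beside the string-prefix test so the difference is visible on concrete addresses.

```python
import ipaddress
from typing import Iterable, Optional

# Assumed trusted ranges for the example. 172.16.0.0/12 covers every subnet Docker
# hands out by default; a deployment should narrow it to the one compose subnet
# (see `docker network inspect <network>`), and must exclude any reverse proxy
# on that network, since the proxy's address is what the app sees as the peer.
DEFAULT_TRUSTED_NETWORKS = (
    "127.0.0.0/8",
    "::1/128",
    "172.16.0.0/12",
)


def prefix_check(client_host: str) -> bool:
    """The string-prefix test, reproduced for comparison only."""
    return client_host.startswith("172.") or client_host in ("127.0.0.1", "::1", "localhost")


def is_trusted_internal(
    client_host: Optional[str],
    trusted_networks: Iterable[str] = DEFAULT_TRUSTED_NETWORKS,
) -> bool:
    """Return True only if client_host parses as an address inside a trusted network.

    Fails closed on a missing peer (request.client can be None under some ASGI
    servers) and on anything that is not an IP literal ("localhost", garbage).
    """
    if not client_host:
        return False
    try:
        addr = ipaddress.ip_address(client_host)
    except ValueError:
        return False
    # A dual-stack listener may report an IPv4 peer as ::ffff:a.b.c.d; unwrap it
    # so the IPv4 network list still applies.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(
        addr in ipaddress.ip_network(net, strict=False) for net in trusted_networks
    )


def compare(hosts: Iterable[str]) -> dict:
    """Evaluate both checks on the same peers; returns {host: (prefix, cidr)}."""
    return {h: (prefix_check(h), is_trusted_internal(h)) for h in hosts}


if __name__ == "__main__":
    # Constructed sample peers: a compose container, a public 172.x host that is
    # NOT private, a mapped IPv4 peer, loopback, and a hostname string.
    for host, verdict in compare(
        ["172.20.0.5", "172.200.1.1", "::ffff:172.20.0.5", "127.0.0.1", "localhost"]
    ).items():
        print(f"{host:>22}  prefix={verdict[0]!s:5}  cidr={verdict[1]}")
```

The public address 172.200.1.1 passes the prefix test and fails the CIDR test; the mapped address ::ffff:172.20.0.5 is the reverse. Neither variant helps if a reverse proxy inside the compose network forwards external traffic, because every forwarded request then arrives from a trusted address; for that deployment a shared secret sent by the helper services is the better control.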
parent a3353e572d
commit 0745aefdb9
1 changed file with 9 additions and 0 deletions
main.py (+9)
@ -1046,6 +1046,15 @@ class AuthMiddleware(BaseHTTPMiddleware):
if path.startswith("/ws/live"):
return await call_next(request)
# Trust internal connections (Docker network gateway + loopback). The
# tracker port (8765) is bound to 127.0.0.1 in docker-compose.yml and
# only the host or other compose-network containers can reach it.
# This lets host-side helpers (overlord-agent, discord-rare-monitor,
# etc.) call any endpoint without forging a session cookie.
client_host = request.client.host if request.client else ""
if client_host.startswith("172.") or client_host in ("127.0.0.1", "::1", "localhost"):
return await call_next(request)
# Check session cookie
token = request.cookies.get("session")
if token:
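Review bot: `client_host.startswith("172.")` in the new trust block is a string-prefix match, not a network check: it accepts every address in 172.0.0.0/8, of which only 172.16.0.0/12 is private, so a peer reported as, say, 172.200.1.1 would skip the session check for every endpoint, while a peer reported as an IPv4-mapped IPv6 address (::ffff:172.20.0.5) would not match at all. Parse with `ipaddress.ip_address(client_host)`, return False on ValueError, and test membership in the compose subnet (`ipaddress.ip_network("172.16.0.0/12")`, or better the specific subnet docker-compose assigns); `"localhost"` can then leave the tuple, since `request.client.host` carries an address, not a hostname. The comment should also state what the safety argument depends on: the bypass runs before the cookie check and applies to any path, so it holds only while port 8765 stays bound to 127.0.0.1 and every container on the compose network is trusted, and it collapses if a reverse proxy on that network ever fronts the app, because the proxy's address would then be `client_host` for all forwarded external requests. If helper services like overlord-agent can be configured, a shared secret sent in a request header is a tighter control than the peer address.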