aevgarik/paperclip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add board mutation guard middleware

Browse Source 
Require trusted browser origin (Origin or Referer header) for
mutating requests from board actors, preventing cross-origin
mutation attempts against the local-trusted API.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Forgotten
2026-02-20 15:48:30 -06:00
parent 49e15f056d
commit 82da8739c1
3 changed files with 123 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
server/src/__tests__/board-mutation-guard.test.ts Normal file
View File

@@ -0,0 +1,60 @@
import { describe, expect, it } from "vitest";
import express from "express";
import request from "supertest";
import { boardMutationGuard } from "../middleware/board-mutation-guard.js";
function createApp(actorType: "board" | "agent") {
const app = express();
app.use(express.json());
app.use((req, _res, next) => {
req.actor = actorType === "board" ? { type: "board", userId: "board" } : { type: "agent", agentId: "agent-1" };
next();
});
app.use(boardMutationGuard());
app.post("/mutate", (_req, res) => {
res.status(204).end();
});
app.get("/read", (_req, res) => {
res.status(204).end();
});
return app;
}
describe("boardMutationGuard", () => {
it("allows safe methods for board actor", async () => {
const app = createApp("board");
const res = await request(app).get("/read");
expect(res.status).toBe(204);
});
it("blocks board mutations without trusted origin", async () => {
const app = createApp("board");
const res = await request(app).post("/mutate").send({ ok: true });
expect(res.status).toBe(403);
expect(res.body).toEqual({ error: "Board mutation requires trusted browser origin" });
});
it("allows board mutations from trusted origin", async () => {
const app = createApp("board");
const res = await request(app)
.post("/mutate")
.set("Origin", "http://localhost:5173")
.send({ ok: true });
expect(res.status).toBe(204);
});
it("allows board mutations from trusted referer origin", async () => {
const app = createApp("board");
const res = await request(app)
.post("/mutate")
.set("Referer", "http://localhost:5173/issues/abc")
.send({ ok: true });
expect(res.status).toBe(204);
});
it("does not block authenticated agent mutations", async () => {
const app = createApp("agent");
const res = await request(app).post("/mutate").send({ ok: true });
expect(res.status).toBe(204);
});
});