aevgarik/paperclip
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: harden public routine trigger auth

Browse Source
This commit is contained in:
dotta
2026-03-20 13:23:31 -05:00
parent 13fd656e2b
commit a62c264ddf
2 changed files with 10 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
server/src/routes/routines.ts
View File

@@ -17,7 +17,7 @@ export function routineRoutes(db: Db) {
const router = Router();
const svc = routineService(db);
async function assertCanManageCompanyRoutine(req: Request, companyId: string, assigneeAgentId?: string | null) {
function assertCanManageCompanyRoutine(req: Request, companyId: string, assigneeAgentId?: string | null) {
assertCompanyAccess(req, companyId);
if (req.actor.type === "board") return;
if (req.actor.type !== "agent" || !req.actor.agentId) throw unauthorized();
@@ -47,7 +47,7 @@ export function routineRoutes(db: Db) {
router.post("/companies/:companyId/routines", validate(createRoutineSchema), async (req, res) => {
const companyId = req.params.companyId as string;
await assertCanManageCompanyRoutine(req, companyId, req.body.assigneeAgentId);
assertCanManageCompanyRoutine(req, companyId, req.body.assigneeAgentId);
const created = await svc.create(companyId, req.body, {
agentId: req.actor.type === "agent" ? req.actor.agentId : null,
userId: req.actor.type === "board" ? req.actor.userId ?? "board" : null,

9
server/src/services/routines.ts
View File

@@ -1016,7 +1016,14 @@ export function routineService(db: Db, deps: { heartbeat?: IssueAssignmentWakeup
const secretValue = await resolveTriggerSecret(trigger, routine.companyId);
if (trigger.signingMode === "bearer") {
const expected = `Bearer ${secretValue}`;
if (!input.authorizationHeader || input.authorizationHeader.trim() !== expected) {
const provided = input.authorizationHeader?.trim() ?? "";
const expectedBuf = Buffer.from(expected);
const providedBuf = Buffer.alloc(expectedBuf.length);
providedBuf.write(provided.slice(0, expectedBuf.length));
const valid =
provided.length === expected.length &&
crypto.timingSafeEqual(providedBuf, expectedBuf);
if (!valid) {
throw unauthorized();
}
} else {