replace TRUST_PROXY_HEADERS with ADMIN_API_KEY for admin auth #32
Draft
Without this patch, GraphiQL endpoints were configured with absolute URLs constructed from ExternalBaseURL. This caused GraphiQL to fail when the service was accessed through a different domain (e.g., via proxy, load balancer, or alternate hostname) because it would always try to connect to the configured base URL rather than the domain the user was actually using.

This is a problem because it prevents GraphiQL from working in multi-domain deployments and makes local development harder when accessing the service through different hostnames.

This patch solves the problem by changing GraphiQLConfig to accept relative paths (EndpointPath and SubscriptionPath) instead of absolute URLs. The GraphiQL HTML template now uses JavaScript to dynamically construct the full URLs from window.location at runtime, ensuring the page always connects to the correct domain. The WebSocket protocol is also derived dynamically (ws: for http:, wss: for https:).

Changes:
- Replace Endpoint/SubscriptionEndpoint with EndpointPath/SubscriptionPath
- Use window.location.origin to build full GraphQL URL at runtime
- Derive WebSocket protocol from page protocol dynamically
- Update tests to verify path-based configuration

Co-authored-by: Claude Code <claude-code@noreply.anthropic.com>

Remove the insecure TRUST_PROXY_HEADERS mechanism which allowed anyone to spoof admin identity via the X-User-DID header. Replace with ADMIN_API_KEY: a shared secret that must be sent as a Bearer token alongside X-User-DID.

- Add ADMIN_API_KEY env var to config
- Gate X-User-DID trust on constant-time API key validation
- Add auth bar (API key + DID inputs) to admin GraphiQL page
- Credentials persisted in localStorage for convenience
- Update CORS to allow X-User-DID header when API key is configured

DO NOT MERGE UNTIL #31 is merged! This is stacked on top, so will need a rebase for clean history.
Remove the insecure TRUST_PROXY_HEADERS mechanism which allowed anyone to
spoof admin identity via the X-User-DID header. Replace with ADMIN_API_KEY:
a shared secret that must be sent as a Bearer token alongside X-User-DID.
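
The gate described above (trust X-User-DID only after a constant-time check of the Bearer token against ADMIN_API_KEY), as an added example that is not code from this pull request. Go as the language, the function names `adminDID` and `check`, the `/admin/graphql` path, and the sample key and DID are all assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// adminDID (hypothetical name) returns the DID from X-User-DID only when the
// request also carries "Authorization: Bearer <ADMIN_API_KEY>". An empty
// configured key disables admin auth, so the header is never trusted by default.
func adminDID(r *http.Request, adminAPIKey string) (string, bool) {
	if adminAPIKey == "" {
		return "", false
	}
	authz := r.Header.Get("Authorization")
	if !strings.HasPrefix(authz, "Bearer ") {
		return "", false
	}
	// Hash both sides so the comparison runs over equal-length inputs and
	// timing does not reveal the length of the configured key.
	got := sha256.Sum256([]byte(strings.TrimPrefix(authz, "Bearer ")))
	want := sha256.Sum256([]byte(adminAPIKey))
	if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
		return "", false
	}
	did := r.Header.Get("X-User-DID")
	return did, did != ""
}

// check builds a constructed request and reports which DID would be trusted.
func check(authz, did, key string) (string, bool) {
	r := httptest.NewRequest(http.MethodPost, "/admin/graphql", nil) // assumed path
	if authz != "" {
		r.Header.Set("Authorization", authz)
	}
	r.Header.Set("X-User-DID", did)
	return adminDID(r, key)
}

func main() {
	const key = "constructed-example-key" // constructed sample value, not a real secret
	fmt.Println(check("Bearer "+key, "did:plc:example", key))
	fmt.Println(check("", "did:plc:example", key))
	fmt.Println(check("Bearer wrong", "did:plc:example", key))
}
```

Because the key is a single shared secret, any holder can assert any DID; the check authenticates the caller as an admin client, not the DID itself.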