Skip to content

[CherryPick 2.0] Restrict POST /configuration endpoint to loopback#3671

Merged
souvikghosh04 merged 1 commit into
release/2.0from
Usr/sogh/cherry-pick-3669-release-2.0
Jun 22, 2026
Merged

[CherryPick 2.0] Restrict POST /configuration endpoint to loopback#3671
souvikghosh04 merged 1 commit into
release/2.0from
Usr/sogh/cherry-pick-3669-release-2.0

Conversation

@souvikghosh04

Copy link
Copy Markdown
Contributor

Cherry-pick of #3669 (commit 7a0d7e3) onto release/2.0.

Summary

Restricts the late-configured POST /configuration endpoint to loopback callers, with an optional bootstrap token via DAB_CONFIG_AUTH_TOKEN / X-DAB-CONFIG-AUTH (fixed-time comparison). Addresses CWE-306 on the hosted-mode bootstrap channel.

Change

  • src/Service/Startup.cs: added IsConfigurationRequestAuthorized(HttpContext) and wired it into the existing POST /configuration gating middleware (returns 403 when unauthorized). Null RemoteIpAddress (in-process callers like TestServer) treated as loopback. IPv4-mapped IPv6 normalized via MapToIPv4() before IPAddress.IsLoopback.
  • src/Service.Tests/Configuration/ConfigurationEndpointAuthorizationTests.cs: 26 tests (18 unit matrix + 8 end-to-end TestServer rows).

Backward compatibility

  • Azure Static Web Apps platform config injector (loopback inside the container) keeps working unchanged.
  • In-process TestServer callers keep working unchanged.
  • Bootstrap token is opt-in -- behavior on loopback matches today's when DAB_CONFIG_AUTH_TOKEN is unset.

Validation

  • Clean cherry-pick (no conflicts; src/Service/Startup.cs auto-merged).
  • dotnet build clean (0 warnings, 0 errors).
  • All 26 ConfigurationEndpointAuthorizationTests pass locally on the cherry-pick branch.

## Summary

Restrict the late-configured `POST /configuration` endpoint so it is
only callable from the loopback interface, with an optional
bootstrap-token check on top.

## Why

`POST /configuration` is used in hosted mode (e.g. Azure Static Web
Apps) to deliver the runtime config — including the database connection
string — to an uninitialized DAB instance. It currently runs before the
authentication middleware and has no other access control, which is more
permissive than required for what is effectively a host-to-runtime
bootstrap channel.

## Change

In `src/Service/Startup.cs`, the existing middleware that gates `POST
/configuration` now also checks
`IsConfigurationRequestAuthorized(HttpContext)` and returns `403
Forbidden` if it fails. The check enforces:

1. The request must originate from a loopback address. Null
`RemoteIpAddress` (in-process callers such as `TestServer`) is treated
as loopback.
2. If the `DAB_CONFIG_AUTH_TOKEN` environment variable is set, the
request must include a matching `X-DAB-CONFIG-AUTH` header (fixed-time
comparison).

The rest of the middleware ordering is unchanged.

## Backward compatibility

- Azure Static Web Apps platform config injector (posts over loopback
inside the container) keeps working unchanged.
- Existing in-process `TestServer` tests keep working unchanged.
- The bootstrap token is opt-in — when the env var is unset, behavior on
loopback matches today's behavior.

## Tests

- [x] Unit Tests

(cherry picked from commit 7a0d7e3)
Copilot AI review requested due to automatic review settings June 18, 2026 04:46
@souvikghosh04 souvikghosh04 changed the title [release/2.0] Restrict POST /configuration endpoint to loopback (#3669) [CherryPick 2.0] Restrict POST /configuration endpoint to loopback Jun 18, 2026
@souvikghosh04 souvikghosh04 self-assigned this Jun 18, 2026
@souvikghosh04 souvikghosh04 moved this from Todo to Review In Progress in Data API builder Jun 18, 2026
@souvikghosh04 souvikghosh04 added this to the June 2026 milestone Jun 18, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This cherry-pick tightens security around the late-configured bootstrap channel by restricting POST /configuration (and /configuration/v2) to loopback callers, with an optional bootstrap token check (DAB_CONFIG_AUTH_TOKEN via X-DAB-CONFIG-AUTH) using fixed-time comparison.

Changes:

  • Added Startup.IsConfigurationRequestAuthorized(HttpContext) to enforce loopback-only access and (optionally) a bootstrap token.
  • Wired the authorization check into the existing pre-auth middleware gate for POST /configuration*, returning 403 Forbidden when unauthorized.
  • Added a new test suite covering the authorization matrix and end-to-end middleware behavior via TestServer.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
src/Service/Startup.cs Adds loopback + optional token authorization for late-config POST /configuration* requests and enforces it in the gating middleware.
src/Service.Tests/Configuration/ConfigurationEndpointAuthorizationTests.cs Adds unit/e2e tests validating the new authorization behavior across IP/token combinations.

Comment thread src/Service/Startup.cs
@souvikghosh04 souvikghosh04 merged commit 109ee47 into release/2.0 Jun 22, 2026
15 checks passed
@souvikghosh04 souvikghosh04 deleted the Usr/sogh/cherry-pick-3669-release-2.0 branch June 22, 2026 17:27
@github-project-automation github-project-automation Bot moved this from Review In Progress to Done in Data API builder Jun 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

Status: Done

Development

Successfully merging this pull request may close these issues.

4 participants