fix web test

Author: root

backend/domain/routes/deploy.go

@@ -29,13 +29,17 @@ func registerOperationRoutes(g *router.RouterGroup[*core.RequestEvent]) {
 	o.DELETE("/{id}", handleOperationDelete)
 	o.POST("/{id}/cancel", handleOperationCancel)
 	o.GET("/{id}/logs", handleOperationLogs)
-	o.GET("/{id}/stream", handleOperationLogStream)
 	o.POST("/install/name-availability", handleOperationInstallNameAvailability)
 	o.POST("/install/git-compose", handleOperationInstallGitCompose)
 	o.POST("/install/manual-compose", handleOperationInstallManualCompose)
 	o.POST("/install/git-compose/check", handleOperationInstallGitComposeCheck)
 	o.POST("/install/manual-compose/check", handleOperationInstallManualComposeCheck)
 
+	stream := g.Group("/actions")
+	stream.Bind(wsTokenAuth())
+	stream.Bind(apis.RequireSuperuserAuth())
+	stream.GET("/{id}/stream", handleOperationLogStream)
+
 	p := g.Group("/pipelines")
 	p.Bind(apis.RequireSuperuserAuth())
 	p.GET("", handlePipelineList)

backend/domain/routes/deploy_test.go

@@ -49,6 +49,57 @@ func (te *testEnv) doOperations(t *testing.T, method, url, body string, authenti
 	return rec
 }
 
+func (te *testEnv) doRegisteredRoute(t *testing.T, method, url, body string, headers map[string]string) *httptest.ResponseRecorder {
+	t.Helper()
+
+	r, err := apis.NewRouter(te.app)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	Register(&core.ServeEvent{App: te.app, Router: r})
+
+	mux, err := r.BuildMux()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var bodyReader io.Reader
+	if body != "" {
+		bodyReader = strings.NewReader(body)
+	}
+
+	req := httptest.NewRequest(method, url, bodyReader)
+	req.Header.Set("Content-Type", "application/json")
+	for key, value := range headers {
+		req.Header.Set(key, value)
+	}
+
+	rec := httptest.NewRecorder()
+	mux.ServeHTTP(rec, req)
+	return rec
+}
+
+func TestRegisterRejectsQueryTokenForPlainHTTPAPI(t *testing.T) {
+	te := newTestEnv(t)
+	defer te.cleanup()
+
+	rec := te.doRegisteredRoute(t, http.MethodGet, "/api/catalog/categories?token="+te.token, "", nil)
+	if rec.Code != http.StatusUnauthorized {
+		t.Fatalf("expected 401 for plain HTTP query-token auth, got %d: %s", rec.Code, rec.Body.String())
+	}
+}
+
+func TestOperationLogStreamAllowsQueryTokenAuth(t *testing.T) {
+	te := newTestEnv(t)
+	defer te.cleanup()
+
+	rec := te.doOperations(t, http.MethodGet, "/api/actions/missing-id/stream?token="+te.token, "", false)
+	if rec.Code != http.StatusNotFound {
+		t.Fatalf("expected 404 after query-token auth reached stream handler, got %d: %s", rec.Code, rec.Body.String())
+	}
+}
+
 func TestOperationManualComposeCreateListDetail(t *testing.T) {
 	te := newTestEnv(t)
 	defer te.cleanup()

backend/domain/routes/docker.go

@@ -7,6 +7,7 @@ import (
 	"strconv"
 	"sync"
 
+	"github.com/pocketbase/pocketbase/apis"
 	"github.com/pocketbase/pocketbase/core"
 	"github.com/pocketbase/pocketbase/tools/router"
 	"github.com/websoft9/appos/backend/domain/audit"
@@ -38,6 +39,7 @@ func init() {
 //	/api/ext/docker/volumes/*     — volume management
 func registerDockerRoutes(g *router.RouterGroup[*core.RequestEvent]) {
 	d := g.Group("/docker")
+	d.Bind(apis.RequireSuperuserAuth())
 
 	// ─── Servers list ───────────────────────────────────
 	d.GET("/servers", handleDockerServers)

backend/domain/routes/docker_test.go

@@ -1,8 +1,13 @@
 package routes
 
 import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
 	"testing"
 
+	"github.com/pocketbase/pocketbase/apis"
+	"github.com/pocketbase/pocketbase/core"
 	servers "github.com/websoft9/appos/backend/domain/resource/servers"
 )
 
@@ -57,3 +62,69 @@ func TestTunnelSSHPortFromServices(t *testing.T) {
 		})
 	}
 }
+
+func doDocker(t *testing.T, te *testEnv, method, url, body, token string) *httptest.ResponseRecorder {
+	t.Helper()
+
+	r, err := apis.NewRouter(te.app)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	g := r.Group("/api/ext")
+	g.Bind(apis.RequireAuth())
+	registerDockerRoutes(g)
+
+	mux, err := r.BuildMux()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req := httptest.NewRequest(method, url, strings.NewReader(body))
+	req.Header.Set("Content-Type", "application/json")
+	if token != "" {
+		req.Header.Set("Authorization", token)
+	}
+
+	rec := httptest.NewRecorder()
+	mux.ServeHTTP(rec, req)
+	return rec
+}
+
+func createRegularUserToken(t *testing.T, te *testEnv) string {
+	t.Helper()
+
+	usersCol, err := te.app.FindCollectionByNameOrId("users")
+	if err != nil {
+		t.Fatal(err)
+	}
+	user := core.NewRecord(usersCol)
+	user.Set("email", "user@test.com")
+	user.SetPassword("1234567890")
+	if err := te.app.Save(user); err != nil {
+		t.Fatal(err)
+	}
+
+	token, err := user.NewStaticAuthToken(0)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return token
+}
+
+func TestDockerRoutesRequireSuperuser(t *testing.T) {
+	te := newTestEnv(t)
+	defer te.cleanup()
+
+	userToken := createRegularUserToken(t, te)
+
+	rec := doDocker(t, te, http.MethodGet, "/api/ext/docker/servers", "", userToken)
+	if rec.Code != http.StatusForbidden {
+		t.Fatalf("expected 403 for non-superuser, got %d: %s", rec.Code, rec.Body.String())
+	}
+
+	rec = doDocker(t, te, http.MethodGet, "/api/ext/docker/servers", "", te.token)
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected 200 for superuser, got %d: %s", rec.Code, rec.Body.String())
+	}
+}

backend/domain/routes/routes.go

@@ -71,7 +71,6 @@ func Register(se *core.ServeEvent) {
 	components.Bind(apis.RequireAuth())
 
 	deployments := se.Router.Group("/api")
-	deployments.Bind(wsTokenAuth())
 	deployments.Bind(apis.RequireAuth())
 
 	// Server catalog routes (ops, ports, systemd) — no terminal sessions

backend/domain/routes/server.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"net/url"
 	"strings"
 
 	"github.com/gorilla/websocket"
@@ -16,8 +17,7 @@ import (
 )
 
 var wsUpgrader = websocket.Upgrader{
-	// TODO: validate Origin header for production CSRF protection.
-	CheckOrigin: func(r *http.Request) bool { return true },
+	CheckOrigin: allowWebSocketOrigin,
 }
 
 var dockerBridgeIPv4Lookup = netutil.LookupInterfaceIPv4
@@ -69,6 +69,83 @@ func wsTokenAuth() *hook.Handler[*core.RequestEvent] {
 	}
 }
 
+func allowWebSocketOrigin(r *http.Request) bool {
+	origin := strings.TrimSpace(r.Header.Get("Origin"))
+	if origin == "" {
+		return true
+	}
+	parsed, err := url.Parse(origin)
+	if err != nil || parsed.Scheme == "" || parsed.Host == "" {
+		return false
+	}
+	requestScheme := resolveWebSocketHTTPScheme(r)
+	if !strings.EqualFold(parsed.Scheme, requestScheme) {
+		return false
+	}
+	return sameWebSocketOriginHost(parsed.Host, resolveWebSocketHTTPHost(r), requestScheme)
+}
+
+func resolveWebSocketHTTPScheme(r *http.Request) string {
+	if strings.EqualFold(strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")), "https") || r.TLS != nil {
+		return "https"
+	}
+	return "http"
+}
+
+func resolveWebSocketHTTPHost(r *http.Request) string {
+	host := firstForwardedHostValue(r.Host)
+	forwardedHost := firstForwardedHostValue(r.Header.Get("X-Forwarded-Host"))
+	if host == "" {
+		host = forwardedHost
+	}
+	if forwardedHost != "" && forwardedHostCarriesPort(host, forwardedHost) {
+		host = forwardedHost
+	}
+	if !hostHasExplicitPort(host) {
+		if forwardedPort := firstForwardedPortValue(r.Header.Get("X-Forwarded-Port")); forwardedPort != "" {
+			host = appendPortIfMissing(host, forwardedPort)
+		}
+	}
+	return host
+}
+
+func sameWebSocketOriginHost(originHost string, requestHost string, scheme string) bool {
+	if !strings.EqualFold(stripOptionalPort(originHost), stripOptionalPort(requestHost)) {
+		return false
+	}
+	return effectivePort(originHost, scheme) == effectivePort(requestHost, scheme)
+}
+
+func effectivePort(host string, scheme string) string {
+	if host == "" {
+		return defaultPortForScheme(scheme)
+	}
+	if strings.HasPrefix(host, "[") {
+		if idx := strings.LastIndex(host, "]:"); idx >= 0 {
+			return host[idx+2:]
+		}
+		return defaultPortForScheme(scheme)
+	}
+	idx := strings.LastIndex(host, ":")
+	if idx <= 0 || strings.Contains(host[:idx], ":") {
+		return defaultPortForScheme(scheme)
+	}
+	port := host[idx+1:]
+	for _, ch := range port {
+		if ch < '0' || ch > '9' {
+			return defaultPortForScheme(scheme)
+		}
+	}
+	return port
+}
+
+func defaultPortForScheme(scheme string) string {
+	if strings.EqualFold(strings.TrimSpace(scheme), "https") {
+		return "443"
+	}
+	return "80"
+}
+
 // registerServerRoutes registers server catalog/ops routes (non-terminal).
 // These handle connectivity checks, power, ports, and systemd operations.
 func registerServerRoutes(g *router.RouterGroup[*core.RequestEvent]) {

backend/domain/routes/server_test.go

@@ -52,6 +52,40 @@ func TestLocalDockerBridgeRequiresAuth(t *testing.T) {
 	}
 }
 
+func TestAllowWebSocketOriginAllowsEmptyOrigin(t *testing.T) {
+	req := httptest.NewRequest(http.MethodGet, "https://console.example.com/api/actions/demo/stream", nil)
+	if !allowWebSocketOrigin(req) {
+		t.Fatal("expected empty origin to be allowed")
+	}
+}
+
+func TestAllowWebSocketOriginAllowsSameOrigin(t *testing.T) {
+	req := httptest.NewRequest(http.MethodGet, "https://console.example.com/api/actions/demo/stream", nil)
+	req.Header.Set("Origin", "https://console.example.com")
+	if !allowWebSocketOrigin(req) {
+		t.Fatal("expected same origin to be allowed")
+	}
+}
+
+func TestAllowWebSocketOriginRejectsCrossOrigin(t *testing.T) {
+	req := httptest.NewRequest(http.MethodGet, "https://console.example.com/api/actions/demo/stream", nil)
+	req.Header.Set("Origin", "https://evil.example.com")
+	if allowWebSocketOrigin(req) {
+		t.Fatal("expected cross origin to be rejected")
+	}
+}
+
+func TestAllowWebSocketOriginUsesForwardedProxyHostAndProto(t *testing.T) {
+	req := httptest.NewRequest(http.MethodGet, "http://internal.example.local/api/actions/demo/stream", nil)
+	req.Host = "console.example.com"
+	req.Header.Set("X-Forwarded-Host", "console.example.com:9443")
+	req.Header.Set("X-Forwarded-Proto", "https")
+	req.Header.Set("Origin", "https://console.example.com:9443")
+	if !allowWebSocketOrigin(req) {
+		t.Fatal("expected forwarded proxy origin to be allowed")
+	}
+}
+
 func TestLocalDockerBridgeReturnsAddress(t *testing.T) {
 	te := newTestEnv(t)
 	defer te.cleanup()