Gate tester cockpits on the mycelium path the same as the public gateway login gate #271
Reference: lhumina_code/home#271
The per-tester login gate is enforced only for the public domain. A request sent straight to a tester VM's mycelium address (or to its backend port) reaches the cockpit fully unauthenticated.

Verified live: http://[mycelium-ip]:9997/hero_cockpit/web/apps returns 200 with the full cockpit, while the same path requested with the public domain as the Host header returns 302 to the forge login. So the gate is host based, and it is bypassed on the mycelium and backend paths.

The public internet path is correctly protected; the mycelium overlay path is not, so anyone on the mycelium network who knows a tester's address reaches the cockpit without logging in.

The gate should apply regardless of how the request arrives: gate by default rather than on a Host match, or bind the cockpit to localhost so that only the gated proxy can reach it. Severity depends on how trusted the mycelium overlay is, but the cockpit should never serve unauthenticated.
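Added example, not the project's own code: a small WSGI stand-in that contrasts the host-matched gate this issue describes with a gate-by-default wrapper that checks the session on every request whatever the Host header says. The public domain, the forge login URL, the session cookie and the documentation-range IPv6 address standing in for a mycelium address are all placeholders.

```python
from urllib.parse import urlsplit
from wsgiref.util import setup_testing_defaults

PUBLIC_HOST = "cockpit.example.com"            # placeholder for the public domain
LOGIN_URL = "https://forge.example.com/login"  # placeholder for the forge login page
SESSION_COOKIE = "tester_session=valid"        # constructed stand-in for a real session


def cockpit_app(environ, start_response):
    """Stand-in for the cockpit backend that listens on port 9997."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"cockpit"]


def session_ok(environ):
    # Constructed check; a real gate would validate the session against the forge.
    return SESSION_COOKIE in environ.get("HTTP_COOKIE", "")


def host_matched_gate(app):
    """The weak behaviour: only requests whose Host is the public domain are gated."""
    def gate(environ, start_response):
        host = urlsplit("//" + environ.get("HTTP_HOST", "")).hostname
        if host == PUBLIC_HOST and not session_ok(environ):
            start_response("302 Found", [("Location", LOGIN_URL)])
            return [b""]
        return app(environ, start_response)   # any other Host falls through ungated
    return gate


def gate_by_default(app):
    """Corrected: every request is gated unless a valid session is present."""
    def gate(environ, start_response):
        if not session_ok(environ):
            start_response("302 Found", [("Location", LOGIN_URL)])
            return [b""]
        return app(environ, start_response)
    return gate


def call(app, host, cookie=""):
    """Drive a WSGI app without a server and return the numeric status code."""
    environ = {}
    setup_testing_defaults(environ)
    environ["HTTP_HOST"] = host
    environ["PATH_INFO"] = "/hero_cockpit/web/apps"
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    status = []

    def start_response(status_line, headers, exc_info=None):
        status.append(int(status_line.split()[0]))
        return lambda data: None

    list(app(environ, start_response))  # drain the body iterator
    return status[0]
```

Binding the cockpit to localhost is the complementary fix: with only the gated proxy able to reach port 9997, the unwrapped `cockpit_app` path is no longer reachable from the overlay at all.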