mirror of
https://github.com/multica-ai/multica.git
synced 2026-06-17 03:38:32 +02:00
* feat(auth): migrate auth token to HttpOnly cookie & implement WebSocket Origin whitelist

  Security improvements from the MUL-566 audit report:
  1. Auth token is now set as an HttpOnly, SameSite=Lax cookie on login, preventing XSS-based token theft. Cookie-based auth includes CSRF protection via double-submit cookie pattern. The Authorization header path is preserved for Electron desktop app and CLI/PAT clients.
  2. WebSocket upgrader now validates the Origin header against a configurable allowlist (ALLOWED_ORIGINS env var), rejecting connections from unauthorized origins.

  Backend: new auth cookie helpers, middleware reads cookie as fallback, WS handler accepts cookie auth, Origin whitelist, logout endpoint.
  Frontend: CSRF token in API headers, cookie-aware auth store and WS client, web app opts into cookieAuth mode while desktop keeps tokens.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(auth): address PR review — Strict cookies, HMAC-bound CSRF, origin sync

  1. SameSite=Lax → SameSite=Strict per spec requirement
  2. CSRF token now HMAC-signed with auth token (nonce.signature format), preventing subdomain cookie injection attacks
  3. allowedWSOrigins uses atomic.Value to eliminate data race
  4. Removed magic "cookie" sentinel string in WSProvider — pass null token and guard with boolean check instead
  5. Removed dead delete uploadHeaders["Content-Type"] in API client

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
64 lines
1.9 KiB
Plaintext
# Database
POSTGRES_DB=multica
POSTGRES_USER=multica
POSTGRES_PASSWORD=multica
POSTGRES_PORT=5432
DATABASE_URL=postgres://multica:multica@localhost:5432/multica?sslmode=disable

# Server
PORT=8080
JWT_SECRET=change-me-in-production
MULTICA_SERVER_URL=ws://localhost:8080/ws
MULTICA_APP_URL=http://localhost:3000
MULTICA_DAEMON_CONFIG=
MULTICA_WORKSPACE_ID=
MULTICA_DAEMON_ID=
MULTICA_DAEMON_DEVICE_NAME=
MULTICA_DAEMON_POLL_INTERVAL=3s
MULTICA_DAEMON_HEARTBEAT_INTERVAL=15s
MULTICA_CODEX_PATH=codex
MULTICA_CODEX_MODEL=
MULTICA_CODEX_WORKDIR=
MULTICA_CODEX_TIMEOUT=20m

# Email (Resend)
# For local/dev use, leave RESEND_API_KEY empty — codes print to stdout, and master code 888888 works.
# For production, set your Resend API key and change RESEND_FROM_EMAIL to a domain verified in your Resend account.
RESEND_API_KEY=
RESEND_FROM_EMAIL=noreply@multica.ai

# Google OAuth
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
GOOGLE_REDIRECT_URI=http://localhost:3000/auth/callback
NEXT_PUBLIC_GOOGLE_CLIENT_ID=

# S3 / CloudFront
S3_BUCKET=
S3_REGION=us-west-2
CLOUDFRONT_KEY_PAIR_ID=
CLOUDFRONT_PRIVATE_KEY_SECRET=multica/cloudfront-signing-key
CLOUDFRONT_PRIVATE_KEY=
CLOUDFRONT_DOMAIN=
COOKIE_DOMAIN=

# Local file storage (fallback when S3_BUCKET is not set)
LOCAL_UPLOAD_DIR=./data/uploads
LOCAL_UPLOAD_BASE_URL=http://localhost:8080

# Security
# Comma-separated list of allowed origins for CORS and WebSocket connections.
# Defaults to localhost dev origins when unset.
# Example: ALLOWED_ORIGINS=https://app.multica.ai,https://staging.multica.ai
ALLOWED_ORIGINS=

# Frontend
FRONTEND_PORT=3000
FRONTEND_ORIGIN=http://localhost:3000
NEXT_PUBLIC_API_URL=http://localhost:8080
NEXT_PUBLIC_WS_URL=ws://localhost:8080/ws

# Remote API (optional) — set to proxy local frontend to a remote backend
# Leave empty to use local backend (localhost:8080)
# REMOTE_API_URL=https://multica-api.copilothub.ai