iarv/meshstream
1
0
Fork 1
mirror of https://github.com/dpup/meshstream.git synced 2026-03-28 17:42:37 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
9e5fd5bcaecdfd34df00e54d6e6a185b96cd9fd1
meshstream/todos/007-pending-p2-wildcard-cors-no-auth.md
Daniel Pupius 9e5fd5bcae Add code review findings as todos 
Security and architecture review of current codebase. 11 findings:
- 3 P1 (XSS, hardcoded creds, unbounded memory growth)
- 4 P2 (SSE protocol, broker deadlock, NetworkMap architecture, CORS)
- 4 P3 (security headers, error leakage, dead code, binary payload)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-15 15:41:24 +00:00

57 lines
1.9 KiB
Markdown
Raw Blame History

---
status: pending
priority: p2
issue_id: "007"
tags: [code-review, security, cors, auth, backend]
dependencies: []
---
# Wildcard CORS + No Authentication on SSE Endpoint
## Problem Statement
`/api/stream` sets `Access-Control-Allow-Origin: *`, meaning any JavaScript on any origin can subscribe to the full decoded packet feed. There is no authentication at any layer. The `/api/status` endpoint also exposes the MQTT server hostname and subscribed topic to any caller.
## Findings
- **File:** `server/server.go`, line ~182
- `w.Header().Set("Access-Control-Allow-Origin", "*")` on the SSE endpoint
- No API key, session token, or any auth mechanism
- `/api/status` returns `mqttServer` and `mqttTopic` to unauthenticated callers
## Proposed Solutions
### Option A: Restrict CORS to same-origin or configured origin
Replace `*` with a configurable `MESHSTREAM_ALLOWED_ORIGIN` env var. Default to `""` (same-origin only).
- **Effort:** Small
- **Risk:** Low (may break cross-origin dev setups — document the env var)
### Option B: Add optional static token auth
Add an optional `MESHSTREAM_API_TOKEN` env var. If set, require `Authorization: Bearer <token>` or `?token=<token>` on all API requests.
- **Effort:** Small-Medium
- **Risk:** Low
### Option C: No change for local-only deployments
Document that the server is intended for local/trusted network use only.
- **Effort:** Trivial
- **Cons:** Doesn't protect deployments that are inadvertently exposed
- **Risk:** Medium
## Recommended Action
_Option A at minimum (restrict CORS origin). Option B if public deployment is expected._
## Technical Details
- **Affected file:** `server/server.go`
## Acceptance Criteria
- [ ] CORS origin is not `*` in default configuration
- [ ] CORS origin is configurable via environment variable
- [ ] Status endpoint does not expose internal MQTT details without auth (or is documented as intentionally public)
## Work Log
- 2026-03-15: Identified by security-sentinel review agent
Reference in New Issue View Git Blame Copy Permalink