[BLOCKER] Add authentication to coordinator integration endpoints #184

New Issue

Closed

opened 2026-02-02 17:23:38 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-02 17:23:38 +00:00

Owner

Copy Link

Problem

All 6 coordinator integration endpoints are completely unauthenticated, allowing external systems to create, modify, and fail jobs without any authorization.

Vulnerable Endpoints

• POST /coordinator/jobs (create jobs)
• PATCH /coordinator/jobs/:id/status (update status)
• POST /coordinator/jobs/:id/complete (mark complete)
• POST /coordinator/jobs/:id/fail (mark failed)
• PATCH /coordinator/jobs/:id/progress (update progress)
• POST /coordinator/jobs/:id/retry (retry job)

Location

apps/api/src/coordinator-integration/coordinator-integration.controller.ts

Attack Vectors

1. Create arbitrary jobs for any workspace (bypass workspace isolation)
2. Mark legitimate jobs as failed with fake error messages
3. Inject malicious data into job results
4. Cause denial of service by creating thousands of jobs
5. Access job details across all workspaces
6. No audit trail of who modified jobs

Impact

• CRITICAL: External attack surface completely unprotected
• Blocks M4.2-Infrastructure milestone completion
• Blocks production deployment
• Violates multi-tenant isolation
• No accountability for job modifications

Acceptance Criteria

• Implement CoordinatorAuthGuard with API key validation
• Apply guard to all coordinator endpoints
• Validate workspaceId against coordinator's allowed workspaces
• Add rate limiting (max 100 req/min per coordinator)
• Log all coordinator actions to audit trail
• Add coordinator registration endpoint (admin-only)
• Document coordinator authentication setup
• Add tests for auth failures

Implementation Notes

@Controller("coordinator")
@UseGuards(CoordinatorAuthGuard)  // NEW: Require API key
export class CoordinatorIntegrationController {
  @Post("jobs")
  @RequirePermission(Permission.SYSTEM_ADMIN)  // NEW: System-level auth
  async createJob(@Body() dto: CreateCoordinatorJobDto) {
    // Validate workspaceId belongs to authenticated coordinator
    // Log all coordinator actions with source identifier
  }
}

References

M4.2-Infrastructure verification report (2026-02-02)
Security review agent ID: a1b8b3f

## Problem All 6 coordinator integration endpoints are completely unauthenticated, allowing external systems to create, modify, and fail jobs without any authorization. ## Vulnerable Endpoints - POST /coordinator/jobs (create jobs) - PATCH /coordinator/jobs/:id/status (update status) - POST /coordinator/jobs/:id/complete (mark complete) - POST /coordinator/jobs/:id/fail (mark failed) - PATCH /coordinator/jobs/:id/progress (update progress) - POST /coordinator/jobs/:id/retry (retry job) ## Location apps/api/src/coordinator-integration/coordinator-integration.controller.ts ## Attack Vectors 1. Create arbitrary jobs for any workspace (bypass workspace isolation) 2. Mark legitimate jobs as failed with fake error messages 3. Inject malicious data into job results 4. Cause denial of service by creating thousands of jobs 5. Access job details across all workspaces 6. No audit trail of who modified jobs ## Impact - **CRITICAL**: External attack surface completely unprotected - Blocks M4.2-Infrastructure milestone completion - Blocks production deployment - Violates multi-tenant isolation - No accountability for job modifications ## Acceptance Criteria - [ ] Implement CoordinatorAuthGuard with API key validation - [ ] Apply guard to all coordinator endpoints - [ ] Validate workspaceId against coordinator's allowed workspaces - [ ] Add rate limiting (max 100 req/min per coordinator) - [ ] Log all coordinator actions to audit trail - [ ] Add coordinator registration endpoint (admin-only) - [ ] Document coordinator authentication setup - [ ] Add tests for auth failures ## Implementation Notes ```typescript @Controller("coordinator") @UseGuards(CoordinatorAuthGuard) // NEW: Require API key export class CoordinatorIntegrationController { @Post("jobs") @RequirePermission(Permission.SYSTEM_ADMIN) // NEW: System-level auth async createJob(@Body() dto: CreateCoordinatorJobDto) { // Validate workspaceId belongs to authenticated coordinator // Log all coordinator actions with source identifier } } ``` ## References M4.2-Infrastructure verification report (2026-02-02) Security review agent ID: a1b8b3f

jason.woltje added this to the M4.2-Infrastructure (0.0.4) milestone 2026-02-02 17:23:38 +00:00

jason.woltje added the securityapiapip0 labels 2026-02-02 17:23:38 +00:00

jason.woltje closed this issue 2026-02-02 17:53:06 +00:00

jason.woltje referenced this issue from a commit 2026-02-02 19:00:53 +00:00

fix(#184): add authentication to coordinator integration endpoints

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label api api p0 security

Milestone

No items

No Milestone M4.2-Infrastructure (0.0.4)

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#184