[CRITICAL] Fix CORS configuration for cookie-based authentication #192

New Issue

Closed

opened 2026-02-02 17:25:34 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-02 17:25:34 +00:00

Owner

Copy Link

Problem

CORS is configured with defaults (enableCors()) which allows all origins but doesn't enable credentials. This conflicts with cookie-based auth and risks a "credentials + wildcard origin" misconfiguration.

Locations

• apps/api/src/main.ts:44 - enableCors() with defaults
• apps/web/lib/client.ts:31 - credentials: "include"

// API
app.enableCors();  // ❌ Defaults to origin: '*'

// Web client  
fetch(url, {
  credentials: "include",  // ❌ Sends cookies but CORS blocks it
});

Issues

1. Wildcard origin (*) with credentials rejected by browsers
2. Cookie-based auth won't work across origins
3. No CSRF protection
4. Potential for credentials leakage if origin checking bypassed

Impact

• CRITICAL: Authentication completely broken
• Web client cannot access API
• Session cookies not sent
• Blocks production deployment
• Security risk if wildcard + credentials misconfigured

Acceptance Criteria

• Configure explicit allowed origins list
• Enable credentials: true in CORS
• Add CSRF token protection
• Support multiple environments (dev/prod origins)
• Document CORS configuration
• Add tests for CORS headers
• Verify cookies sent successfully

Implementation

// apps/api/src/main.ts
app.enableCors({
  origin: [
    process.env.WEB_URL || 'http://localhost:3000',
    process.env.ADDITIONAL_ORIGINS?.split(',') || []
  ].flat().filter(Boolean),
  credentials: true,
  methods: ['GET', 'POST', 'PATCH', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Content-Type', 'Authorization', 'X-Workspace-Id'],
  exposedHeaders: ['X-Total-Count'],
});

// Add CSRF protection
app.use(csurf({ 
  cookie: { 
    httpOnly: true, 
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'strict'
  } 
}));

// apps/web/lib/client.ts  
const csrfToken = getCsrfToken();

fetch(url, {
  credentials: "include",
  headers: {
    'Content-Type': 'application/json',
    'X-CSRF-Token': csrfToken,
  },
});

Environment Variables

# .env
WEB_URL=http://localhost:3000
ADDITIONAL_ORIGINS=https://app.example.com,https://admin.example.com

Testing

• Test API accessible from web client
• Test cookies sent with requests
• Test CORS preflight OPTIONS requests
• Test CSRF token validation
• Test unauthorized origin rejected

References

External security review findings (2026-02-02)

## Problem CORS is configured with defaults (enableCors()) which allows all origins but doesn't enable credentials. This conflicts with cookie-based auth and risks a "credentials + wildcard origin" misconfiguration. ## Locations - apps/api/src/main.ts:44 - enableCors() with defaults - apps/web/lib/client.ts:31 - credentials: "include" ```typescript // API app.enableCors(); // ❌ Defaults to origin: '*' // Web client fetch(url, { credentials: "include", // ❌ Sends cookies but CORS blocks it }); ``` ## Issues 1. Wildcard origin (*) with credentials rejected by browsers 2. Cookie-based auth won't work across origins 3. No CSRF protection 4. Potential for credentials leakage if origin checking bypassed ## Impact - **CRITICAL**: Authentication completely broken - Web client cannot access API - Session cookies not sent - Blocks production deployment - Security risk if wildcard + credentials misconfigured ## Acceptance Criteria - [ ] Configure explicit allowed origins list - [ ] Enable credentials: true in CORS - [ ] Add CSRF token protection - [ ] Support multiple environments (dev/prod origins) - [ ] Document CORS configuration - [ ] Add tests for CORS headers - [ ] Verify cookies sent successfully ## Implementation ```typescript // apps/api/src/main.ts app.enableCors({ origin: [ process.env.WEB_URL || 'http://localhost:3000', process.env.ADDITIONAL_ORIGINS?.split(',') || [] ].flat().filter(Boolean), credentials: true, methods: ['GET', 'POST', 'PATCH', 'DELETE', 'OPTIONS'], allowedHeaders: ['Content-Type', 'Authorization', 'X-Workspace-Id'], exposedHeaders: ['X-Total-Count'], }); // Add CSRF protection app.use(csurf({ cookie: { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'strict' } })); ``` ```typescript // apps/web/lib/client.ts const csrfToken = getCsrfToken(); fetch(url, { credentials: "include", headers: { 'Content-Type': 'application/json', 'X-CSRF-Token': csrfToken, }, }); ``` ## Environment Variables ```bash # .env WEB_URL=http://localhost:3000 ADDITIONAL_ORIGINS=https://app.example.com,https://admin.example.com ``` ## Testing - [ ] Test API accessible from web client - [ ] Test cookies sent with requests - [ ] Test CORS preflight OPTIONS requests - [ ] Test CSRF token validation - [ ] Test unauthorized origin rejected ## References External security review findings (2026-02-02)

jason.woltje added this to the M4.2-Infrastructure (0.0.4) milestone 2026-02-02 17:25:34 +00:00

jason.woltje added the securityauthapiapip0 labels 2026-02-02 17:25:34 +00:00

jason.woltje closed this issue 2026-02-02 18:14:01 +00:00

jason.woltje referenced this issue from a commit 2026-02-02 19:00:53 +00:00

fix(#192): fix CORS configuration for cookie-based authentication

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/orchestrator-widget-endpoints

fix/dashboard-widget-mock-data

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label api api auth p0 security

Milestone

No items

No Milestone M4.2-Infrastructure (0.0.4)

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#192