mirror of
https://github.com/larksuite/cli.git
synced 2026-07-03 14:02:43 +08:00
* feat(sidecar): support multi-client identity isolation in server-demo When multiple CLI sandbox environments share a single sidecar instance, user tokens (UAT) were not isolated -- the last user to log in would overwrite previous users' tokens, causing identity cross-contamination. This change introduces per-client HMAC key isolation: - Each client gets a unique client-*.key file for data-plane HMAC signing, allowing the sidecar to identify request origin. - A new auth_bridge.go handles management endpoints (login/poll/status) with explicit client-to-feishuOpenId binding. - User token resolution is strictly bound to the matched client -- no fallback to other users' tokens when a client has no mapping. - The shared proxy.key is reused across restarts instead of regenerated, fixing a race condition when multiple sidecar instances start together. Wire protocol (sidecar package) is unchanged; existing single-client deployments are fully backward compatible. Signed-off-by: Gao Yang <grany@yeah.net> (topwin.tech) * fix(sidecar): address review feedback on filesystem and safety - Replace os.ReadFile/WriteFile/ReadDir with vfs.* equivalents for test mockability, consistent with project coding guidelines. - Limit auth bridge request body to 64KB to prevent memory exhaustion. - Log errors in saveUserMap instead of silently discarding them. - Reject client keys that collide with the shared proxy key. - Reject duplicate client keys instead of silently overwriting. Signed-off-by: Gao Yang <grany@yeah.net> (topwin.tech) * refactor(sidecar): remove workspace-specific naming and backward compat - parseClientID: only accept "client_id" field, remove legacy fallback - loadClientKeys: scan all *.key (excluding proxy.key), no prefix required - Remove legacy file migration logic in newAuthBridge - Update flag description to reflect generic key scanning Signed-off-by: Gao Yang <grany@yeah.net> (topwin.tech) * refactor(sidecar): extract multi-tenant demo and add unit tests Address review feedback from sang-neo03: 1. Extract multi-client code into sidecar/server-multi-tenant-demo/, keeping server-demo as the minimal single-tenant reference. 2. Add unit tests for the isolation guarantee: - loadClientKeys: shared-key collision and duplicate keyHex are skipped - verifyWithClientKeys: correct client matched, unknown key rejected - loadUserMap/saveUserMap: round-trip persistence across restart 3. Cross-link READMEs between server-demo and server-multi-tenant-demo. Signed-off-by: Gao Yang <grany@yeah.net> (topwin.tech) * docs(sidecar): rewrite multi-tenant demo README with problem statement and client guide - Explain the multi-app credential isolation problem (app_secret must not be exposed to client environments) - Document typical deployment topology with multiple sidecar instances - Add complete client setup guide: env vars, multi-app switching, login flow, and end-to-end workflow example - Document design decisions and management endpoint details Signed-off-by: Gao Yang <grany@yeah.net> (topwin.tech) * fix(sidecar): address CodeRabbit review feedback on tests and docs - Make TestProxyHandler_AcceptsAllowedAuthHeaders fully offline by using httptest.NewTLSServer instead of depending on open.feishu.cn - Isolate TestRun_RejectsSelfProxy config state with t.Setenv and temp dirs - Check os.MkdirAll error in test fixture setup - Add language identifiers to fenced code blocks (MD040) - Validate user-supplied CLI paths with validate.SafeInputPath Signed-off-by: Gao Yang <grany@yeah.net> (topwin.tech) --------- Signed-off-by: Gao Yang <grany@yeah.net> (topwin.tech)
52 lines
1.5 KiB
Go
52 lines
1.5 KiB
Go
// Copyright (c) 2026 Lark Technologies Pte. Ltd.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
//go:build authsidecar_multi_tenant_demo
|
|
|
|
package main
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/larksuite/cli/sidecar"
|
|
)
|
|
|
|
// newForwardClient creates an HTTP client for forwarding requests to the
|
|
// Lark API. It strips Authorization on cross-host redirects and disables
|
|
// proxy to prevent real tokens from leaking through environment proxies.
|
|
func newForwardClient() *http.Client {
|
|
transport := http.DefaultTransport.(*http.Transport).Clone()
|
|
transport.Proxy = nil // never proxy the trusted hop
|
|
return &http.Client{
|
|
Transport: transport,
|
|
Timeout: 30 * time.Second,
|
|
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
|
if len(via) >= 10 {
|
|
return fmt.Errorf("too many redirects")
|
|
}
|
|
if len(via) > 0 && req.URL.Host != via[0].URL.Host {
|
|
req.Header.Del("Authorization")
|
|
req.Header.Del(sidecar.HeaderMCPUAT)
|
|
req.Header.Del(sidecar.HeaderMCPTAT)
|
|
}
|
|
return nil
|
|
},
|
|
}
|
|
}
|
|
|
|
// isProxyHeader returns true for headers specific to the sidecar protocol.
|
|
func isProxyHeader(key string) bool {
|
|
switch http.CanonicalHeaderKey(key) {
|
|
case http.CanonicalHeaderKey(sidecar.HeaderProxyTarget),
|
|
http.CanonicalHeaderKey(sidecar.HeaderProxyIdentity),
|
|
http.CanonicalHeaderKey(sidecar.HeaderProxySignature),
|
|
http.CanonicalHeaderKey(sidecar.HeaderProxyTimestamp),
|
|
http.CanonicalHeaderKey(sidecar.HeaderBodySHA256),
|
|
http.CanonicalHeaderKey(sidecar.HeaderProxyAuthHeader):
|
|
return true
|
|
}
|
|
return false
|
|
}
|