Skip to content

fix(web): validate proxy sessions#1272

Open
GautamSharma99 wants to merge 1 commit into
supermemoryai:mainfrom
GautamSharma99:fix/validate-web-proxy-sessions
Open

fix(web): validate proxy sessions#1272
GautamSharma99 wants to merge 1 commit into
supermemoryai:mainfrom
GautamSharma99:fix/validate-web-proxy-sessions

Conversation

@GautamSharma99

Copy link
Copy Markdown
Contributor

Summary

The web proxy previously treated the presence of a Better Auth session cookie as
proof of authentication. Since getSessionCookie() only extracts the cookie
value, forged or expired cookies could pass the proxy and access protected
internal API routes.

This PR:

  • validates session cookies through Better Auth before granting access
  • rejects forged and expired cookies with 401 for API routes
  • redirects unauthenticated page requests to /login
  • fails closed when session validation is unavailable
  • preserves the existing public-route and local-development behavior

Tests

Added proxy-level regression coverage for:

  • forged session cookies
  • missing session cookies
  • expired session cookies
  • valid sessions
  • authentication backend failures

Focused tests and Biome checks pass.

The repository-wide suite currently reports unrelated pre-existing failures in
MCP network tests, Tools tests, and memory-graph render tests. Repository-wide
type checking also reports existing errors outside the changed files.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant