Skip to content

test(web): guard fail-closed bind defaults (loopback + no-token refusal)#94

Merged
xunholy merged 1 commit into
mainfrom
test/web-bind-fail-closed
Jun 24, 2026
Merged

test(web): guard fail-closed bind defaults (loopback + no-token refusal)#94
xunholy merged 1 commit into
mainfrom
test/web-bind-fail-closed

Conversation

@xunholy

@xunholy xunholy commented Jun 24, 2026

Copy link
Copy Markdown
Owner

Summary

Adds regression guards for the web server's fail-closed bind defaults, which previously had no test coverage. The server is secure-by-default — a fresh install binds to 127.0.0.1, and a non-loopback bind with no auth token is refused unless web.allow_unauthed_public is explicitly set — but nothing pinned that behavior, so a regression (flipping the default, dropping the refusal, breaking the loopback rewrite) would silently expose every /api and /ws unauthenticated on a public interface.

Guards added (internal/web/server_bind_test.go)

  • TestApplyLoopbackDefault — empty host → loopback; explicit non-loopback hosts (0.0.0.0, LAN IP) respected; unparseable input returned untouched.
  • TestIsLoopback — the classification (localhost / 127.0.0.0/8 / ::1 loopback; 0.0.0.0 + routable hosts not) shared by the bind default and the refusal.
  • TestStart_RefusesNonLoopbackWithoutToken — the safety-critical gate: Start on 0.0.0.0 with no token and default allow_unauthed_public=false returns a refusing to bind error before any socket is opened.

Verification

  • New tests pass; full internal/web suite passes
  • golangci-lint 0 issues; go vet clean

Test-only, one file — no production code changed, no release on its own; rides with the next feature release.

…-token refusal)

The web server's security posture is fail-closed by design — a fresh
install binds to 127.0.0.1, and a non-loopback bind with no auth token is
refused unless web.allow_unauthed_public is explicitly set. That posture
had no test, so a regression (flipping the default, dropping the refusal,
or breaking the loopback rewrite) would silently expose every /api and
/ws unauthenticated on a public interface.

Adds three guards in internal/web/server_bind_test.go:
- TestApplyLoopbackDefault — empty host rewrites to loopback; explicit
  non-loopback hosts (0.0.0.0, a LAN IP) are respected; unparseable input
  is returned untouched.
- TestIsLoopback — the classification (localhost / 127.0.0.0/8 / ::1 are
  loopback; 0.0.0.0 and routable hosts are not) shared by the bind
  default and the refusal.
- TestStart_RefusesNonLoopbackWithoutToken — the safety-critical gate:
  Start on 0.0.0.0 with no token and the default allow_unauthed_public=
  false returns a "refusing to bind" error before any socket is opened.

Test-only, one file; no production code changed. Verification: the new
tests pass, the full internal/web suite passes, golangci-lint 0 issues,
go vet clean. No release on its own — rides with the next feature release.
@xunholy xunholy merged commit fd388ba into main Jun 24, 2026
10 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant