test(web): guard fail-closed bind defaults (loopback + no-token refusal)#94
Merged
Conversation
…-token refusal) The web server's security posture is fail-closed by design — a fresh install binds to 127.0.0.1, and a non-loopback bind with no auth token is refused unless web.allow_unauthed_public is explicitly set. That posture had no test, so a regression (flipping the default, dropping the refusal, or breaking the loopback rewrite) would silently expose every /api and /ws unauthenticated on a public interface. Adds three guards in internal/web/server_bind_test.go: - TestApplyLoopbackDefault — empty host rewrites to loopback; explicit non-loopback hosts (0.0.0.0, a LAN IP) are respected; unparseable input is returned untouched. - TestIsLoopback — the classification (localhost / 127.0.0.0/8 / ::1 are loopback; 0.0.0.0 and routable hosts are not) shared by the bind default and the refusal. - TestStart_RefusesNonLoopbackWithoutToken — the safety-critical gate: Start on 0.0.0.0 with no token and the default allow_unauthed_public= false returns a "refusing to bind" error before any socket is opened. Test-only, one file; no production code changed. Verification: the new tests pass, the full internal/web suite passes, golangci-lint 0 issues, go vet clean. No release on its own — rides with the next feature release.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds regression guards for the web server's fail-closed bind defaults, which previously had no test coverage. The server is secure-by-default — a fresh install binds to
127.0.0.1, and a non-loopback bind with no auth token is refused unlessweb.allow_unauthed_publicis explicitly set — but nothing pinned that behavior, so a regression (flipping the default, dropping the refusal, breaking the loopback rewrite) would silently expose every/apiand/wsunauthenticated on a public interface.Guards added (
internal/web/server_bind_test.go)TestApplyLoopbackDefault— empty host → loopback; explicit non-loopback hosts (0.0.0.0, LAN IP) respected; unparseable input returned untouched.TestIsLoopback— the classification (localhost/127.0.0.0/8/::1loopback;0.0.0.0+ routable hosts not) shared by the bind default and the refusal.TestStart_RefusesNonLoopbackWithoutToken— the safety-critical gate:Starton0.0.0.0with no token and defaultallow_unauthed_public=falsereturns arefusing to binderror before any socket is opened.Verification
internal/websuite passesgolangci-lint0 issues;go vetcleanTest-only, one file — no production code changed, no release on its own; rides with the next feature release.