Expand description
Authentication and request-guard primitives for the browser bridge.
The trust boundary, stated once: a request is trusted only if it presents the session token AND is not a cross-origin browser request; everything else is denied. A localhost bind is necessary but not sufficient — it stops off-host access but not other local users/processes, nor web pages the operator visits. See ADR-0036.
The functions here are deliberately small and operate on borrowed primitives rather than framework types so the security checks can be unit-tested in isolation from axum / tungstenite.
Enums§
- Scope
Error - Reason an outbound URL was rejected by
validate_outbound_url.
Constants§
- BRIDGE_
HEADER - Custom header every control-plane request must carry. A custom header forces a CORS preflight that the server refuses, blocking simple-request CSRF.
- BRIDGE_
HEADER_ VALUE - Required value of
BRIDGE_HEADER. - BRIDGE_
TARGET_ HEADER - Optional header selecting which connected tab a control-plane request targets.
- TOKEN_
ENV - Environment variable an operator may use to pin the session token instead of
letting the bridge generate one. Never read from argv (
ps//procexpose it).
Functions§
- bearer_
matches - Checks an
Authorizationheader value against the expected token. - constant_
time_ eq - Constant-time string comparison, to avoid leaking the token via timing.
- generate_
token - Generates a fresh random session token (256 bits, URL-safe base64).
- has_
bridge_ header - Whether the request carries the mandatory
X-Omni-Bridge: 1header. - header_
is_ safe - Rejects header names/values that could smuggle a second header or request line via CR/LF (or other control characters).
- host_
allowed - Whether
hostis an allowed loopback authority forcontrol_port. - is_
browser_ originated - Whether a request looks browser-originated and must therefore be denied.
- normalize_
request_ path - Normalises a decoded request path, rejecting traversal and control
characters. Run before the
/__bridge/routing/auth split so a percent-encoded segment cannot bypass the prefix check. - resolve_
existing_ token - Resolves an existing session token for a client.
- resolve_
token - Resolves the session token, in priority order:
- validate_
outbound_ url - Enforces the default-closed outbound scope.
- ws_
origin_ allowed - Whether a WebSocket upgrade’s
Originis permitted. - ws_
subprotocol_ token - Extracts and verifies the bridge token from WebSocket subprotocols.