v1.1.0 (9d7043a594)

    kyle released this 2026-03-27 06:02:27 +00:00 | 5 commits to master since this release

    Summary

    • The web UI now rejects MCIAS accounts with the guest role at login time, before setting the session cookie
    • Defense-in-depth alongside the env:restricted MCIAS tag
    • New ValidateFunc parameter on webserver.New() inspects token roles post-authentication
    • Accounts with the non-admin user role can now browse all repositories via the web UI (previously only admin could)

    Design note

    MCIAS /v1/auth/login does not return roles in its response, so the web UI makes an extra ValidateToken call after login to inspect them. The result is cached for 30s. A future MCIAS change to include roles in the login response would eliminate this round-trip.

    Changed files

    • internal/webserver/server.go — ValidateFunc type, updated New() constructor
    • internal/webserver/auth.go — Guest role check after successful login
    • cmd/mcr-web/main.go — Wire validate func via authClient.ValidateToken()
    • internal/webserver/server_test.go — TestLoginDeniesGuest and expanded test accounts
    • ARCHITECTURE.md, PROGRESS.md, RUNBOOK.md — Documentation updates