v1.1.0: Block guest accounts from web UI login - mcr - wntrmute labs git

mc/mcr

v1.1.0 9d7043a594

Compare
v1.1.0: Block guest accounts from web UI login Stable

kyle released this 2026-03-27 06:02:27 +00:00 | 8 commits to master since this release
Summary
- The web UI now rejects MCIAS accounts with the guest role at login time, before setting the session cookie
- Defense-in-depth alongside the env:restricted MCIAS tag
- New ValidateFunc parameter on webserver.New() inspects token roles post-authentication
- Non-admin user role accounts can now browse all repositories via the web UI (previously only admin could)
Design note

MCIAS /v1/auth/login does not return roles in its response, so the web UI makes an extra ValidateToken call after login to inspect them. The result is cached for 30s. A future MCIAS change to include roles in the login response would eliminate this round-trip.

Changed files
- internal/webserver/server.go — ValidateFunc type, updated New() constructor
- internal/webserver/auth.go — Guest role check after successful login
- cmd/mcr-web/main.go — Wire validate func via authClient.ValidateToken()
- internal/webserver/server_test.go — TestLoginDeniesGuest and expanded test accounts
- ARCHITECTURE.md, PROGRESS.md, RUNBOOK.md — Documentation updates
Downloads
- Source Code (ZIP)
- Source Code (TAR.GZ)