roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
59927b6ad7bddd2e78b1173dd75a6c7e1d666946
pic/api
T
History
roof 59927b6ad7 fix: whitelist peer-sync endpoint from session auth + CSRF 
/api/cells/peer-sync/permissions is called over the WireGuard tunnel
by remote cells — they have no session cookie and cannot produce a CSRF
token. The endpoint authenticates via source IP (must be in the remote
cell's vpn_subnet) and WireGuard public key instead.

Without this, the global enforce_auth hook returns 401 before the route
handler runs, so all cross-cell permission pushes fail even when the
WG tunnel and iptables rules are correct.

Also adds a test verifying the route can be reached without a session.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-01 14:59:57 -04:00
..
config
fix: WireGuard routing, DNS, service access, and UI improvements
2026-04-20 12:43:23 -04:00
routes
feat(cells): Phase 1 — permission sync between connected PICs
2026-05-01 13:12:30 -04:00
.coverage
init
2025-09-12 23:04:52 +03:00
API_DOCUMENTATION.md
init
2025-09-12 23:04:52 +03:00
app.py
fix: whitelist peer-sync endpoint from session auth + CSRF
2026-05-01 14:59:57 -04:00
auth_manager.py
feat: add authentication and authorization system
2026-04-25 15:00:06 -04:00
auth_routes.py
fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests
2026-04-27 11:30:21 -04:00
base_service_manager.py
fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests
2026-04-27 11:30:21 -04:00
calendar_manager.py
fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests
2026-04-27 11:30:21 -04:00
cell_cli.py
init
2025-09-12 23:04:52 +03:00
cell_link_manager.py
Fix Phase 1 permission sync: route push via cell-wireguard + DNAT receive
2026-05-01 13:48:49 -04:00
cell_manager.py
init
2025-09-12 23:04:52 +03:00
config_manager.py
A5: Extract all route groups into Flask blueprints (app.py -1735 lines)
2026-05-01 06:11:21 -04:00
config.py
init
2025-09-12 23:04:52 +03:00
container_manager.py
fix: silent autosave, pending dedup, domain/cell_name pending, containers access
2026-04-24 07:16:13 -04:00
Dockerfile
fix: full-tunnel default, real host routing table, peer config tunnel mode
2026-04-20 15:20:55 -04:00
email_manager.py
fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests
2026-04-27 11:30:21 -04:00
enhanced_cli.py
fix: all 214 tests passing (from 36 failures)
2026-04-19 16:43:07 -04:00
file_manager.py
fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests
2026-04-27 11:30:21 -04:00
firewall_manager.py
Fix FORWARD rule ordering: embed API-sync ACCEPT inside apply_cell_rules
2026-05-01 14:05:49 -04:00
ip_utils.py
fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests
2026-04-27 11:30:21 -04:00
log_manager.py
fix: spurious health alerts, show rotated logs, clear history button
2026-04-21 03:05:04 -04:00
managers.py
fix(P2): peer add rollback, helper failure recovery, manager extraction (A2/A3/A5)
2026-05-01 05:27:39 -04:00
network_manager.py
fix(vpn): sync WireGuard server key on startup; fix DNS zone cell_name/SOA; fix peer status UI
2026-05-01 08:05:45 -04:00
peer_registry.py
fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests
2026-04-27 11:30:21 -04:00
port_registry.py
feat: port conflict validation, autosave on Apply, extended integration tests
2026-04-24 04:45:47 -04:00
requirements.txt
feat: add comprehensive E2E test suite (Playwright + WireGuard + API)
2026-04-25 16:41:13 -04:00
routing_manager.py
feat(cells): fix PIC-to-PIC connection + add service-sharing permissions
2026-05-01 08:35:24 -04:00
service_bus.py
fix for bus
2025-09-13 14:42:32 +03:00
test_enhanced_api.py
wip: make work Services Status
2025-09-13 14:23:31 +03:00
vault_manager.py
fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests
2026-04-27 11:30:21 -04:00
wireguard_manager.py
fix: add kernel routes for cell peers after wg set
2026-05-01 14:47:22 -04:00