[CherryPick 2.0] Restrict POST /configuration endpoint to loopback #3671
Open
souvikghosh04 wants to merge 1 commit into
## Summary

Restrict the late-configured `POST /configuration` endpoint so it is only callable from the loopback interface, with an optional bootstrap-token check on top.

## Why

`POST /configuration` is used in hosted mode (e.g. Azure Static Web Apps) to deliver the runtime config — including the database connection string — to an uninitialized DAB instance. It currently runs before the authentication middleware and has no other access control, which is more permissive than required for what is effectively a host-to-runtime bootstrap channel.

## Change

In `src/Service/Startup.cs`, the existing middleware that gates `POST /configuration` now also checks `IsConfigurationRequestAuthorized(HttpContext)` and returns `403 Forbidden` if it fails. The check enforces:

1. The request must originate from a loopback address. Null `RemoteIpAddress` (in-process callers such as `TestServer`) is treated as loopback.
2. If the `DAB_CONFIG_AUTH_TOKEN` environment variable is set, the request must include a matching `X-DAB-CONFIG-AUTH` header (fixed-time comparison).

The rest of the middleware ordering is unchanged.

## Backward compatibility

- Azure Static Web Apps platform config injector (posts over loopback inside the container) keeps working unchanged.
- Existing in-process `TestServer` tests keep working unchanged.
- The bootstrap token is opt-in — when the env var is unset, behavior on loopback matches today's behavior.

## Tests

- [x] Unit Tests

(cherry picked from commit 7a0d7e3)
Pull request overview
This cherry-pick tightens security around the late-configured bootstrap channel by restricting POST /configuration (and /configuration/v2) to loopback callers, with an optional bootstrap token check (DAB_CONFIG_AUTH_TOKEN via X-DAB-CONFIG-AUTH) using fixed-time comparison.
Changes:
- Added `Startup.IsConfigurationRequestAuthorized(HttpContext)` to enforce loopback-only access and (optionally) a bootstrap token.
- Wired the authorization check into the existing pre-auth middleware gate for `POST /configuration*`, returning `403 Forbidden` when unauthorized.
- Added a new test suite covering the authorization matrix and end-to-end middleware behavior via `TestServer`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/Service/Startup.cs | Adds loopback + optional token authorization for late-config POST /configuration* requests and enforces it in the gating middleware. |
| src/Service.Tests/Configuration/ConfigurationEndpointAuthorizationTests.cs | Adds unit/e2e tests validating the new authorization behavior across IP/token combinations. |
RubenCerna2079 approved these changes on Jun 18, 2026.
Cherry-pick of #3669 (commit 7a0d7e3) onto `release/2.0`.

## Summary

Restricts the late-configured `POST /configuration` endpoint to loopback callers, with an optional bootstrap token via `DAB_CONFIG_AUTH_TOKEN` / `X-DAB-CONFIG-AUTH` (fixed-time comparison). Addresses CWE-306 on the hosted-mode bootstrap channel.

## Change

- `src/Service/Startup.cs`: added `IsConfigurationRequestAuthorized(HttpContext)` and wired it into the existing `POST /configuration` gating middleware (returns 403 when unauthorized). Null `RemoteIpAddress` (in-process callers like `TestServer`) treated as loopback. IPv4-mapped IPv6 normalized via `MapToIPv4()` before `IPAddress.IsLoopback`.
- `src/Service.Tests/Configuration/ConfigurationEndpointAuthorizationTests.cs`: 26 tests (18 unit matrix + 8 end-to-end `TestServer` rows).

## Backward compatibility

- `TestServer` callers keep working unchanged.
- `DAB_CONFIG_AUTH_TOKEN` is unset.

## Validation

- `src/Service/Startup.cs` auto-merged).
- `dotnet build` clean (0 warnings, 0 errors).
- `ConfigurationEndpointAuthorizationTests` pass locally on the cherry-pick branch.
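The gate described in the PR description and in the cherry-pick summary above (loopback-only, null remote address treated as in-process, IPv4-mapped IPv6 normalized before `IPAddress.IsLoopback`, optional fixed-time token check, 403 on failure, placed before authentication middleware), as an added C# illustration. This is not DAB's own `Startup.cs`, whose code is not on this page; the class name `BootstrapConfigGate`, the pure `IsAuthorized(IPAddress?, string?, string?)` overload and the minimal-API wiring are assumptions made here. The environment variable, header name and `MapToIPv4()` step are taken from the PR text. It builds as a `Microsoft.NET.Sdk.Web` project.

```csharp
// Added illustration of a loopback-only bootstrap gate with an optional token.
// Not DAB's code: class/method names and the minimal-API wiring are assumptions.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class BootstrapConfigGate
{
    // Both names come from the PR description.
    public const string TokenEnvVar = "DAB_CONFIG_AUTH_TOKEN";
    public const string TokenHeader = "X-DAB-CONFIG-AUTH";

    // Pure decision function: testable as a matrix without building an HttpContext.
    public static bool IsAuthorized(IPAddress? remoteIp, string? presentedToken, string? expectedToken)
    {
        // 1. Loopback requirement. A null remote address means an in-process caller
        //    (e.g. TestServer); the PR treats that as loopback.
        if (remoteIp is not null)
        {
            // Dual-stack sockets report 127.0.0.1 as ::ffff:127.0.0.1, which IsLoopback
            // does not recognise as an IPv6 loopback, so normalise to IPv4 first.
            if (remoteIp.IsIPv4MappedToIPv6)
            {
                remoteIp = remoteIp.MapToIPv4();
            }
            if (!IPAddress.IsLoopback(remoteIp))
            {
                return false;
            }
        }

        // 2. Optional bootstrap token. Opt-in: with no expected token configured,
        //    behaviour on loopback is exactly the pre-change behaviour.
        if (string.IsNullOrEmpty(expectedToken))
        {
            return true;
        }
        if (presentedToken is null)
        {
            return false;
        }

        // Constant-time comparison of the header value against the configured secret.
        byte[] presented = Encoding.UTF8.GetBytes(presentedToken);
        byte[] expected = Encoding.UTF8.GetBytes(expectedToken);
        return CryptographicOperations.FixedTimeEquals(presented, expected);
    }

    // HttpContext adapter: pulls the raw connection address, the header and the env var.
    public static bool IsAuthorized(HttpContext ctx) =>
        IsAuthorized(
            ctx.Connection.RemoteIpAddress,
            ctx.Request.Headers.TryGetValue(TokenHeader, out var header) ? header.ToString() : null,
            Environment.GetEnvironmentVariable(TokenEnvVar));
}

public static class Program
{
    public static void Main(string[] args)
    {
        var app = WebApplication.CreateBuilder(args).Build();

        // The gate sits ahead of any authentication middleware, as in the PR, and
        // covers /configuration and sub-paths such as /configuration/v2.
        app.Use(async (ctx, next) =>
        {
            bool isConfigPost = HttpMethods.IsPost(ctx.Request.Method)
                && ctx.Request.Path.StartsWithSegments("/configuration");

            if (isConfigPost && !BootstrapConfigGate.IsAuthorized(ctx))
            {
                ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
                return; // short-circuit: the body and connection string never reach the handler
            }

            await next(ctx);
        });

        // Placeholder handler standing in for the real late-configuration endpoint.
        app.MapPost("/configuration", () => Results.Ok("configured"));
        app.Run();
    }
}
```

Two things a reviewer would check against a real implementation. First, the pure overload is what the "18 unit matrix" rows in the PR's test file can drive: feed it `IPAddress.Loopback`, `IPAddress.Parse("::ffff:127.0.0.1")`, a non-loopback address and `null`, crossed with token set/unset/wrong, and assert the boolean. Second, the gate relies on `RemoteIpAddress` being the raw connection address; if a forwarded-headers middleware that rewrites `RemoteIpAddress` from `X-Forwarded-For` ran ahead of it, the loopback test would be evaluated against a client-supplied value, so ordering the gate before such middleware (as the PR keeps it before authentication) is part of the control.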