apunkt/rowboat
1
0
Fork 0
mirror of https://github.com/rowboatlabs/rowboat.git synced 2026-05-02 20:03:21 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix Bus.unsubscribe splice(-1) bug and add auth validation to copilot-stream endpoint

Browse source 
Fixes two security issues:

1. CLI Bus.unsubscribe (issue #492): Fix splice(-1,1) bug when indexOf returns -1.
   - When unsubscribe is called twice, splice(-1,1) removes the last element instead of doing nothing.
   - Guard with indexOf check before splicing.

2. Copilot stream auth validation (issue #493/#494): Return 401 when Bearer token is missing.
   - Extract and validate apiKey before passing to controller.
   - Prevents undefined apiKey from bypassing auth checks.
This commit is contained in:
fuleinist 2026-04-17 06:06:40 +08:00
parent 2133d7226f
commit e0ca073f82
3 changed files with 14 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

3
apps/cli/src/application/lib/bus.ts
View file

@ -29,7 +29,8 @@ export class InMemoryBus implements IBus {
}
this.subscribers.get(runId)!.push(handler);
return () => {
this.subscribers.get(runId)!.splice(this.subscribers.get(runId)!.indexOf(handler), 1);
const idx = this.subscribers.get(runId)!.indexOf(handler);
if (idx !== -1) this.subscribers.get(runId)!.splice(idx, 1);
};
}
}