7179f8a5b2
Security (must-fix):
- /git smart-HTTP gate: an authenticated NON-member of a git-sync space now gets
404 (not 403), so the 403<->404 difference can no longer be used to brute-force
which spaces exist / have git-sync enabled. 403 is reserved for a MEMBER who
lacks the required role (existence already known). New gate input
userIsSpaceMember; decision-table + service specs extended.
Config (must-fix):
- Remove the dead GIT_SYNC_SSH_KEY_PATH knob (getter + validation field + two
.env.example lines) — it had zero consumers and advertised a nonexistent push
capability.
Stability/docs (warnings):
- Wire the lost-lock AbortSignal into runReceivePack -> git http-backend so the
receive-pack child is killed if the per-space lock lapses mid-write.
- Raise the divergent-`docmost` (invariant §5) push refusal from info -> warn and
surface divergentDocmost in the run status (/status).
- Comment the stale read-after-debounced-collab-write updatedAt in
importPageMarkdown (deferred §10 loop-guard must not trust it).
- Fix the Dockerfile comment: the loader uses require.resolve + dynamic import(),
it deliberately does NOT require('@docmost/git-sync').
- Merge the two near-identical space toggle handlers into one parameterized
handler; add the 2 missing en-US i18n keys for the auto-merge switch (ru-RU not
maintained for these git-sync strings, mirrored).
Tests:
- isGitSyncHttpEnabled() default-branch (unset -> isGitSyncEnabled fallback).
- agentSourceFields 'git-sync' case (source stamped, chat key omitted).
- editor-ext name-level schema contract (vendored mirror superset of editor-ext
node/mark types) + the new shared resolver + non-member 404 gate cases.
Architecture:
- Extract resolveRequestWorkspace shared by DomainMiddleware + GitHttpService
(the two real self-hosted/cloud copies; McpService has no cloud branch).
- Document the in-process setInterval multi-replica limitation + BullMQ/fencing
future direction (deferred, not implemented).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
36 lines
1.7 KiB
TypeScript
36 lines
1.7 KiB
TypeScript
import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
|
|
import { Workspace } from '@docmost/db/types/entity.types';
|
|
import { EnvironmentService } from '../../integrations/environment/environment.service';
|
|
|
|
/**
|
|
* The ONE canonical way to resolve the workspace for an incoming request:
|
|
* - self-hosted (single workspace) -> the first/default workspace;
|
|
* - cloud (multi-tenant) -> resolved by the host-header subdomain.
|
|
* Returns null when none resolves (no workspace configured, or a blank/unknown
|
|
* subdomain on cloud). `isSelfHosted()` is `!isCloud()`, so exactly one branch is
|
|
* always taken.
|
|
*
|
|
* Extracted so the self-hosted/cloud branch is not hand-duplicated. Shared by
|
|
* `DomainMiddleware` (the normal /api request path) and `GitHttpService` (the raw
|
|
* root-mounted /git smart-HTTP host, which Nest middleware does NOT run for) so
|
|
* the two cannot drift.
|
|
*
|
|
* This helper does NOT catch DB errors — callers decide: DomainMiddleware lets a
|
|
* throw bubble (as before); GitHttpService wraps it to log + treat as
|
|
* unresolvable (-> 404). A blank/missing host on cloud resolves to null rather
|
|
* than throwing.
|
|
*/
|
|
export async function resolveRequestWorkspace(
|
|
environmentService: EnvironmentService,
|
|
workspaceRepo: WorkspaceRepo,
|
|
hostHeader: string | undefined,
|
|
): Promise<Workspace | null> {
|
|
if (environmentService.isSelfHosted()) {
|
|
return (await workspaceRepo.findFirst()) ?? null;
|
|
}
|
|
// Cloud (isSelfHosted === !isCloud, so this is the only remaining branch).
|
|
const subdomain = hostHeader ? hostHeader.split('.')[0] : '';
|
|
if (!subdomain) return null;
|
|
return (await workspaceRepo.findByHostname(subdomain)) ?? null;
|
|
}
|