sec: apply verify_token guard to search routers and refactor dispatch…#108
Open
goyalpreeti009 wants to merge 2 commits into
Conversation
Contributor
Hi @goyalpreeti009, thanks for your contribution! ⭐ This repository requires contributors to star the repository before a Please star the repo: https://github.com/PandyaJeet/SuperBrowser Once you've starred it, push any commit (or reopen the PR) to re-run this
itsdakshjain
left a comment
Contributor
Excellent security hardening with the new IPC routing, but please clean up the duplicate function signatures and the process.env fallback left in frontend/src/App.jsx before merging.
Closes #82. Implements strict endpoint authorization on all search routes to prevent unauthorized cross-origin resource exploitation. This patch completely locks down direct HTTP endpoints over local loopback and securely routes internal app searches through Electron's Inter-Process Communication (IPC) layer.
🛠️ Changes Implemented
FastAPI Backend Protection: Modified backend/main.py to import and apply the verify_token dependency guard directly onto the seo.router, ai.router, and community.router mounting blocks.
Secure Electron IPC Listeners: Added search:seo, search:ai, and search:community handlers within main.cjs that utilize the local main process's fetchContext helper to automatically append the valid x-session-token header.
Context Bridge Exposure: Updated preload.cjs to safely expose the new search handlers to the renderer space via a search utility block.
Frontend Dispatch Refactoring: Restructured the performSearch loop inside frontend/src/App.jsx to direct all default app queries safely through window.superBrowserDesktop.search instead of issuing naked, unauthenticated HTTP network calls.
🧪 Verification Results
Direct external requests from standard web browsers (e.g., fetch('http://127.0.0.1:8000/api/search/ai?q=test')) now instantly fail with a 401 Unauthorized status code.
All internal functionalities for SuperSEO, SuperAI, and Community review load perfectly with zero regressions because the app securely signs the requests through the IPC tunnel.
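The design the PR describes, as an added example that is not SuperBrowser's own code: the Electron main process alone holds a per-launch session token and attaches it as `x-session-token` over IPC, while the loopback API refuses every search route without it. The FastAPI dependency is modelled as a plain function so it runs without FastAPI; `SESSION_TOKEN`, `handle_request` and `ipc_search` are assumed names.

```python
# Added example, not the project's code: a framework-independent model of the
# PR's token guard. The main process generates the token once per launch and is
# the only party that can attach it; any request reaching the loopback API
# without a matching x-session-token header gets 401, whichever search router
# it targets. SESSION_TOKEN, handle_request and ipc_search are assumed names.
import hmac
import secrets
from typing import Dict, Tuple

# Generated once per app launch in the main process; never handed to web content.
SESSION_TOKEN = secrets.token_urlsafe(32)

# Every router mounted under these prefixes is covered by the guard, so a newly
# added endpoint cannot be forgotten the way a per-endpoint check could be.
GUARDED_PREFIXES = ("/api/search/seo", "/api/search/ai", "/api/search/community")


def verify_token(headers: Dict[str, str]) -> bool:
    """Router-level guard: header present and equal to the session token.
    HTTP header names are case-insensitive; the comparison is constant-time."""
    presented = {k.lower(): v for k, v in headers.items()}.get("x-session-token")
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), SESSION_TOKEN.encode())


def handle_request(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Stand-in for the FastAPI app: the guard runs before any search handler."""
    if path.startswith(GUARDED_PREFIXES):
        if not verify_token(headers):
            return 401, "Unauthorized"
        return 200, f"results for {path}"
    return 404, "Not Found"


def ipc_search(kind: str, q: str) -> Tuple[int, str]:
    """Stand-in for the main.cjs search:* handlers: the renderer never sees the
    token; the main process appends it before calling the loopback API."""
    headers = {"x-session-token": SESSION_TOKEN}
    return handle_request(f"/api/search/{kind}?q={q}", headers)


if __name__ == "__main__":
    # A browser-originated fetch with no token versus the IPC-signed path.
    print(handle_request("/api/search/ai?q=test", {}))   # (401, 'Unauthorized')
    print(ipc_search("ai", "test"))                      # (200, ...)
```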