Develop#35

Merged
gorecodes merged 4 commits into main from develop
May 23, 2026
Conversation

@gorecodes

Owner

No description provided.

gorecodes and others added 4 commits May 23, 2026 14:30
…EXT=1

ARBOR_ALLOW_PLAINTEXT=1 now bypasses the loopback-only check in addition
to the cert-not-found check. This lets users bind to a VPN interface
(e.g. WireGuard 10.x.x.x) with plain HTTP when the tunnel itself
provides confidentiality, without needing a self-signed certificate.

A WARNING is printed at startup; the error message for the default
(unset) case now mentions ARBOR_ALLOW_PLAINTEXT=1 as the escape hatch.
Documented in arbor.env.example under the VPN / private network section.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Previously session and CSRF cookies always had Secure=True, causing
browsers to reject them on plain-HTTP connections (e.g. VPN access
without TLS termination). Now secure= follows request.url.scheme so
cookies work on HTTP while remaining Secure on HTTPS.

When behind a TLS-terminating proxy the scheme is rewritten to https
via X-Forwarded-Proto (trusted proxy), so Secure is preserved there.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add Pattern C (ARBOR_ALLOW_PLAINTEXT=1 on WireGuard/VPN interface) to
  LAN access section, including Apache HTTP proxy example and the
  ProxyPassReverseCookiePath gotcha that causes duplicate cookies / CSRF
  failures
- Update ARBOR_ALLOW_PLAINTEXT config table entry: now bypasses the
  loopback-only check, not just the cert-not-found check
- Update cookie security note: Secure flag follows request.url.scheme,
  not hardcoded True
- Update TLS bind enforcement note to mention the ALLOW_PLAINTEXT escape hatch

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…n login

FakeRequest lacked a .url attribute, causing AttributeError on the
_secure = request.url.scheme == "https" line added for dynamic cookie
Secure flag. Added url=SimpleNamespace(scheme="http") to FakeRequest and
used getattr fallback in main.py for any other bare-request call sites.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@gorecodes gorecodes merged commit 85c9261 into main May 23, 2026
6 checks passed
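
An added example, not code from this repository, of the behaviour the cookie commit messages above describe: the Secure attribute follows the request scheme, and X-Forwarded-Proto is honoured only when the peer is a trusted proxy. The names `TRUSTED_PROXIES`, `peer_is_trusted`, `effective_scheme`, `session_cookie_header` and `make_request`, the loopback proxy address, and the `http` fallback are assumptions of this example.

```python
import ipaddress
from types import SimpleNamespace

# Assumption for this example: the TLS-terminating proxy connects from loopback.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")]


def peer_is_trusted(request) -> bool:
    """True only when the TCP peer is one of the configured proxies."""
    host = getattr(getattr(request, "client", None), "host", None)
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # non-IP peer: never trust its headers
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_scheme(request) -> str:
    """Scheme the browser used, as far as the server can establish it."""
    # getattr fallback for bare request objects; defaulting to "http" is this
    # example's choice, the page does not state the project's default.
    scheme = getattr(getattr(request, "url", None), "scheme", "http")
    headers = getattr(request, "headers", None) or {}
    # The constructed requests below use a plain dict with lowercase names.
    forwarded = headers.get("x-forwarded-proto", "")
    if forwarded and peer_is_trusted(request):
        first = forwarded.split(",")[0].strip().lower()
        if first in ("http", "https"):
            scheme = first
    return scheme


def session_cookie_header(request, name: str, value: str) -> str:
    """Build a Set-Cookie value whose Secure attribute follows the scheme."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if effective_scheme(request) == "https":
        attrs.append("Secure")
    return "; ".join(attrs)


def make_request(scheme, peer, headers=None):
    """Constructed stand-in for a framework request object."""
    return SimpleNamespace(url=SimpleNamespace(scheme=scheme),
                           client=SimpleNamespace(host=peer),
                           headers=headers or {})
```

A header from a peer outside `TRUSTED_PROXIES` is ignored, so the cookie attributes depend only on the connection the server actually sees or on what its own proxy reports.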