Skip to content

fix: require auth in LSP middleware#9160

Merged
mscolnick merged 1 commit intomainfrom
ms/lsp-proxy
Apr 13, 2026
Merged

fix: require auth in LSP middleware#9160
mscolnick merged 1 commit intomainfrom
ms/lsp-proxy

Conversation

@mscolnick
Copy link
Copy Markdown
Contributor

No description provided.

Copilot AI review requested due to automatic review settings April 13, 2026 13:46
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 13, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
marimo-docs Ready Ready Preview, Comment Apr 13, 2026 1:47pm

Request Review

Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens access control for proxied endpoints by making the server’s ProxyMiddleware require an authenticated user by default, and adds regression tests to ensure LSP proxy routes reject unauthenticated HTTP and WebSocket traffic.

Changes:

  • Add a require_auth (default True) flag to ProxyMiddleware and reject unauthenticated HTTP/WebSocket proxy requests.
  • Update existing proxy middleware tests to supply auth where required and explicitly disable auth for static proxying.
  • Add a focused test suite validating LSP proxy auth behavior (HTTP and WebSocket).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
marimo/_server/api/middleware.py Adds auth gating to ProxyMiddleware with explicit unauthenticated rejection paths for HTTP and WebSocket.
tests/_server/api/test_middleware.py Updates proxy tests for the new default auth requirement and adds LSP proxy auth coverage.

@mscolnick mscolnick requested a review from dmadisetti April 13, 2026 13:56
@mscolnick mscolnick added the bug Something isn't working label Apr 13, 2026
@mscolnick mscolnick merged commit 936ed92 into main Apr 13, 2026
48 of 49 checks passed
@mscolnick mscolnick deleted the ms/lsp-proxy branch April 13, 2026 19:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants