feat: attach short-lived app-session token to Core integration calls (BUG-438)#197
Open
arosenan wants to merge 2 commits into
BUG-438: public apps expose Core integration endpoints to anonymous callers by design, with nothing distinguishing a call from the served app frontend from an arbitrary request against the public endpoint. The backend now mints a short-lived, app-bound session token; the SDK fetches it lazily on the first Core integration call and replays it via the X-Base44-App-Session header. Best-effort: if minting fails the call proceeds without the header, so this is non-breaking. The backend enforces the token only once a per-app flag is enabled (observe-only until then). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
BUG-438: the session token alone only turns a one-line curl into a two-line curl (fetch token, then call the integration). Minting is now a two-step challenge-response: GET advertises whether a Turnstile challenge is required (and the public site key); the SDK renders an invisible Turnstile widget and forwards the response token via Cf-Turnstile-Response on the POST that mints the session token. Best-effort: outside a browser, or if the script/challenge fails, getToken returns null and the integration call proceeds without the header (backend is observe-only until per-app enforcement). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
## Why

Public Base44 apps (`public_without_login`) expose Core integration endpoints to anonymous callers by design — the app's own browser frontend invokes `InvokeLLM`, `SendEmail`, etc. with no logged-in user. The flaw tracked in BUG-438 is that nothing distinguishes a request coming from the served app from an arbitrary `curl` against the public endpoint, so anyone can drain the owner's integration credits, send mail from the trusted sender domain, and so on.

## What

The backend now mints a short-lived, app-bound session token (companion backend PR). This SDK change makes the client replay it:

- `src/utils/app-session.ts` — a lazily-caching session-token provider. On the first Core integration call it `GET`s `/apps/{appId}/integration-session`, caches the token until shortly before its TTL, and de-dupes concurrent refreshes.
- `src/modules/integrations.ts` — for `Core.*` calls, attaches the token via the `X-Base44-App-Session` header.

## Safety / rollout

- … `null` and the call proceeds without the header. Nothing breaks if the endpoint is unavailable.
- `Core` calls are touched; installable/custom integrations and authenticated calls are unchanged (the header is additive and ignored for authenticated requests).

## Tests

- `tests/unit/app-session.test.ts` — header attached when minted, token minted once and reused, and the best-effort path (proceeds without the header when minting fails). Full unit suite green (156 passed).
- `npm run build` + `npm run lint` pass.

🤖 Generated with Claude Code
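The provider described in this PR, as an added example that is not the SDK's own code: a lazily-caching, single-flight session-token provider with the best-effort `null` path, plus the header builder that makes the `X-Base44-App-Session` header additive. It assumes a hypothetical minting function returning `{ token, expires_in }` (seconds) and an injectable clock; the 30 s refresh margin is a constructed value.

```typescript
// Hypothetical shape of the integration-session response (assumption, not the real API).
interface SessionResponse { token: string; expires_in: number; }
type Minter = () => Promise<SessionResponse>;

// Refresh shortly before the TTL so an in-flight call never carries an expired token (constructed value).
const REFRESH_MARGIN_MS = 30_000;

class AppSessionProvider {
  private token: string | null = null;
  private expiresAt = 0;                                   // epoch ms
  private inflight: Promise<string | null> | null = null;  // shared by concurrent callers
  public mintCalls = 0;                                    // number of mint attempts, for tests

  constructor(private readonly mint: Minter, private readonly now: () => number = Date.now) {}

  private cachedIsFresh(): boolean {
    return this.token !== null && this.now() < this.expiresAt - REFRESH_MARGIN_MS;
  }

  // Resolves to the token, or null when minting fails (best-effort: the call proceeds without the header).
  async getToken(): Promise<string | null> {
    if (this.cachedIsFresh()) return this.token;
    if (this.inflight) return this.inflight;               // de-dupe concurrent refreshes
    this.mintCalls++;
    this.inflight = this.mintOnce();
    try { return await this.inflight; } finally { this.inflight = null; }
  }

  private async mintOnce(): Promise<string | null> {
    try {
      const res = await this.mint();
      this.token = res.token;
      this.expiresAt = this.now() + res.expires_in * 1000;
      return this.token;
    } catch {
      return null;                                         // never surface mint errors to the integration call
    }
  }
}

// Builds the headers for a Core integration call; the session header is only added when a token exists.
async function coreHeaders(provider: AppSessionProvider,
                           base: Record<string, string> = {}): Promise<Record<string, string>> {
  const token = await provider.getToken();
  return token ? { ...base, 'X-Base44-App-Session': token } : { ...base };
}
```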