@agent-relay/dashboard-server 2.0.38 → 2.0.40

package/dist/server.js

@@ -3317,6 +3317,39 @@ export async function startDashboard(portOrOptions, dataDirArg, teamDirArg, dbPa
         });
     });
     // ===== CLI Auth API (for workspace-based provider authentication) =====
+    /**
+     * Middleware to validate workspace token for internal endpoints.
+     * In cloud mode, requests to /auth/cli/* must include a valid WORKSPACE_TOKEN
+     * to prevent unauthorized access to auth sessions.
+     */
+    const validateWorkspaceToken = (req, res, next) => {
+        // Skip auth validation in local mode (no WORKSPACE_TOKEN set)
+        const expectedToken = process.env.WORKSPACE_TOKEN;
+        if (!expectedToken) {
+            return next();
+        }
+        // Extract token from Authorization header
+        const authHeader = req.headers.authorization;
+        const token = authHeader?.startsWith('Bearer ')
+            ? authHeader.substring(7)
+            : null;
+        // Use timing-safe comparison to prevent timing attacks
+        if (!token) {
+            console.warn('[dashboard] Unauthorized CLI auth request - missing workspace token');
+            return res.status(401).json({ error: 'Unauthorized - invalid workspace token' });
+        }
+        const tokenBuffer = Buffer.from(token);
+        const expectedBuffer = Buffer.from(expectedToken);
+        const isValidToken = tokenBuffer.length === expectedBuffer.length &&
+            crypto.timingSafeEqual(tokenBuffer, expectedBuffer);
+        if (!isValidToken) {
+            console.warn('[dashboard] Unauthorized CLI auth request - invalid workspace token');
+            return res.status(401).json({ error: 'Unauthorized - invalid workspace token' });
+        }
+        next();
+    };
+    // Apply workspace token validation to all CLI auth endpoints
+    app.use('/auth/cli', validateWorkspaceToken);
     /**
      * POST /auth/cli/:provider/start - Start CLI auth flow
      * Body: { useDeviceFlow?: boolean, userId?: string }
@@ -3575,9 +3608,13 @@ export async function startDashboard(portOrOptions, dataDirArg, teamDirArg, dbPa
                     lastSeen: a.lastSeen ?? new Date().toISOString(),
                 }));
             }
-            // Get messages for throughput calculation
-            const team = getTeamData();
-            const messages = team ? await getMessages(team.agents) : [];
+            // Get messages for throughput calculation - use storage directly for metrics
+            // (avoids daemon query timeouts that occur when daemon is busy)
+            let messages = [];
+            if (storage) {
+                const rows = await storage.getMessages({ limit: 100, order: 'desc' });
+                messages = rows.map(r => ({ timestamp: new Date(r.ts).toISOString() }));
+            }
             // Get session data for lifecycle metrics
             const sessions = storage?.getSessions
                 ? await storage.getSessions({ limit: 100 })
@@ -3608,9 +3645,13 @@ export async function startDashboard(portOrOptions, dataDirArg, teamDirArg, dbPa
                     lastSeen: a.lastSeen ?? new Date().toISOString(),
                 }));
             }
-            // Get messages for throughput calculation
-            const team = getTeamData();
-            const messages = team ? await getMessages(team.agents) : [];
+            // Get messages for throughput calculation - use storage directly for metrics
+            // (avoids daemon query timeouts that occur when daemon is busy)
+            let messages = [];
+            if (storage) {
+                const rows = await storage.getMessages({ limit: 100, order: 'desc' });
+                messages = rows.map(r => ({ timestamp: new Date(r.ts).toISOString() }));
+            }
             // Get session data for lifecycle metrics
             const sessions = storage?.getSessions
                 ? await storage.getSessions({ limit: 100 })