fix: ensure impersonation always goes through authenticated path

julianknutsen · claude · julianknutsen · commit 9119d86bb296 · 2026-03-06T02:47:06.000+01:00
Two issues caused impersonation to silently fall back to the anonymous
public client (empty mode, no actions):

1. Auth middleware: when X-Wasteland header was missing (race condition,
   impersonation without explicit upstream), multi-wasteland users hit
   passOrBlock which let GET requests through without auth context. Now
   GET requests always default to the first upstream.

2. Cache-Control: hosted mode used "public" which let browsers cache
   responses across auth states. Changed to "private" so per-user
   responses are never served from a shared cache.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/internal/api/handlers.go b/internal/api/handlers.go
@@ -71,7 +71,7 @@ func (s *Server) handleBrowse(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
-	w.Header().Set("Cache-Control", "public, max-age=15, stale-while-revalidate=30")
+	w.Header().Set("Cache-Control", s.cacheControl())
 	w.WriteHeader(http.StatusOK)
 	if _, err := w.Write(data); err != nil {
 		slog.Warn("failed to write browse response", "error", err)
@@ -113,13 +113,22 @@ func (s *Server) handleDetail(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
-	w.Header().Set("Cache-Control", "public, max-age=15, stale-while-revalidate=30")
+	w.Header().Set("Cache-Control", s.cacheControl())
 	w.WriteHeader(http.StatusOK)
 	if _, err := w.Write(data); err != nil {
 		slog.Warn("failed to write detail response", "error", err)
 	}
 }
 
+// cacheControl returns the appropriate Cache-Control header value.
+// Hosted mode uses private caching since responses vary per user.
+func (s *Server) cacheControl() string {
+	if s.hosted {
+		return "private, max-age=15, stale-while-revalidate=30"
+	}
+	return "public, max-age=15, stale-while-revalidate=30"
+}
+
 func (s *Server) handleDashboard(w http.ResponseWriter, r *http.Request) {
 	client, ok := s.resolveClient(w, r)
 	if !ok {
diff --git a/internal/hosted/auth.go b/internal/hosted/auth.go
@@ -113,8 +113,10 @@ func (s *Server) AuthMiddleware(next http.Handler) http.Handler {
 		upstream := r.Header.Get("X-Wasteland")
 		upstreams := workspace.Upstreams()
 
-		if upstream == "" && len(upstreams) == 1 {
-			// Single-wasteland fallback for backward compat.
+		if upstream == "" && len(upstreams) > 0 && r.Method == http.MethodGet {
+			// Default to first upstream for reads when header is missing
+			// (race with frontend context init, impersonation, or
+			// single-wasteland backward compat).
 			upstream = upstreams[0].Upstream
 		}
 
