feat: Enforce remote access restrictions on agent endpoint

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.

Issue

Enforce remote access restrictions on agent endpoint.

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, in-code descriptions)

Summary by CodeRabbit

• Security
  • HTTPS protocol is now enforced for remote access to the Agent API endpoint. Localhost and development environments are exempt from this requirement.
  • User configuration is mandatory for remote access requests. Requests without proper user setup are rejected.
  • Enhanced security validation distinguishes between local and remote connections, applying corresponding access restrictions.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 86147a4d-67d9-4ac7-b6b8-add25deeea77

📥 Commits

Reviewing files that changed from the base of the PR and between f0ea977 and 5b5505b.

📒 Files selected for processing (2)

• Parse-Dashboard/app.js
• src/lib/tests/AgentAuth.test.js

---

📝 Walkthrough

Walkthrough

Introduces remote access security controls to the Agent API endpoint by adding an isLocalRequest() helper and enforceRemoteAccessRestrictions() middleware that enforces HTTPS and user configuration requirements for non-localhost requests. Replaces inline local-request checks throughout the authentication flow and applies the new middleware to the Agent API route.

Changes

Cohort / File(s)	Summary
Remote Access Security Controls Parse-Dashboard/app.js	Adds isLocalRequest(req) helper function and enforceRemoteAccessRestrictions(req, res, next) middleware to enforce HTTPS and user configuration for remote access. Updates existing conditions to use the new helper and applies middleware to Agent API endpoint (POST /apps/:appId/agent) before auth/CSRF handlers.
Agent API Tests src/lib/tests/AgentAuth.test.js	Adds comprehensive test suites for Agent endpoint behavior in no-user mode: local access verification, remote access blocking (403 for non-HTTPS), and remote access with allowInsecureHTTP flag validation (401 with specific error message).

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Middleware as Request Middleware
    participant LocalCheck as isLocalRequest()
    participant RemoteGuard as enforceRemoteAccessRestrictions()
    participant Agent as Agent Handler

    rect rgba(100, 150, 200, 0.5)
    Note over Client,Agent: Local Request Flow
    Client->>Middleware: GET /apps/:appId/agent (localhost)
    Middleware->>LocalCheck: Check if local request
    LocalCheck-->>RemoteGuard: isLocalRequest = true
    RemoteGuard-->>Agent: Allow (localhost bypass)
    Agent-->>Client: 200 OK
    end

    rect rgba(200, 100, 100, 0.5)
    Note over Client,Agent: Remote Request Flow (No User Config)
    Client->>Middleware: GET /apps/:appId/agent (remote IP, HTTP)
    Middleware->>LocalCheck: Check if local request
    LocalCheck-->>RemoteGuard: isLocalRequest = false
    RemoteGuard->>RemoteGuard: Check user configuration
    RemoteGuard-->>Client: 401 Unauthorized (missing users)
    end

    rect rgba(200, 150, 100, 0.5)
    Note over Client,Agent: Remote Request Flow (No HTTPS)
    Client->>Middleware: GET /apps/:appId/agent (remote IP, HTTP)
    Middleware->>LocalCheck: Check if local request
    LocalCheck-->>RemoteGuard: isLocalRequest = false
    RemoteGuard->>RemoteGuard: Check if HTTPS required
    RemoteGuard-->>Client: 403 Forbidden (HTTPS required)
    end

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly Related PRs

• fix: Incomplete authentication on AI Agent endpoint (GHSA-qwc3-h9mg-4582) #3224: Modifies the same /apps/:appId/agent route's middleware and auth/CSRF handling chain, introducing related changes to request processing order.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[parseplatformorg]

🎉 This change has been released in version 9.1.0-alpha.8