Skip to content

feat: Enforce remote access restrictions on agent endpoint#3255

Merged
mtrezza merged 2 commits intoparse-community:alphafrom
mtrezza:feat/agent-access-guard
Mar 6, 2026
Merged

feat: Enforce remote access restrictions on agent endpoint#3255
mtrezza merged 2 commits intoparse-community:alphafrom
mtrezza:feat/agent-access-guard

Conversation

@mtrezza
Copy link
Member

@mtrezza mtrezza commented Mar 6, 2026
edited by coderabbitai bot
Loading

Pull Request

Issue

Enforce remote access restrictions on agent endpoint.

Tasks

  • Add tests
  • Add changes to documentation (guides, repository pages, in-code descriptions)

Summary by CodeRabbit

  • Security
    • HTTPS protocol is now enforced for remote access to the Agent API endpoint. Localhost and development environments are exempt from this requirement.
    • User configuration is mandatory for remote access requests. Requests without proper user setup are rejected.
    • Enhanced security validation distinguishes between local and remote connections, applying corresponding access restrictions.

@parse-github-assistant
Copy link

parse-github-assistant bot commented Mar 6, 2026
edited
Loading

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@parseplatformorg
Copy link
Contributor

parseplatformorg commented Mar 6, 2026
edited
Loading

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@coderabbitai
Copy link

coderabbitai bot commented Mar 6, 2026
edited
Loading

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 86147a4d-67d9-4ac7-b6b8-add25deeea77

📥 Commits

Reviewing files that changed from the base of the PR and between f0ea977 and 5b5505b.

📒 Files selected for processing (2)
  • Parse-Dashboard/app.js
  • src/lib/tests/AgentAuth.test.js
📝 Walkthrough

Walkthrough

Introduces remote access security controls to the Agent API endpoint by adding an isLocalRequest() helper and enforceRemoteAccessRestrictions() middleware that enforces HTTPS and user configuration requirements for non-localhost requests. Replaces inline local-request checks throughout the authentication flow and applies the new middleware to the Agent API route.

Changes

Cohort / File(s) Summary
Remote Access Security Controls
Parse-Dashboard/app.js		 Adds isLocalRequest(req) helper function and enforceRemoteAccessRestrictions(req, res, next) middleware to enforce HTTPS and user configuration for remote access. Updates existing conditions to use the new helper and applies middleware to Agent API endpoint (POST /apps/:appId/agent) before auth/CSRF handlers.
Agent API Tests
src/lib/tests/AgentAuth.test.js		 Adds comprehensive test suites for Agent endpoint behavior in no-user mode: local access verification, remote access blocking (403 for non-HTTPS), and remote access with allowInsecureHTTP flag validation (401 with specific error message).

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Middleware as Request Middleware
    participant LocalCheck as isLocalRequest()
    participant RemoteGuard as enforceRemoteAccessRestrictions()
    participant Agent as Agent Handler

    rect rgba(100, 150, 200, 0.5)
    Note over Client,Agent: Local Request Flow
    Client->>Middleware: GET /apps/:appId/agent (localhost)
    Middleware->>LocalCheck: Check if local request
    LocalCheck-->>RemoteGuard: isLocalRequest = true
    RemoteGuard-->>Agent: Allow (localhost bypass)
    Agent-->>Client: 200 OK
    end

    rect rgba(200, 100, 100, 0.5)
    Note over Client,Agent: Remote Request Flow (No User Config)
    Client->>Middleware: GET /apps/:appId/agent (remote IP, HTTP)
    Middleware->>LocalCheck: Check if local request
    LocalCheck-->>RemoteGuard: isLocalRequest = false
    RemoteGuard->>RemoteGuard: Check user configuration
    RemoteGuard-->>Client: 401 Unauthorized (missing users)
    end

    rect rgba(200, 150, 100, 0.5)
    Note over Client,Agent: Remote Request Flow (No HTTPS)
    Client->>Middleware: GET /apps/:appId/agent (remote IP, HTTP)
    Middleware->>LocalCheck: Check if local request
    LocalCheck-->>RemoteGuard: isLocalRequest = false
    RemoteGuard->>RemoteGuard: Check if HTTPS required
    RemoteGuard-->>Client: 403 Forbidden (HTTPS required)
    end
Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly Related PRs

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@mtrezza mtrezza merged commit edef824 into parse-community:alpha Mar 6, 2026
10 of 11 checks passed
@mtrezza mtrezza deleted the feat/agent-access-guard branch March 6, 2026 18:15
parseplatformorg pushed a commit that referenced this pull request Mar 6, 2026
@semantic-release-bot
chore(release): 9.1.0-alpha.8 [skip ci]
63d9019 
# [9.1.0-alpha.8](9.1.0-alpha.7...9.1.0-alpha.8) (2026-03-06)

### Features

* Enforce remote access restrictions on `agent` endpoint ([#3255](#3255)) ([edef824](edef824))
@mtrezza mtrezza mentioned this pull request Mar 6, 2026
Open
@parseplatformorg
Copy link
Contributor

parseplatformorg commented Mar 6, 2026

🎉 This change has been released in version 9.1.0-alpha.8

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Mar 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

state:released-alpha Released as alpha version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mtrezza @parseplatformorg