fix: add /embed/ and /.well-known/ to self-hosting proxy whitelist#1951
Open
shashank-sn wants to merge 2 commits into
Open
fix: add /embed/ and /.well-known/ to self-hosting proxy whitelist#1951shashank-sn wants to merge 2 commits into
shashank-sn wants to merge 2 commits into
Conversation
| path.startsWith("/verify-otp") | ||
| path.startsWith("/verify-otp") || | ||
| path.startsWith("/embed/") || | ||
| path.startsWith("/.well-known/") |
Contributor
There was a problem hiding this comment.
When self-hosted production traffic reaches any dynamic route under /.well-known/, this prefix lets it bypass the proxy login gate. The inspected app has workflow routing configured under this namespace, so if any current or later handler there lacks its own auth or signature check, unauthenticated callers can reach processing endpoints that were previously blocked by the proxy.
Prompt To Fix With AI
This is a comment left during a code review.
Path: apps/web/proxy.ts
Line: 60
Comment:
**Broad Well-Known Whitelist**
When self-hosted production traffic reaches any dynamic route under `/.well-known/`, this prefix lets it bypass the proxy login gate. The inspected app has workflow routing configured under this namespace, so if any current or later handler there lacks its own auth or signature check, unauthenticated callers can reach processing endpoints that were previously blocked by the proxy.
How can I resolve this? If you propose a fix, please make it concise.…telist On self-hosted deployments (NEXT_PUBLIC_IS_CAP !== "true"), the proxy redirects unwhitelisted paths to /login. The /embed/<videoId> route breaks iframe embeds, and /.well-known/workflow/v1/* routes needed by the workflow/queue system return the SPA shell instead of routing to their handlers. Only whitelisting /.well-known/workflow/ (not the entire /.well-known/ namespace) — the workflow prefix is the specific sub-path that needs bypass, keeping other well-known URIs behind the auth gate. Fixes CapSoftware#1768, fixes CapSoftware#1774, fixes CapSoftware#1944, fixes CapSoftware#906 Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
73517b3 to
732a4bd
Compare
shashank-sn
commented
Jun 29, 2026
shashank-sn
left a comment
Author
There was a problem hiding this comment.
Addressed the well-known review comment — narrowed from /.well-known/ to /.well-known/workflow/ so only the workflow queue prefix bypasses the proxy gate, not the entire well-known namespace.
Align the new /embed/ and /.well-known/workflow/ entries with the surrounding tab-indented path.startsWith calls. Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
shashank-sn
commented
Jun 29, 2026
shashank-sn
left a comment
Author
There was a problem hiding this comment.
All comments addressed:
- Well-known whitelist narrowed: Changed from
/.well-known/to/.well-known/workflow/— only the workflow prefix bypasses the proxy gate now. - Indentation drift: Fixed in 795b614 — entries now tab-aligned with surrounding
path.startsWith()calls. - Trailing slash: Intentional —
/embed(without slash) and/.well-known(without slash) are non-functional paths. Only sub-routes need bypass.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
/embed/and/.well-known/paths to the self-hosting proxy whitelist inapps/web/proxy.ts.On self-hosted deployments (when
NEXT_PUBLIC_IS_CAP !== "true"), the proxy middleware redirects all unwhitelisted paths to/login. Two important routes were missing:/embed/<videoId>— breaks iframe embeds on self-hosted instances. The share page works correctly because/s/is already whitelisted;/embed/was overlooked. This was fully root-caused by the community in /embed/* routes redirect to /login on self-hosted, breaking iframe embeds #1768./.well-known/workflow/v1/*— blocks the workflow/queue dispatch used by transcription, AI summaries, and video processing. The Turbopack standalone build returns the SPA HTML shell instead of routing to the handlers. Root-caused in /.well-known/workflow/v1/* routes blocked by proxy whitelist on self-hosted #1774 and Self-hosted video processing silently broken:.well-known/workflow/v1/*route handlers return the SPA HTML shell (Turbopack standalone build) #1944.Fix
Two lines added to the existing whitelist pattern:
path.startsWith("/verify-otp") || +path.startsWith("/embed/") || +path.startsWith("/.well-known/")Verification
/.well-known/path is reserved by RFC 8615 for well-known URIs — a sensible whitelist entry for workflow routes, ATproto verification, etc.Fixes #1768, #1774, #1944, #906
Greptile Summary
This PR expands the self-hosted proxy allowlist for public routes. The main changes are:
/embed/requests can reach embed pages instead of/login./.well-known/requests can reach well-known and workflow routes.apps/web/proxy.ts.Confidence Score: 4/5
The
/.well-known/allowlist entry should be tightened before merging./embed/appears to route through existing video visibility checks./.well-known/is broader than the known workflow and static well-known paths.apps/web/proxy.ts
Security Review
The broad
/.well-known/prefix creates a security-boundary risk for any handler under that namespace that does not enforce its own auth or signature checks.Important Files Changed
/embed/and/.well-known/to the self-hosted proxy allowlist; the broad well-known prefix should be narrowed or paired with route-level protection.Prompt To Fix All With AI
Reviews (1): Last reviewed commit: "fix: add /embed/ and /.well-known/ to se..." | Re-trigger Greptile
Context used: