fix: harden configs and restrict GraphQL user queries#13

Merged: cfchase merged 2 commits into main from fix/security-review-findings on Feb 26, 2026

@cfchase cfchase commented Feb 25, 2026

Summary

  • Restrict --forwarded-allow-ips to 127.0.0.1 in Dockerfile
  • Require admin role for GraphQL users and user(id) queries
  • Remove credential echo from deploy.sh stdout
  • Bind MinIO S3 API port to localhost only in dev-langfuse.sh
  • Return generic error message in health check endpoint
  • Support sse MCP server type in import_flows.py
  • Add SSE heartbeat keepalive to prevent chunked connection drops through proxy layers
  • Set nginx, OAuth proxy, and OpenShift Route timeouts to 300s for long-running SSE streams
  • Fix LangFlow XDG_STATE_HOME to writable path (/tmp/langflow)

Test plan

  • Backend tests pass (223/223)
  • UAT: non-admin user blocked from { users } GraphQL query
  • UAT: admin user can still query { users }
  • UAT: { me } query unaffected for all users
  • UAT: make import succeeds with SSE-type MCP server
  • Verified Dockerfile, deploy.sh, dev-langfuse.sh changes by inspection
  • UAT: enterprise agent query streams successfully through all proxy layers (no network error)
  • UAT: SSE heartbeats keep connection alive during LangFlow processing (~5-10 min)

🤖 Generated with Claude Code

- Restrict forwarded-allow-ips to 127.0.0.1 (was wildcard)
- Require admin for GraphQL users/user queries
- Remove admin password echo from deploy script
- Bind MinIO S3 port to localhost only
- Mask database error details in health check response
- Support SSE type in MCP server import
@cfchase cfchase changed the title fix: address security review findings fix: harden configs and restrict GraphQL user queries Feb 25, 2026
- Add SSE heartbeat to chat_messages.py to prevent chunked connection
  drops through proxy layers (nginx, OAuth proxy, OpenShift Route)
- Set nginx proxy_read_timeout/proxy_send_timeout to 300s for SSE
- Add Route timeout annotation (300s) for OpenShift HAProxy
- Add OAuth proxy UPSTREAM_TIMEOUT and FLUSH_INTERVAL settings
- Fix XDG_STATE_HOME to writable path in LangFlow Helm values
@cfchase cfchase merged commit 22d04a1 into main Feb 26, 2026
4 checks passed
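
The first summary item (restricting --forwarded-allow-ips from a wildcard to 127.0.0.1) is illustrated by the added example below, which is not code from this pull request or the project. It is a simplified model of how an app server decides whether to believe X-Forwarded-For, not any server's actual implementation; the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from typing import List, Optional


def _trusted(addr: str, allow: List[str]) -> bool:
    """True if addr matches the proxy allow-list; "*" trusts every address."""
    if "*" in allow:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(a, strict=False) for a in allow)


def client_ip(peer: str, xff: Optional[str], allow: List[str]) -> str:
    """Address the application should log and authorize as the client.

    peer  -- address of the TCP peer that connected to the app server
    xff   -- raw X-Forwarded-For value, or None when the header is absent
    allow -- the allow-list, modelled on the --forwarded-allow-ips setting
    """
    # Only a connection that comes from an allowed proxy may supply the header.
    if not xff or not _trusted(peer, allow):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left: entries appended by our own proxies are skipped,
    # and the first entry not on the allow-list is taken as the client.
    for hop in reversed(hops):
        if not _trusted(hop, allow):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer  # malformed entry: fall back to the socket peer
    # Every entry was "trusted" (always the case with "*"): the leftmost,
    # sender-controlled value wins.
    return hops[0] if hops else peer


# Constructed sample: a direct connection that bypasses the proxy and
# sends its own X-Forwarded-For header (documentation-range addresses).
DIRECT_PEER, CLAIMED = "10.0.0.5", "203.0.113.9"
WILDCARD = client_ip(DIRECT_PEER, CLAIMED, ["*"])            # header believed
RESTRICTED = client_ip(DIRECT_PEER, CLAIMED, ["127.0.0.1"])  # header ignored
VIA_PROXY = client_ip("127.0.0.1", "1.2.3.4, 198.51.100.7", ["127.0.0.1"])
```

With the wildcard, any peer that can reach the app port decides what address shows up in logs and IP-based checks; with 127.0.0.1, only the local proxy's header is honored and the entry it appended is the one used.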