Skip to content

Scope the remote node token to limit the servers it can manage for backups/transfers #5476

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
DaneEveritt wants to merge 1 commit into
base: 1.0-develop
Choose a base branch
from
Open

Scope the remote node token to limit the servers it can manage for backups/transfers #5476

DaneEveritt wants to merge 1 commit into from
+34 −6

Conversation

@DaneEveritt
Copy link
Member

@DaneEveritt DaneEveritt commented Dec 27, 2025

Improves the security posture of things more by limiting the servers that a node can even communicate about with the Panel.

@DaneEveritt DaneEveritt added this to the v1.12.0 milestone Dec 27, 2025
@DaneEveritt DaneEveritt added the security This issue is related to security. This does not necessarily make it high priority. label Dec 27, 2025
@QuintenQVD0
Copy link
Contributor

QuintenQVD0 commented Dec 27, 2025

Have you checked that transfers still work?

@DaneEveritt
Copy link
Member Author

DaneEveritt commented Dec 31, 2025

@QuintenQVD0 are you able to test that for me, I don't have a good setup for that. So far as I can tell they should be fine since the logic checks that either the source/dest node making the request are associated with the transfer.

Boy132
Boy132 reviewed Jan 1, 2026
View reviewed changes
app/Http/Controllers/Api/Remote/Servers/ServerDetailsController.php

$server = $this->repository->getByUuid($uuid);
if (! $server->node->is($node)) {
throw new HttpForbiddenException('Requesting node does not have permission to access this server.');
Copy link
Contributor

@Boy132 Boy132 Jan 1, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will break transfers: the destination node will call this endpoint and then error because technically the server still belongs to the source node.

For reference: pelican-dev/panel#1680

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@Boy132 Boy132 Boy132 left review comments

Reviewers whose approvals may not affect merge requirements

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

security This issue is related to security. This does not necessarily make it high priority.

Projects

None yet

Milestone

v1.12.0

Development

Successfully merging this pull request may close these issues.

4 participants

@DaneEveritt @QuintenQVD0 @Boy132