Bind 12ui API keys to their configured origins by zemaj · Pull Request #1 · just-every/12ui-codex

zemaj · 2026-05-12T06:53:43Z

A stored 12ui API key could be sent to an attacker-controlled origin because key lookup did not validate the destination origin.
The unauthenticated /api/connection route allowed current origin to be changed and later used with the stored API key, enabling credential and asset exfiltration.
The change ensures API keys are only returned for the origin they were issued/configured for, preventing blind localhost/attacker-origin request attacks.

Require callers to provide the destination origin to getTwelveUiApiKey and normalize/compare origins using a new normalizeAuthOrigin and isTwelveUiAuthOrigin helper in src/server/twelveUiAuthStore.ts.
Only return an environment API key when the requested origin matches the configured TWELVE_UI_ORIGIN, and only return a stored file key when it matches the stored auth origin (modifies getTwelveUiApiKey behavior).
Add readBoundTwelveUiApiKey in src/server/twelveUi.ts and use it in submitTwelveUiHandover and fetchHandoverAsset so handover operations abort before reading assets or posting when the stored auth origin does not match the current destination origin.
Add regression tests src/server/twelveUiAuthStore.test.ts covering env-key binding, stored-key binding, and that a mismatched stored auth blocks the handover path.

Ran pnpm run typecheck and it completed successfully (no type errors).
Ran pnpm run test (Vitest) and all tests passed: 92 passed in the test suite.
Ran targeted pnpm exec vitest run src/server/twelveUiAuthStore.test.ts and src/server/connection.test.ts, and both passed.
Ran pnpm run build and the production build completed successfully.

Bind 12ui API keys to auth origins

f7d558c

zemaj added codex aardvark labels May 12, 2026 — with ChatGPT Codex Connector

Provide feedback