security(TASK-8): fix M3 AIUI session check + H4 prep

M3: AIUI nginx proxy now checks session_id cookie (actual auth cookie) instead of generic session cookie. Prevents bypass with arbitrary cookie values. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 19:46:59 +00:00
parent 27f205f38a
commit c1db74ed28
1 changed files with 7 additions and 7 deletions
--- a/image-recipe/configs/nginx-archipelago.conf
+++ b/image-recipe/configs/nginx-archipelago.conf
@@ -37,7 +37,7 @@ server {

    # AIUI Claude API proxy — requires valid session cookie
    location /aiui/api/claude/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass http://127.0.0.1:3142/;
@@ -54,7 +54,7 @@ server {

    # AIUI OpenRouter API proxy — requires valid session cookie
    location /aiui/api/openrouter/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass https://openrouter.ai/api/;
@@ -69,7 +69,7 @@ server {

    # AIUI Ollama (local AI) proxy — localhost:11434
    location /aiui/api/ollama/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass http://127.0.0.1:11434/;
@@ -85,7 +85,7 @@ server {

    # AIUI web search proxy — SearXNG on port 8888
    location /aiui/api/web-search {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass http://127.0.0.1:8888/search;
@@ -735,7 +735,7 @@ server {
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }
    location /aiui/api/claude/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass http://127.0.0.1:3142/;
@@ -750,7 +750,7 @@ server {
        proxy_send_timeout 120s;
    }
    location /aiui/api/ollama/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass http://127.0.0.1:11434/;
@@ -764,7 +764,7 @@ server {
        # Connection header managed by nginx default
    }
    location /aiui/api/openrouter/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass https://openrouter.ai/api/;