security: configurable CORS origins, limit sentinel response body

- Add CORS_ALLOWED_ORIGINS config (comma-separated origins, default allow-all)
- CORS middleware now validates Origin header against allowlist
- Add io.LimitReader to sentinel.go (was unbounded, now 256KB)
- Include previous: agent chat auth middleware + frontend token header
This commit is contained in:
shinchan-zhai
2026-03-23 09:53:49 +08:00
parent 2b969ee668
commit 6acf925a0b
7 changed files with 88 additions and 7 deletions

View File

@@ -15,6 +15,7 @@ import {
Search,
} from 'lucide-react'
import { useLanguage } from '../contexts/LanguageContext'
import { useAuth } from '../contexts/AuthContext'
import { MarketTicker } from '../components/agent/MarketTicker'
import { PositionsPanel } from '../components/agent/PositionsPanel'
import { TraderStatusPanel } from '../components/agent/TraderStatusPanel'
@@ -227,6 +228,7 @@ interface SuggestionCard {
export function AgentChatPage() {
const { language } = useLanguage()
const { token } = useAuth()
const [sidebarOpen, setSidebarOpen] = useState(() => window.innerWidth > 1024)
const [messages, setMessages] = useState<Message[]>([])
const [input, setInput] = useState('')
@@ -315,8 +317,11 @@ export function AgentChatPage() {
try {
const res = await fetch('/api/agent/chat', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ message: msg, user_id: 1, lang: language }),
headers: {
'Content-Type': 'application/json',
...(token ? { Authorization: `Bearer ${token}` } : {}),
},
body: JSON.stringify({ message: msg, lang: language }),
})
const data = await res.json()
const responseText = data.response || data.error || 'No response'