🛡️ Sentinel: [HIGH] Fix CORS wildcard credentials vulnerability

[mattjoyce]

🚨 Severity: HIGH
💡 Vulnerability: The API server's CORS configuration allowed the wildcard * in AllowedOrigins while simultaneously setting Access-Control-Allow-Credentials: true.
🎯 Impact: This is a significant security risk because it attempts to allow any website to make authenticated cross-origin requests, potentially exposing sensitive data or actions to unauthorized domains. While modern browsers block this specific combination, misconfigured or non-standard clients might still exploit it, and it represents a fundamentally insecure server posture.
🔧 Fix: Updated corsMiddleware in internal/api/server.go. When the wildcard * is present in the allowedOrigins list, the middleware now explicitly sets Access-Control-Allow-Origin: * and forces Access-Control-Allow-Credentials: false. For explicitly listed origins (no wildcard), the behavior remains intact: the specific origin is allowed and credentials are permitted.
✅ Verification: Tested the internal/api package via go test -v ./internal/api/... which successfully ran the integration tests.

---

PR created automatically by Jules for task 16077443379988911092 started by @mattjoyce

Summary by CodeRabbit

• Bug Fixes

  • Improved CORS (Cross-Origin Resource Sharing) configuration handling to ensure secure credential management when wildcard origins are used.

• Documentation

  • Added guidance on CORS security vulnerability prevention.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 3b240d44-5b34-4b06-bdef-8c8f6b857629

📥 Commits

Reviewing files that changed from the base of the PR and between b4d00cc and 3d0409e.

📒 Files selected for processing (2)

• .jules/sentinel.md
• internal/api/server.go

---

📝 Walkthrough

Walkthrough

This PR addresses a CORS security issue by detecting wildcard origins in the allowlist and conditionally disabling credentials. The middleware now sets Access-Control-Allow-Credentials: false when using Access-Control-Allow-Origin: *, preventing a security misconfiguration while maintaining per-origin credential support for specific origins.

Changes

CORS Wildcard and Credentials Fix

Layer / File(s)	Summary
Security pattern documentation .jules/sentinel.md	New sentinel entry documents the insecure CORS pattern of combining wildcard origins with allowed credentials.
CORS middleware wildcard and credentials handling internal/api/server.go	corsMiddleware introduces an allowAll flag when allowedOrigins contains "*", then uses this flag to conditionally set Access-Control-Allow-Credentials: false and Access-Control-Allow-Origin: *, or else echo the request Origin with credentials enabled.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A wildcard in origins, credentials so free—
Not secure, dear reviewer, as you will see!
But this change makes it safe with a flag and a choice,
Credentials disabled when stars get a voice. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: fixing a CORS wildcard credentials vulnerability in the API server by updating the corsMiddleware logic.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-cors-wildcard-credentials-16077443379988911092

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}