Skip to content

fix: bind redirection token to device AMT GUID#1133

Open
madhavilosetty-intel wants to merge 1 commit into
mainfrom
fix/redirection-token-device-binding
Open

fix: bind redirection token to device AMT GUID#1133
madhavilosetty-intel wants to merge 1 commit into
mainfrom
fix/redirection-token-device-binding

Conversation

@madhavilosetty-intel

Copy link
Copy Markdown
Contributor

The redirection JWT carried no device claim and the KVM/SOL/IDER WebSocket validated only the signature and expiry, so any valid token (including the login token) could open a session to any device.

Mint the redirection token with a deviceId claim set to the device's AMT GUID, and reject the WebSocket unless the token's deviceId is present and matches the host query param. A login token (no deviceId) and a token minted for another device are now rejected.

@madhavilosetty-intel madhavilosetty-intel requested a review from a team as a code owner July 10, 2026 22:48
@madhavilosetty-intel madhavilosetty-intel changed the title fix(redir): bind redirection token to device AMT GUID fix: bind redirection token to device AMT GUID Jul 10, 2026
@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 69.23077% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 43.67%. Comparing base (036fc8b) to head (80eee0f).

Files with missing lines Patch % Lines
internal/controller/ws/v1/redirect.go 63.63% 5 Missing and 3 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1133      +/-   ##
==========================================
+ Coverage   43.59%   43.67%   +0.07%     
==========================================
  Files         143      143              
  Lines       13621    13633      +12     
==========================================
+ Hits         5938     5954      +16     
+ Misses       7118     7112       -6     
- Partials      565      567       +2     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@madhavilosetty-intel madhavilosetty-intel force-pushed the fix/redirection-token-device-binding branch from f161f83 to fc519c3 Compare July 10, 2026 22:50
The redirection JWT carried no device claim and the KVM/SOL/IDER
WebSocket validated only the signature and expiry, so any valid token
(including the login token) could open a session to any device.

Mint the redirection token with a deviceId claim set to the device's
AMT GUID, and reject the WebSocket unless the token's deviceId is
present and matches the host query param. A login token (no deviceId)
and a token minted for another device are now rejected.
@madhavilosetty-intel madhavilosetty-intel force-pushed the fix/redirection-token-device-binding branch from fc519c3 to 80eee0f Compare July 10, 2026 22:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant