security(TASK-8): fix M3 AIUI session check + H4 prep

M3: AIUI nginx proxy now checks session_id cookie (actual auth cookie) instead of generic session cookie. Prevents bypass with arbitrary cookie values. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 19:46:59 +00:00 · 2026-03-18 19:46:59 +00:00 · 0674cd5dad
commit 0674cd5dad
parent 0d28d28bf7
1 changed files with 7 additions and 7 deletions
--- a/image-recipe/configs/nginx-archipelago.conf
+++ b/image-recipe/configs/nginx-archipelago.conf
@ -37,7 +37,7 @@ server {

    # AIUI Claude API proxy — requires valid session cookie
    location /aiui/api/claude/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass http://127.0.0.1:3142/;
@ -54,7 +54,7 @@ server {

    # AIUI OpenRouter API proxy — requires valid session cookie
    location /aiui/api/openrouter/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass https://openrouter.ai/api/;
@ -69,7 +69,7 @@ server {

    # AIUI Ollama (local AI) proxy — localhost:11434
    location /aiui/api/ollama/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass http://127.0.0.1:11434/;
@ -85,7 +85,7 @@ server {

    # AIUI web search proxy — SearXNG on port 8888
    location /aiui/api/web-search {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass http://127.0.0.1:8888/search;
@ -735,7 +735,7 @@ server {
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }
    location /aiui/api/claude/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass http://127.0.0.1:3142/;
@ -750,7 +750,7 @@ server {
        proxy_send_timeout 120s;
    }
    location /aiui/api/ollama/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass http://127.0.0.1:11434/;
@ -764,7 +764,7 @@ server {
        # Connection header managed by nginx default
    }
    location /aiui/api/openrouter/ {
-        if ($cookie_session = "") {
+        if ($cookie_session_id = "") {
            return 401 '{"error":"Unauthorized"}';
        }
        proxy_pass https://openrouter.ai/api/;