host: experimental unguarded create-only POST /new — editor publishes live, 173/173
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 19s
host/blog-open-create-routes mounts POST /new with error-trapping but NO auth (create-only; no PUT/DELETE), so the SX editor can publish to the host end-to-end on the experimental subdomain.

VALIDATED LIVE: editor-style form-urlencoded POST -> 303 -> post renders at /<slug>/ and lists on /.

Deliberate short-lived public write hole (create-only, obscure subdomain). MUST be gated before real use: Caddy basicauth on /new, or session auth. Swap host/blog-open-create-routes -> host/blog-write-routes <resolver> to gate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -103,5 +103,8 @@ EPOCH=1
|
||||
# post detail (blog-routes LAST — the :slug catch-all must not shadow the rest).
|
||||
# Guarded write groups (auth/ACL or internal-HMAC) are added here once their
|
||||
# injected policy is supplied at wiring time.
|
||||
echo "(eval \"(host/serve $PORT (list host/feed-routes host/relations-routes host/blog-routes))\")"
|
||||
# EXPERIMENTAL: host/blog-open-create-routes mounts POST /new UNGUARDED (no
|
||||
# auth) so the editor can publish end-to-end on the experimental subdomain.
|
||||
# Create-only (no PUT/DELETE). GATE (Caddy basicauth / sessions) before real use.
|
||||
echo "(eval \"(host/serve $PORT (list host/feed-routes host/relations-routes host/blog-open-create-routes host/blog-routes))\")"
|
||||
} | exec "$SX_SERVER"
|
||||
|
||||
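Review bot: The new `host/serve` line mounts `host/blog-open-create-routes` unconditionally, so the unauthenticated POST /new is live wherever this script runs; the "experimental subdomain" restriction exists only in the comment, not in the code. The comment block just above says guarded write groups are added "once their injected policy is supplied at wiring time", and this group is wired in without one. Suggest keeping the three-group list as the default and mounting the open-create group only behind an explicit opt-in checked in this script, or wiring `host/blog-write-routes <resolver>` as the commit message describes, so that forgetting the follow-up leaves the route closed rather than open. The EXPERIMENTAL comment should also state when or under what condition the group is removed, since "before real use" gives no owner or deadline. The placement ahead of `host/blog-routes` is right given the `:slug` catch-all noted above. The CI run for this push is reported as failing, so the change should not be treated as validated by the pipeline.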