Claude/setup agent3 validator 01 up3 u ec zz bbm b8 zw3 qcu xjk

api/cmd/main.go

@@ -313,7 +313,7 @@ func main() {
 	notificationsHandler := handlers.NewNotificationsHandler(database)
 	searchHandler := handlers.NewSearchHandler(database)
 	// NOTE: Session snapshots now handled by streamspace-snapshots plugin
-	sessionTemplatesHandler := handlers.NewSessionTemplatesHandler(database)
+	sessionTemplatesHandler := handlers.NewSessionTemplatesHandler(database, k8sClient, eventPublisher, platform)
 	batchHandler := handlers.NewBatchHandler(database)
 	monitoringHandler := handlers.NewMonitoringHandler(database)
 	quotasHandler := handlers.NewQuotasHandler(database)
@@ -327,7 +327,7 @@ func main() {
 	securityHandler := handlers.NewSecurityHandler(database)
 	templateVersioningHandler := handlers.NewTemplateVersioningHandler(database)
 	setupHandler := handlers.NewSetupHandler(database)
-	applicationHandler := handlers.NewApplicationHandler(database, eventPublisher, platform)
+	applicationHandler := handlers.NewApplicationHandler(database, eventPublisher, k8sClient, platform)
 	// NOTE: Billing is now handled by the streamspace-billing plugin
 
 	// SECURITY: Initialize webhook authentication

api/internal/api/handlers.go

@@ -548,13 +548,14 @@ func (h *Handler) CreateSession(c *gin.Context) {
 	}
 
 	// Generate session name: {user}-{template}-{random}
-	sessionName := fmt.Sprintf("%s-%s-%s", req.User, req.Template, uuid.New().String()[:8])
+	// Use resolved templateName (from applicationId lookup or req.Template)
+	sessionName := fmt.Sprintf("%s-%s-%s", req.User, templateName, uuid.New().String()[:8])
 
 	session := &k8s.Session{
 		Name:      sessionName,
 		Namespace: h.namespace,
 		User:      req.User,
-		Template:  req.Template,
+		Template:  templateName,
 		State:     "running",
 	}
 
@@ -596,12 +597,34 @@ func (h *Handler) CreateSession(c *gin.Context) {
 	createEvent := &events.SessionCreateEvent{
 		SessionID:      sessionName,
 		UserID:         req.User,
-		TemplateID:     req.Template,
+		TemplateID:     templateName,
 		Platform:       h.platform,
 		Resources:      events.ResourceSpec{Memory: memory, CPU: cpu},
 		PersistentHome: session.PersistentHome,
 		IdleTimeout:    session.IdleTimeout,
 	}
+
+	// Add template configuration for Docker controller
+	if template != nil {
+		vncPort := 3000 // Default VNC port
+		if template.VNC != nil && template.VNC.Port > 0 {
+			vncPort = int(template.VNC.Port)
+		}
+
+		// Convert env vars to map
+		envMap := make(map[string]string)
+		for _, env := range template.Env {
+			envMap[env.Name] = env.Value
+		}
+
+		createEvent.TemplateConfig = &events.TemplateConfig{
+			Image:       template.BaseImage,
+			VNCPort:     vncPort,
+			DisplayName: template.DisplayName,
+			Env:         envMap,
+		}
+	}
+
 	if err := h.publisher.PublishSessionCreate(ctx, createEvent); err != nil {
 		log.Printf("Warning: Failed to publish session create event: %v", err)
 	}
@@ -739,11 +762,29 @@ func (h *Handler) ConnectSession(c *gin.Context) {
 		return
 	}
 
+	// Determine session readiness and URL availability
+	sessionUrl := session.Status.URL
+	message := "Connection established."
+	ready := true
+
+	if session.State == "hibernated" {
+		message = "Connection established. Session is waking from hibernation - please wait."
+		ready = false
+	} else if session.State == "pending" {
+		message = "Connection established. Session is starting up - please wait."
+		ready = false
+	} else if sessionUrl == "" {
+		// Session is running but URL not yet available (pod still initializing)
+		message = "Connection established. Waiting for session endpoint - please wait."
+		ready = false
+	}
+
 	c.JSON(http.StatusOK, gin.H{
 		"connectionId": conn.ID,
-		"sessionUrl":   session.Status.URL,
+		"sessionUrl":   sessionUrl,
 		"state":        session.State,
-		"message":      "Connection established. Session will auto-start if hibernated.",
+		"ready":        ready,
+		"message":      message,
 	})
 }
 
@@ -776,18 +817,31 @@ func (h *Handler) DisconnectSession(c *gin.Context) {
 func (h *Handler) SessionHeartbeat(c *gin.Context) {
 	// SECURITY FIX: Use request context for proper cancellation and timeout handling
 	ctx := c.Request.Context()
+	sessionID := c.Param("id")
 	connectionID := c.Query("connectionId")
 
 	if connectionID == "" {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "connectionId parameter required"})
 		return
 	}
 
-	if err := h.connTracker.UpdateHeartbeat(ctx, connectionID); err != nil {
+	// Validate that the connection belongs to the specified session
+	conn := h.connTracker.GetConnection(connectionID)
+	if conn == nil {
 		c.JSON(http.StatusNotFound, gin.H{"error": "Connection not found"})
 		return
 	}
 
+	if conn.SessionID != sessionID {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Connection does not belong to this session"})
+		return
+	}
+
+	if err := h.connTracker.UpdateHeartbeat(ctx, connectionID); err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update heartbeat"})
+		return
+	}
+
 	c.JSON(http.StatusOK, gin.H{"status": "ok"})
 }
 

api/internal/auth/handlers.go

@@ -106,6 +106,7 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/crewjam/saml"
@@ -114,6 +115,53 @@ import (
 	"github.com/streamspace/streamspace/api/internal/models"
 )
 
+// validateReturnURL validates that a return URL is safe to redirect to.
+//
+// Security Considerations:
+//   - Only allows relative URLs (starting with /)
+//   - Prevents protocol-relative URLs (//evil.com)
+//   - Prevents URLs with multiple slashes that could be exploited
+//   - Returns "/" as safe default if validation fails
+//
+// This prevents open redirect vulnerabilities where an attacker could
+// craft a URL like ?return_url=//evil.com/steal-token to redirect
+// users to malicious sites after authentication.
+func validateReturnURL(returnURL string) string {
+	// Default to home page
+	if returnURL == "" {
+		return "/"
+	}
+
+	// Must start with a single slash (relative path)
+	if !strings.HasPrefix(returnURL, "/") {
+		return "/"
+	}
+
+	// Prevent protocol-relative URLs (//evil.com)
+	if strings.HasPrefix(returnURL, "//") {
+		return "/"
+	}
+
+	// Prevent URLs that could be manipulated
+	// e.g., /\evil.com on some servers
+	if strings.ContainsAny(returnURL, "\\") {
+		return "/"
+	}
+
+	// Prevent URLs with scheme-like patterns
+	if strings.Contains(returnURL, "://") {
+		return "/"
+	}
+
+	// Prevent URLs with encoded characters that could be exploited
+	// after being decoded by the browser
+	if strings.Contains(returnURL, "%2f") || strings.Contains(returnURL, "%2F") {
+		return "/"
+	}
+
+	return returnURL
+}
+
 // AuthHandler handles authentication requests
 type AuthHandler struct {
 	userDB     *db.UserDB
@@ -303,10 +351,8 @@ func (h *AuthHandler) SAMLLogin(c *gin.Context) {
 	}
 
 	// Store return URL in cookie for post-login redirect
-	returnURL := c.Query("return_url")
-	if returnURL == "" {
-		returnURL = "/"
-	}
+	// SECURITY: Validate return URL to prevent open redirect attacks
+	returnURL := validateReturnURL(c.Query("return_url"))
 
 	// Set secure cookie with return URL (1 hour expiration)
 	c.SetCookie(

api/internal/auth/saml.go

@@ -1258,22 +1258,19 @@ func (sa *SAMLAuthenticator) SetupRoutes(router *gin.Engine) {
 		// - return_url (optional): Where to redirect after authentication
 		//   Default: "/"
 		//
-		// SECURITY NOTE: return_url should be validated to prevent open redirects
-		// TODO: Add whitelist validation for return_url
+		// SECURITY: return_url is validated to prevent open redirect attacks
 		samlGroup.GET("/login", func(c *gin.Context) {
 			// STEP 1: Get return URL from query parameter
 			// This is where user will be redirected after successful authentication
-			returnURL := c.Query("return_url")
-			if returnURL == "" {
-				returnURL = "/" // Default to home page
-			}
+			// SECURITY: Validate to prevent open redirect attacks
+			returnURL := validateReturnURL(c.Query("return_url"))
 
 			// STEP 2: Store return URL in cookie
 			// The ACS endpoint will read this cookie and redirect user after auth
 			//
 			// Cookie parameters:
 			// - Name: "saml_return_url"
-			// - Value: returnURL (e.g., "/api/sessions")
+			// - Value: returnURL (validated, e.g., "/api/sessions")
 			// - MaxAge: 3600 seconds (1 hour) - plenty of time for auth flow
 			// - Path: "/" - available to all endpoints
 			// - Domain: "" - current domain

api/internal/events/types.go

@@ -23,6 +23,16 @@ type SessionCreateEvent struct {
 	PersistentHome bool              `json:"persistent_home"`
 	IdleTimeout    string            `json:"idle_timeout"`
 	Metadata       map[string]string `json:"metadata,omitempty"`
+	// Template configuration - used by controllers to create sessions
+	TemplateConfig *TemplateConfig `json:"template_config,omitempty"`
+}
+
+// TemplateConfig holds template configuration for session creation.
+type TemplateConfig struct {
+	Image       string            `json:"image"`
+	VNCPort     int               `json:"vnc_port"`
+	DisplayName string            `json:"display_name,omitempty"`
+	Env         map[string]string `json:"env,omitempty"`
 }
 
 // SessionDeleteEvent is published when a session should be deleted.

api/internal/handlers/applications.go

@@ -47,6 +47,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/streamspace/streamspace/api/internal/db"
 	"github.com/streamspace/streamspace/api/internal/events"
+	"github.com/streamspace/streamspace/api/internal/k8s"
 	"github.com/streamspace/streamspace/api/internal/models"
 )
 
@@ -55,19 +56,24 @@ type ApplicationHandler struct {
 	db        *db.Database
 	appDB     *db.ApplicationDB
 	publisher *events.Publisher
+	k8sClient *k8s.Client
 	platform  string
+	namespace string
 }
 
 // NewApplicationHandler creates a new application handler
-func NewApplicationHandler(database *db.Database, publisher *events.Publisher, platform string) *ApplicationHandler {
+func NewApplicationHandler(database *db.Database, publisher *events.Publisher, k8sClient *k8s.Client, platform string) *ApplicationHandler {
 	if platform == "" {
 		platform = events.PlatformKubernetes
 	}
+	namespace := "streamspace" // Default namespace
 	return &ApplicationHandler{
 		db:        database,
 		appDB:     db.NewApplicationDB(database.DB()),
 		publisher: publisher,
+		k8sClient: k8sClient,
 		platform:  platform,
+		namespace: namespace,
 	}
 }
 
@@ -279,8 +285,9 @@ func (h *ApplicationHandler) InstallApplication(c *gin.Context) {
 // @Router /api/v1/applications/{id} [get]
 func (h *ApplicationHandler) GetApplication(c *gin.Context) {
 	appID := c.Param("id")
+	ctx := c.Request.Context()
 
-	app, err := h.appDB.GetApplication(c.Request.Context(), appID)
+	app, err := h.appDB.GetApplication(ctx, appID)
 	if err != nil {
 		c.JSON(http.StatusNotFound, ErrorResponse{
 			Error:   "Application not found",
@@ -289,8 +296,24 @@ func (h *ApplicationHandler) GetApplication(c *gin.Context) {
 		return
 	}
 
+	// Self-healing: Check if installation status needs to be updated
+	// If status is 'pending' or 'creating', check if the Template CRD exists
+	if app.InstallStatus == "pending" || app.InstallStatus == "creating" {
+		if h.k8sClient != nil && app.TemplateName != "" {
+			// Check if Template CRD exists in Kubernetes
+			_, err := h.k8sClient.GetTemplate(ctx, h.namespace, app.TemplateName)
+			if err == nil {
+				// Template exists! Update status to installed
+				h.updateInstallStatus(ctx, appID, "installed", "Template ready")
+				app.InstallStatus = "installed"
+				app.InstallMessage = "Template ready"
+				log.Printf("Updated installation status for %s to installed (template found)", appID)
+			}
+		}
+	}
+
 	// Get group access
-	groups, err := h.appDB.GetApplicationGroups(c.Request.Context(), appID)
+	groups, err := h.appDB.GetApplicationGroups(ctx, appID)
 	if err == nil {
 		app.Groups = groups
 	}