Add web for Superday

[PrestigePvP]

Description 📣

Add web for Superday

Type ✨

• Bug fix
• New feature
• Improvement
• Breaking change
• Documentation

Tests 🛠️

# Here's some code block to paste some code snippets

---

• I have read the contributing guide, agreed and acknowledged the code of conduct. 📝

[greptile-apps]

Greptile Overview

Greptile Summary

This PR adds web browser support for PAM (Privileged Access Management) sessions by implementing a WebSocket-based proxy system with ECDH key exchange and AES-256-GCM encryption.

Key Changes:

• Added WebSocket server on port 8444 for browser clients to connect to the relay
• Implemented ECDH handshake with HMAC signature verification using a shared secret
• Created encrypted connection wrapper with AES-256-GCM for securing browser-to-gateway traffic
• Modified gateway to detect connection type by first byte (0x16 for mTLS CLI clients, 0x00 for web clients)
• Added support for PostgreSQL, MySQL, Redis, SSH, and Kubernetes protocols over the web proxy

Critical Security Issues:

• WebSocket CORS is configured with wildcard (*) allowing all origins, which disables CORS protection and could allow malicious websites to establish connections
• CheckOrigin returns true for all requests, bypassing WebSocket origin validation
• Bug in gateway.go:568 where prefixedVirtualConnection is created without passing firstByte, which could break the web protocol handler

Additional Concerns:

• No documentation found for this feature - how will users discover web-based PAM access for Superday?
• URL parsing from API credentials should be validated server-side to prevent SSRF attacks
• Unused code block in session expiry monitoring

Confidence Score: 1/5

• This PR has critical security vulnerabilities (wildcard CORS, disabled origin checks) and a protocol-breaking bug that will likely cause runtime failures
• Score of 1 reflects three critical issues: (1) CORS wildcard and disabled origin validation create attack vectors for malicious sites, (2) bug in gateway.go will break web proxy protocol by not passing firstByte to prefixedVirtualConnection, (3) no documentation for user-facing feature
• packages/relay/relay_ws.go (CORS security), packages/gateway-v2/gateway.go (protocol bug)

Important Files Changed

Filename	Overview
packages/relay/relay_ws.go	New WebSocket server with CORS wildcard allowing all origins and missing origin validation - critical security issues that could allow unauthorized access
packages/pam/pam-web-proxy.go	New PAM web proxy with ECDH handshake and AES-256-GCM encryption. Has unused code block and potential SSRF concerns with URL parsing
packages/pam/encrypted_conn.go	New encrypted connection wrapper using AES-256-GCM with proper frame length validation (1<<24 max) and nonce handling
packages/gateway-v2/gateway.go	Added protocol detection by first byte (0x16 for mTLS, 0x00 for web). Bug in prefixedVirtualConnection initialization missing firstByte parameter for web connections

[greptile-apps]

_{4 files reviewed, 5 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Allowing all origins (CheckOrigin: func(req *http.Request) bool { return true }) disables CORS protection completely, exposing the WebSocket endpoint to requests from any origin. This creates a security vulnerability where malicious websites can establish WebSocket connections to your relay server.

While authentication is performed separately, this still allows unauthorized origins to attempt connections and potentially exploit timing attacks or resource exhaustion.

Consider restricting to trusted origins or implement origin validation:

Suggested change

	CheckOrigin: func(req *http.Request) bool { return true },
	CheckOrigin: func(req *http.Request) bool {
	origin := req.Header.Get("Origin")
	// Add your trusted origins here
	return origin == "https://your-trusted-domain.com"
	},

[greptile-apps]

Wildcard CORS (Access-Control-Allow-Origin: *) allows any website to make requests to this endpoint, which could enable CSRF-style attacks or information disclosure.

Suggested change

	w.Header().Set("Access-Control-Allow-Origin", "*")
	w.Header().Set("Access-Control-Allow-Origin", "https://your-trusted-domain.com")

[greptile-apps]

Unused code block - fetching credentials but immediately discarding the result with _ = creds. This appears to be dead code.

Suggested change

	if creds, err := credentialsManager.GetPAMSessionCredentials(handshake.SessionID, time.Now().Add(timeUntilExpiry)); err == nil {
	_ = creds
	}
	// Pre-fetch credentials to ensure session is still valid
	if _, err := credentialsManager.GetPAMSessionCredentials(handshake.SessionID, time.Now().Add(timeUntilExpiry)); err != nil {
	log.Error().Err(err).Str("sessionId", handshake.SessionID).Msg("Failed to validate session on expiry check")
	}

[greptile-apps]

Bug: Creating prefixedVirtualConnection without passing the firstByte that was read. This means the magic byte (0x00) won't be available to the PAM web proxy handler, potentially causing protocol issues.

Suggested change

	virtualConn := &prefixedVirtualConnection{channel: channel}
	virtualConn := newPrefixedVirtualConnection(firstByte, channel)

[greptile-apps]

Verify API validates credentials.Url to prevent SSRF (e.g., blocking internal IPs like http://localhost:6443, http://169.254.169.254).