Adds token vault capabilities which translate auth tokens on the fly, so that the proxees do not actually ever see the real tokens.

Flow:

```sh
$ ./sandworm token add bearer --host api.github.com --secret "$GITHUB_API_TOKEN"
created bearer mapping "api.github.com" for api.github.com * using proxy token "default"
$ ./sandworm token list
default
  - bearer api.github.com *
```

```sh
$ ./sandworm --domains api.github.com --translate-tokens
time=2026-04-27T09:45:37.688+02:00 level=INFO msg="Starting proxy" addr=0.0.0.0:2137 mode=allow allowed_domains=[api.github.com] allowed_cidrs=[] blocked_domains=[] blocked_cidrs=[]
time=2026-04-27T09:45:37.688+02:00 level=INFO msg="Starting admin panel" addr=127.0.0.1:2138
time=2026-04-27T09:45:37.688+02:00 level=INFO msg="Proxy started successfully" port=2137 admin_bind=127.0.0.1 mode=allow domains=[api.github.com] cidrs=[] blocked_domains=[] blocked_cidrs=[] translate_tokens=true translate_tokens_db=./sandworm.db
time=2026-04-27T09:52:49.262+02:00 level=INFO msg="Proxy request" method=CONNECT host=api.github.com:443 url=//api.github.com:443 remote=127.0.0.1:58068
time=2026-04-27T09:52:59.189+02:00 level=INFO msg="Proxy request" method=CONNECT host=api.github.com:443 url=//api.github.com:443 remote=127.0.0.1:43258
time=2026-04-27T09:53:02.509+02:00 level=INFO msg="Proxy request" method=CONNECT host=api.github.com:443 url=//api.github.com:443 remote=127.0.0.1:54504
```

```sh
$ . <(./sandworm token config)
$ echo $HTTPS_PROXY
http://x:sand_-khhQ0jx0wOPxaoyGajlCdchfBWB-ZXu@127.0.0.1:2137
$ curl -sSfL https://api.github.com/user | jq -r '.name,.company'
Piotr Sarna
poolside
```

Revoking path:

```
$ ./sandworm token revoke
revoked proxy token "default"
$ ./sandworm token list
default
  - no mappings
$ curl -sSfL https://api.github.com/user | jq -r '.name,.company'
curl: (22) The requested URL returned error: 401
```
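The translation step described above, as an added Go example that is not code from this pull request or from sandworm: the client presents only a proxy token in the proxy URL's userinfo, and the proxy swaps it for the real bearer secret mapped to the upstream host. `Vault`, `Translate`, `ErrDenied` and all token values are hypothetical, and the sketch assumes the proxy already sees the plaintext request headers.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Vault (hypothetical) maps sha256(proxy token) -> upstream host -> real secret,
// so the proxy token itself is never stored in clear.
type Vault struct{ m map[[32]byte]map[string]string }

var ErrDenied = errors.New("unknown or revoked proxy token, or host not mapped")

func NewVault() *Vault { return &Vault{m: map[[32]byte]map[string]string{}} }

func (v *Vault) Add(proxyTok, host, secret string) {
	k := sha256.Sum256([]byte(proxyTok))
	if v.m[k] == nil {
		v.m[k] = map[string]string{}
	}
	v.m[k][host] = secret
}

// Revoke drops every mapping reachable through the proxy token.
func (v *Vault) Revoke(proxyTok string) { delete(v.m, sha256.Sum256([]byte(proxyTok))) }

// Translate replaces the client's proxy credential with the real bearer token.
func (v *Vault) Translate(r *http.Request) error {
	h := r.Header.Get("Proxy-Authorization")
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(h, "Basic "))
	parts := strings.SplitN(string(raw), ":", 2) // "x:<proxy token>"
	r.Header.Del("Proxy-Authorization")          // never forward the proxy credential upstream
	r.Header.Del("Authorization")                // ignore anything the client supplied itself
	if !strings.HasPrefix(h, "Basic ") || err != nil || len(parts) != 2 {
		return ErrDenied
	}
	secret, ok := v.m[sha256.Sum256([]byte(parts[1]))][r.URL.Hostname()]
	if !ok {
		return ErrDenied // fail closed: request goes out without any credential
	}
	r.Header.Set("Authorization", "Bearer "+secret)
	return nil
}

func main() {
	v := NewVault()
	v.Add("sand_constructed", "api.github.com", "real-secret-constructed") // constructed values
	r, _ := http.NewRequest("GET", "https://api.github.com/user", nil)
	r.Header.Set("Proxy-Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("x:sand_constructed")))
	fmt.Println(v.Translate(r), r.Header.Get("Authorization"))
}
```

The real secret is scoped to the mapped host, so a valid proxy token cannot be used to send it to any other destination.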