This commit is contained in:
Dobromir Popov
2026-07-04 23:02:54 +02:00
parent de52ad7aa0
commit 69b0e726b8
13 changed files with 66 additions and 39 deletions

View File

@@ -4,7 +4,7 @@ Status: ready-for-agent
## What to build
Replace header-presence stubs with a single auth middleware that resolves API keys, admin sessions, validator service tokens, and hive peer identity. Close leaks on financial and operator endpoints.
Replace header-presence stubs with a single auth middleware that resolves API keys, admin sessions, validator service tokens, and hive peer identity. Close leaks on financial and operator endpoints. This is the auth foundation issue; issue 01 should only apply hive auth to gossip endpoints once the helper exists.
**Code refs:**
@@ -16,7 +16,7 @@ Replace header-presence stubs with a single auth middleware that resolves API ke
- `packages/tracker/meshnet_tracker/server.py``_session_account` (~2468+), `_handle_admin_accounts` (~25882608) — H4
- `packages/tracker/meshnet_tracker/accounts.py``session_account()`, `create_session()` only (session store; not handler wiring)
Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing summary/settlements/registry wallets → admin session. Forfeit validator identity: see `20-validator-service-token.md`.
Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing summary/settlements/registry wallets → admin session. Include the validator service token shape from `20-validator-service-token.md` in the same implementation if practical.
## Test-first
@@ -27,6 +27,7 @@ Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing s
## Acceptance criteria
- [ ] Single `_require_auth(role=...)` (or equivalent) used by all privileged handlers
- [ ] Shared auth config supports admin sessions, validator service token, and hive peer HMAC/mTLS
- [ ] Forfeit accepts only validator service token or admin session — not arbitrary Bearer strings
- [ ] Financial read endpoints require admin session (alpha posture)
- [ ] Benchmark write/read require admin or service token
@@ -38,8 +39,8 @@ Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing s
## Related
- `20-validator-service-token.md` — validator service token format, rotation, forfeit auth
- `20-validator-service-token.md` checklist for validator service token format, rotation, forfeit auth
## Blocked by
- `01-c1-gossip-auth.md` (shared auth config)
None. This issue should land before `01-c1-gossip-auth.md`.