Files
neuron-tai/.scratch/alpha-hardening/issues/02-a2-unified-auth-boundary_completed.md
2026-07-13 14:14:37 +02:00

2.6 KiB
Raw Permalink Blame History

Status: done

02 — A2: Unified auth boundary for privileged and financial reads

What to build

Replace header-presence stubs with a single auth middleware that resolves API keys, admin sessions, validator service tokens, and hive peer identity. Close leaks on financial and operator endpoints. This is the auth foundation issue; issue 01 should only apply hive auth to gossip endpoints once the helper exists.

Code refs:

  • packages/tracker/meshnet_tracker/server.py_handle_billing_forfeit (~24292464) — H3: non-empty Authorization only
  • packages/tracker/meshnet_tracker/server.py_handle_benchmark_hop_penalty (~26502658), _handle_benchmark_results (~27452748) — H3
  • packages/tracker/meshnet_tracker/server.py_handle_billing_summary (~23662371) — H4
  • packages/tracker/meshnet_tracker/server.py_handle_billing_settlements (~24072412) — H4
  • packages/tracker/meshnet_tracker/server.py_handle_registry_wallets (~23912405) — H4
  • packages/tracker/meshnet_tracker/server.py_session_account (~2468+), _handle_admin_accounts (~25882608) — H4
  • packages/tracker/meshnet_tracker/accounts.pysession_account(), create_session() only (session store; not handler wiring)

Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing summary/settlements/registry wallets → admin session. Include the validator service token shape from 20-validator-service-token_completed.md in the same implementation if practical.

Test-first

  1. Red: POST /v1/billing/forfeit with Authorization: Bearer garbage succeeds today — must require validator/admin identity.
  2. Red: GET /v1/billing/summary without admin session returns 401/403.
  3. Green: middleware + role checks; existing inference API-key path unchanged.

Acceptance criteria

  • Single _require_auth(role=...) (or equivalent) used by all privileged handlers
  • Shared auth config supports admin sessions, validator service token, and hive peer HMAC/mTLS
  • Forfeit accepts only validator service token or admin session — not arbitrary Bearer strings
  • Financial read endpoints require admin session (alpha posture)
  • Benchmark write/read require admin or service token
  • Integration tests for each endpoint class (reject unauth, accept valid)
  • 20-validator-service-token_completed.md — checklist for validator service token format, rotation, forfeit auth

Blocked by

None. This issue should land before 01-c1-gossip-auth_completed.md.