47 lines
2.6 KiB
Markdown
47 lines
2.6 KiB
Markdown
Status: done
|
||
|
||
# 02 — A2: Unified auth boundary for privileged and financial reads
|
||
|
||
## What to build
|
||
|
||
Replace header-presence stubs with a single auth middleware that resolves API keys, admin sessions, validator service tokens, and hive peer identity. Close leaks on financial and operator endpoints. This is the auth foundation issue; issue 01 should only apply hive auth to gossip endpoints once the helper exists.
|
||
|
||
**Code refs:**
|
||
|
||
- `packages/tracker/meshnet_tracker/server.py` — `_handle_billing_forfeit` (~2429–2464) — H3: non-empty `Authorization` only
|
||
- `packages/tracker/meshnet_tracker/server.py` — `_handle_benchmark_hop_penalty` (~2650–2658), `_handle_benchmark_results` (~2745–2748) — H3
|
||
- `packages/tracker/meshnet_tracker/server.py` — `_handle_billing_summary` (~2366–2371) — H4
|
||
- `packages/tracker/meshnet_tracker/server.py` — `_handle_billing_settlements` (~2407–2412) — H4
|
||
- `packages/tracker/meshnet_tracker/server.py` — `_handle_registry_wallets` (~2391–2405) — H4
|
||
- `packages/tracker/meshnet_tracker/server.py` — `_session_account` (~2468+), `_handle_admin_accounts` (~2588–2608) — H4
|
||
- `packages/tracker/meshnet_tracker/accounts.py` — `session_account()`, `create_session()` only (session store; not handler wiring)
|
||
|
||
Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing summary/settlements/registry wallets → admin session. Include the validator service token shape from `20-validator-service-token_completed.md` in the same implementation if practical.
|
||
|
||
## Test-first
|
||
|
||
1. Red: POST `/v1/billing/forfeit` with `Authorization: Bearer garbage` succeeds today — must require validator/admin identity.
|
||
2. Red: GET `/v1/billing/summary` without admin session returns 401/403.
|
||
3. Green: middleware + role checks; existing inference API-key path unchanged.
|
||
|
||
## Acceptance criteria
|
||
|
||
- [ ] Single `_require_auth(role=...)` (or equivalent) used by all privileged handlers
|
||
- [ ] Shared auth config supports admin sessions, validator service token, and hive peer HMAC/mTLS
|
||
- [ ] Forfeit accepts only validator service token or admin session — not arbitrary Bearer strings
|
||
- [ ] Financial read endpoints require admin session (alpha posture)
|
||
- [ ] Benchmark write/read require admin or service token
|
||
- [ ] Integration tests for each endpoint class (reject unauth, accept valid)
|
||
|
||
## ADR links
|
||
|
||
- [ADR-0017](../../docs/adr/0017-tracker-authentication-and-authorization.md)
|
||
|
||
## Related
|
||
|
||
- `20-validator-service-token_completed.md` — checklist for validator service token format, rotation, forfeit auth
|
||
|
||
## Blocked by
|
||
|
||
None. This issue should land before `01-c1-gossip-auth_completed.md`.
|