Files
neuron-tai/.scratch/alpha-hardening/issues/02-a2-unified-auth-boundary_completed.md
2026-07-13 14:14:37 +02:00

47 lines
2.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
Status: done
# 02 — A2: Unified auth boundary for privileged and financial reads
## What to build
Replace header-presence stubs with a single auth middleware that resolves API keys, admin sessions, validator service tokens, and hive peer identity. Close leaks on financial and operator endpoints. This is the auth foundation issue; issue 01 should only apply hive auth to gossip endpoints once the helper exists.
**Code refs:**
- `packages/tracker/meshnet_tracker/server.py``_handle_billing_forfeit` (~24292464) — H3: non-empty `Authorization` only
- `packages/tracker/meshnet_tracker/server.py``_handle_benchmark_hop_penalty` (~26502658), `_handle_benchmark_results` (~27452748) — H3
- `packages/tracker/meshnet_tracker/server.py``_handle_billing_summary` (~23662371) — H4
- `packages/tracker/meshnet_tracker/server.py``_handle_billing_settlements` (~24072412) — H4
- `packages/tracker/meshnet_tracker/server.py``_handle_registry_wallets` (~23912405) — H4
- `packages/tracker/meshnet_tracker/server.py``_session_account` (~2468+), `_handle_admin_accounts` (~25882608) — H4
- `packages/tracker/meshnet_tracker/accounts.py``session_account()`, `create_session()` only (session store; not handler wiring)
Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing summary/settlements/registry wallets → admin session. Include the validator service token shape from `20-validator-service-token_completed.md` in the same implementation if practical.
## Test-first
1. Red: POST `/v1/billing/forfeit` with `Authorization: Bearer garbage` succeeds today — must require validator/admin identity.
2. Red: GET `/v1/billing/summary` without admin session returns 401/403.
3. Green: middleware + role checks; existing inference API-key path unchanged.
## Acceptance criteria
- [ ] Single `_require_auth(role=...)` (or equivalent) used by all privileged handlers
- [ ] Shared auth config supports admin sessions, validator service token, and hive peer HMAC/mTLS
- [ ] Forfeit accepts only validator service token or admin session — not arbitrary Bearer strings
- [ ] Financial read endpoints require admin session (alpha posture)
- [ ] Benchmark write/read require admin or service token
- [ ] Integration tests for each endpoint class (reject unauth, accept valid)
## ADR links
- [ADR-0017](../../docs/adr/0017-tracker-authentication-and-authorization.md)
## Related
- `20-validator-service-token_completed.md` — checklist for validator service token format, rotation, forfeit auth
## Blocked by
None. This issue should land before `01-c1-gossip-auth_completed.md`.