Wire server.py handlers to the auth helper: forfeit requires validator service token or admin session (client API keys rejected); billing summary/ settlements/registry-wallets and benchmark endpoints require admin/service; the three gossip mutation endpoints require a fresh hive HMAC signature and outgoing gossip pushes are signed. Dashboard sends its session token on panel fetches. Existing tests updated for the new gates. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2.0 KiB
2.0 KiB
Status: done
01 — C1: Authenticate hive gossip endpoints
What to build
Add authenticated peer identity to all tracker gossip mutation endpoints. Today any caller can push billing, account, and stats events without verification.
Code refs:
packages/tracker/meshnet_tracker/server.py—_handle_billing_gossip(~2414–2427)packages/tracker/meshnet_tracker/server.py—_handle_accounts_gossip(~2610–2623)packages/tracker/meshnet_tracker/server.py—_handle_stats_gossip(~2355–2364)packages/tracker/meshnet_tracker/billing.py—apply_events(~301–311)packages/tracker/meshnet_tracker/accounts.py—apply_events(~220–226)
Implement per ADR-0017 §3 using the auth helper/config from issue 02: shared hive HMAC (body + timestamp) or mutual TLS between configured tracker peers. Reject unauthenticated gossip with 401.
Note: /v1/gossip (node throughput fan-out, server.py ~1331) is not in scope for this issue — see ADR-0017 §3 out-of-scope note.
Test-first
- Red: unauthenticated POST to
/v1/billing/gossipapplies a credit event today — test must fail after fix. - Red: authenticated peer with valid HMAC applies events; invalid/missing auth returns 401 and
applied: 0. - Green: wire the issue-02 verifier/config (
--hive-secretor peer cert paths) into the three hive mutation endpoints.
Acceptance criteria
/v1/billing/gossip,/v1/accounts/gossip,/v1/stats/gossipreject requests without valid hive auth- Authenticated peers replicate events as today (id-dedup preserved)
- Config documented for multi-tracker dev setups
- Tests cover reject + accept paths without live network
ADR links
Blocked by
02-a2-unified-auth-boundary.md— owns shared auth middleware/config. Implement in the same PR if simpler.