Wire server.py handlers to the auth helper: forfeit requires validator service token or admin session (client API keys rejected); billing summary/ settlements/registry-wallets and benchmark endpoints require admin/service; the three gossip mutation endpoints require a fresh hive HMAC signature and outgoing gossip pushes are signed. Dashboard sends its session token on panel fetches. Existing tests updated for the new gates. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2.6 KiB
2.6 KiB
Status: done
02 — A2: Unified auth boundary for privileged and financial reads
What to build
Replace header-presence stubs with a single auth middleware that resolves API keys, admin sessions, validator service tokens, and hive peer identity. Close leaks on financial and operator endpoints. This is the auth foundation issue; issue 01 should only apply hive auth to gossip endpoints once the helper exists.
Code refs:
packages/tracker/meshnet_tracker/server.py—_handle_billing_forfeit(~2429–2464) — H3: non-emptyAuthorizationonlypackages/tracker/meshnet_tracker/server.py—_handle_benchmark_hop_penalty(~2650–2658),_handle_benchmark_results(~2745–2748) — H3packages/tracker/meshnet_tracker/server.py—_handle_billing_summary(~2366–2371) — H4packages/tracker/meshnet_tracker/server.py—_handle_billing_settlements(~2407–2412) — H4packages/tracker/meshnet_tracker/server.py—_handle_registry_wallets(~2391–2405) — H4packages/tracker/meshnet_tracker/server.py—_session_account(~2468+),_handle_admin_accounts(~2588–2608) — H4packages/tracker/meshnet_tracker/accounts.py—session_account(),create_session()only (session store; not handler wiring)
Per ADR-0017 §4: forfeit → validator or admin; benchmark → admin; billing summary/settlements/registry wallets → admin session. Include the validator service token shape from 20-validator-service-token.md in the same implementation if practical.
Test-first
- Red: POST
/v1/billing/forfeitwithAuthorization: Bearer garbagesucceeds today — must require validator/admin identity. - Red: GET
/v1/billing/summarywithout admin session returns 401/403. - Green: middleware + role checks; existing inference API-key path unchanged.
Acceptance criteria
- Single
_require_auth(role=...)(or equivalent) used by all privileged handlers - Shared auth config supports admin sessions, validator service token, and hive peer HMAC/mTLS
- Forfeit accepts only validator service token or admin session — not arbitrary Bearer strings
- Financial read endpoints require admin session (alpha posture)
- Benchmark write/read require admin or service token
- Integration tests for each endpoint class (reject unauth, accept valid)
ADR links
Related
20-validator-service-token.md— checklist for validator service token format, rotation, forfeit auth
Blocked by
None. This issue should land before 01-c1-gossip-auth.md.