42 lines
2.0 KiB
Markdown
42 lines
2.0 KiB
Markdown
Status: done
|
||
|
||
# 01 — C1: Authenticate hive gossip endpoints
|
||
|
||
## What to build
|
||
|
||
Add authenticated peer identity to all tracker gossip mutation endpoints. Today any caller can push billing, account, and stats events without verification.
|
||
|
||
**Code refs:**
|
||
|
||
- `packages/tracker/meshnet_tracker/server.py` — `_handle_billing_gossip` (~2414–2427)
|
||
- `packages/tracker/meshnet_tracker/server.py` — `_handle_accounts_gossip` (~2610–2623)
|
||
- `packages/tracker/meshnet_tracker/server.py` — `_handle_stats_gossip` (~2355–2364)
|
||
- `packages/tracker/meshnet_tracker/billing.py` — `apply_events` (~301–311)
|
||
- `packages/tracker/meshnet_tracker/accounts.py` — `apply_events` (~220–226)
|
||
|
||
Implement per ADR-0017 §3 using the auth helper/config from issue 02: shared hive HMAC (body + timestamp) or mutual TLS between configured tracker peers. Reject unauthenticated gossip with 401.
|
||
|
||
**Note:** `/v1/gossip` (node throughput fan-out, `server.py` ~1331) is **not** in scope for this issue — see ADR-0017 §3 out-of-scope note.
|
||
|
||
## Test-first
|
||
|
||
1. Red: unauthenticated POST to `/v1/billing/gossip` applies a credit event today — test must fail after fix.
|
||
2. Red: authenticated peer with valid HMAC applies events; invalid/missing auth returns 401 and `applied: 0`.
|
||
3. Green: wire the issue-02 verifier/config (`--hive-secret` or peer cert paths) into the three hive mutation endpoints.
|
||
|
||
## Acceptance criteria
|
||
|
||
- [ ] `/v1/billing/gossip`, `/v1/accounts/gossip`, `/v1/stats/gossip` reject requests without valid hive auth
|
||
- [ ] Authenticated peers replicate events as today (id-dedup preserved)
|
||
- [ ] Config documented for multi-tracker dev setups
|
||
- [ ] Tests cover reject + accept paths without live network
|
||
|
||
## ADR links
|
||
|
||
- [ADR-0017](../../docs/adr/0017-tracker-authentication-and-authorization.md)
|
||
- [ADR-0016](../../docs/adr/0016-alpha-scope-and-known-limitations.md)
|
||
|
||
## Blocked by
|
||
|
||
- `02-a2-unified-auth-boundary_completed.md` — owns shared auth middleware/config. Implement in the same PR if simpler.
|