From 43ad9b60aa586c92e78833bd7385b1ba7ae400d7 Mon Sep 17 00:00:00 2001
From: Timur Gordon <31495328+timurgordon@users.noreply.github.com>
Date: Fri, 7 Nov 2025 00:33:09 +0100
Subject: [PATCH] Fix auth_verify to accept admin/user/register secrets directly

- Check secrets (admin_secrets, user_secrets, register_secrets) before API keys
- Allow UI to authenticate with the secrets provided in .env
- Secrets now work as expected for authentication
- API keys still supported as fallback for backward compatibility
---
 core/src/openrpc.rs | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/core/src/openrpc.rs b/core/src/openrpc.rs
index e389a52..6ff87cc 100644
--- a/core/src/openrpc.rs
+++ b/core/src/openrpc.rs
@@ -964,6 +964,34 @@ impl SupervisorRpcServer for Arc> {
 let key = get_current_api_key()
 .ok_or_else(|| ErrorObject::owned(-32602, "Missing Authorization header", None::<()>))?;
 
+ // Check if it's an admin secret
+ if supervisor.has_admin_secret(&key) {
+ return Ok(crate::auth::AuthVerifyResponse {
+ valid: true,
+ name: "Admin Secret".to_string(),
+ scope: "admin".to_string(),
+ });
+ }
+
+ // Check if it's a user secret
+ if supervisor.has_user_secret(&key) {
+ return Ok(crate::auth::AuthVerifyResponse {
+ valid: true,
+ name: "User Secret".to_string(),
+ scope: "user".to_string(),
+ });
+ }
+
+ // Check if it's a register secret
+ if supervisor.has_register_secret(&key) {
+ return Ok(crate::auth::AuthVerifyResponse {
+ valid: true,
+ name: "Register Secret".to_string(),
+ scope: "register".to_string(),
+ });
+ }
+
+ // Check if it's an API key
 match supervisor.verify_api_key(&key).await {
 Some(api_key) => {
 Ok(crate::auth::AuthVerifyResponse {
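Review bot: The three new early returns make the static `.env` secrets valid bearer credentials, but the hunk does not show how `has_admin_secret`, `has_user_secret` and `has_register_secret` compare the presented value, or whether failed attempts are logged or throttled. If those helpers use `==` or a `contains` over the configured list, the comparison is not constant-time, so I would confirm that before merging. Every holder of a secret is also reported under the same fixed name (`"Admin Secret"` and so on), which means audit records cannot tell callers apart and a leaked secret has no expiry or per-caller revocation. A comment above the first check would record that trade-off, for example `// Shared config secrets: no per-caller identity or expiry; API keys remain the preferred credential.`. The method body starts and ends outside the hunk, so any handling after the `match` is not visible here.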