Treat secrets as API keys - unify authentication

- Updated verify_api_key() to check secrets first (admin, user, register) - Secrets are now treated as API keys with appropriate scopes - All OpenRPC methods now work with secrets (register_runner, list_runners, etc.) - Simplified auth_verify since verify_api_key handles everything - Admin UI now fully functional with admin secret from .env
2025-11-07 00:38:33 +01:00
parent 43ad9b60aa
commit d6184e7507
2 changed files with 38 additions and 28 deletions
--- a/core/src/openrpc.rs
+++ b/core/src/openrpc.rs
@@ -964,34 +964,7 @@ impl SupervisorRpcServer for Arc<Mutex<Supervisor>> {
        let key = get_current_api_key()
            .ok_or_else(|| ErrorObject::owned(-32602, "Missing Authorization header", None::<()>))?;
        
-        // Check if it's an admin secret
-        if supervisor.has_admin_secret(&key) {
-            return Ok(crate::auth::AuthVerifyResponse {
-                valid: true,
-                name: "Admin Secret".to_string(),
-                scope: "admin".to_string(),
-            });
-        }
-        
-        // Check if it's a user secret
-        if supervisor.has_user_secret(&key) {
-            return Ok(crate::auth::AuthVerifyResponse {
-                valid: true,
-                name: "User Secret".to_string(),
-                scope: "user".to_string(),
-            });
-        }
-        
-        // Check if it's a register secret
-        if supervisor.has_register_secret(&key) {
-            return Ok(crate::auth::AuthVerifyResponse {
-                valid: true,
-                name: "Register Secret".to_string(),
-                scope: "register".to_string(),
-            });
-        }
-        
-        // Check if it's an API key
+        // verify_api_key now checks secrets first, then API keys
        match supervisor.verify_api_key(&key).await {
            Some(api_key) => {
                Ok(crate::auth::AuthVerifyResponse {
--- a/core/src/supervisor.rs
+++ b/core/src/supervisor.rs
@@ -980,7 +980,44 @@ impl Supervisor {
    }

    /// Verify an API key and return its metadata
+    /// Checks secrets first (admin, user, register), then stored API keys
    pub async fn verify_api_key(&self, key: &str) -> Option<crate::auth::ApiKey> {
+        use chrono::Utc;
+        
+        // Check if it's an admin secret
+        if self.has_admin_secret(key) {
+            return Some(crate::auth::ApiKey {
+                key: key.to_string(),
+                name: "Admin Secret".to_string(),
+                scope: crate::auth::ApiKeyScope::Admin,
+                created_at: Utc::now().to_rfc3339(),
+                expires_at: None,
+            });
+        }
+        
+        // Check if it's a user secret
+        if self.has_user_secret(key) {
+            return Some(crate::auth::ApiKey {
+                key: key.to_string(),
+                name: "User Secret".to_string(),
+                scope: crate::auth::ApiKeyScope::User,
+                created_at: Utc::now().to_rfc3339(),
+                expires_at: None,
+            });
+        }
+        
+        // Check if it's a register secret
+        if self.has_register_secret(key) {
+            return Some(crate::auth::ApiKey {
+                key: key.to_string(),
+                name: "Register Secret".to_string(),
+                scope: crate::auth::ApiKeyScope::Registrar,
+                created_at: Utc::now().to_rfc3339(),
+                expires_at: None,
+            });
+        }
+        
+        // Fall back to stored API keys
        let store = self.api_keys.lock().await;
        store.verify_key(key).cloned()
    }