diff --git a/core/src/openrpc.rs b/core/src/openrpc.rs
index 6ff87cc..f77177b 100644
--- a/core/src/openrpc.rs
+++ b/core/src/openrpc.rs
@@ -964,34 +964,7 @@ impl SupervisorRpcServer for Arc> {
 let key = get_current_api_key()
 .ok_or_else(|| ErrorObject::owned(-32602, "Missing Authorization header", None::<()>))?;
- // Check if it's an admin secret
- if supervisor.has_admin_secret(&key) {
- return Ok(crate::auth::AuthVerifyResponse {
- valid: true,
- name: "Admin Secret".to_string(),
- scope: "admin".to_string(),
- });
- }
-
- // Check if it's a user secret
- if supervisor.has_user_secret(&key) {
- return Ok(crate::auth::AuthVerifyResponse {
- valid: true,
- name: "User Secret".to_string(),
- scope: "user".to_string(),
- });
- }
-
- // Check if it's a register secret
- if supervisor.has_register_secret(&key) {
- return Ok(crate::auth::AuthVerifyResponse {
- valid: true,
- name: "Register Secret".to_string(),
- scope: "register".to_string(),
- });
- }
-
- // Check if it's an API key
+ // verify_api_key now checks secrets first, then API keys
 match supervisor.verify_api_key(&key).await {
 Some(api_key) => {
 Ok(crate::auth::AuthVerifyResponse {
diff --git a/core/src/supervisor.rs b/core/src/supervisor.rs
index 14457c9..caf584c 100644
--- a/core/src/supervisor.rs
+++ b/core/src/supervisor.rs
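Review bot: The `scope` string reported for a register secret may silently change with this hunk: the removed branch returned the literal `"register"`, while the surviving `match` now takes its scope from `api_key.scope`, which the supervisor side fills with `ApiKeyScope::Registrar`; unless the `Some(api_key)` arm (it continues past the end of the hunk) maps that variant back to `"register"`, clients that compare the scope string will break, and the same question applies to `"admin"` and `"user"`. A test that calls auth/verify with each of the three static secrets and pins the returned `name` and `scope` strings would make the refactor safe to land. The added comment `// verify_api_key now checks secrets first, then API keys` describes the callee and will rot when that ordering changes; prefer `// Static admin/user/register secrets are resolved by Supervisor::verify_api_key` or drop it, since the `match` reads fine on its own.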
@@ -980,7 +980,44 @@ impl Supervisor {
 }
 /// Verify an API key and return its metadata
+ /// Checks secrets first (admin, user, register), then stored API keys
 pub async fn verify_api_key(&self, key: &str) -> Option {
+ use chrono::Utc;
+
+ // Check if it's an admin secret
+ if self.has_admin_secret(key) {
+ return Some(crate::auth::ApiKey {
+ key: key.to_string(),
+ name: "Admin Secret".to_string(),
+ scope: crate::auth::ApiKeyScope::Admin,
+ created_at: Utc::now().to_rfc3339(),
+ expires_at: None,
+ });
+ }
+
+ // Check if it's a user secret
+ if self.has_user_secret(key) {
+ return Some(crate::auth::ApiKey {
+ key: key.to_string(),
+ name: "User Secret".to_string(),
+ scope: crate::auth::ApiKeyScope::User,
+ created_at: Utc::now().to_rfc3339(),
+ expires_at: None,
+ });
+ }
+
+ // Check if it's a register secret
+ if self.has_register_secret(key) {
+ return Some(crate::auth::ApiKey {
+ key: key.to_string(),
+ name: "Register Secret".to_string(),
+ scope: crate::auth::ApiKeyScope::Registrar,
+ created_at: Utc::now().to_rfc3339(),
+ expires_at: None,
+ });
+ }
+
+ // Fall back to stored API keys
 let store = self.api_keys.lock().await;
 store.verify_key(key).cloned()
 }
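Review bot: Each of the three added branches does `key: key.to_string()`, copying the long-lived static admin/user/register secret into an `ApiKey` value that until now only carried per-user keys; if `ApiKey` is serialized into the auth/verify response or printed via `Debug` in any log line (neither is visible in this hunk), the configured secret ends up in client output or logs, and the synthetic `created_at: Utc::now()` changes on every lookup, which will mislead anything that audits key age. Moving the checks into `verify_api_key` also widens where the static secrets are honoured: every existing caller of this method now accepts them as credentials with `Admin`, `User` or `Registrar` scope, not just the auth/verify RPC — confirm that is intended for the general request-authentication path. If `has_admin_secret` and friends compare with plain `==` (their bodies are outside the hunk), that non-constant-time comparison now runs on every key lookup, so `subtle::ConstantTimeEq` or equivalent is worth checking there too. The three blocks differ only in the display name and scope; a small helper removes the duplication and gives one place to document that the metadata is synthetic, as sketched below (the enclosing `impl Supervisor` continues outside the hunk).
```rust
    /// Synthetic metadata for one of the static (admin/user/register) secrets.
    /// `created_at` is the lookup time, not a real creation time, and
    /// `expires_at` is `None` because these secrets are not issued keys.
    /// NOTE(review): `key` echoes the raw secret — confirm it is never
    /// serialized or logged by callers.
    fn static_secret_key(key: &str, name: &str, scope: crate::auth::ApiKeyScope) -> crate::auth::ApiKey {
        crate::auth::ApiKey {
            key: key.to_string(),
            name: name.to_string(),
            scope,
            created_at: chrono::Utc::now().to_rfc3339(),
            expires_at: None,
        }
    }

    /// Verify an API key and return its metadata
    /// Checks secrets first (admin, user, register), then stored API keys
    pub async fn verify_api_key(&self, key: &str) -> Option<crate::auth::ApiKey> {
        if self.has_admin_secret(key) {
            return Some(Self::static_secret_key(key, "Admin Secret", crate::auth::ApiKeyScope::Admin));
        }
        if self.has_user_secret(key) {
            return Some(Self::static_secret_key(key, "User Secret", crate::auth::ApiKeyScope::User));
        }
        if self.has_register_secret(key) {
            return Some(Self::static_secret_key(key, "Register Secret", crate::auth::ApiKeyScope::Registrar));
        }
        // … unchanged: fall back to stored API keys …
    }
```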