From d6184e7507275cb8875b14661aecd15fd19b65b4 Mon Sep 17 00:00:00 2001
From: Timur Gordon <31495328+timurgordon@users.noreply.github.com>
Date: Fri, 7 Nov 2025 00:38:33 +0100
Subject: [PATCH] Treat secrets as API keys - unify authentication

- Updated verify_api_key() to check secrets first (admin, user, register)
- Secrets are now treated as API keys with appropriate scopes
- All OpenRPC methods now work with secrets (register_runner, list_runners, etc.)
- Simplified auth_verify since verify_api_key handles everything
- Admin UI now fully functional with admin secret from .env
---
 core/src/openrpc.rs | 29 +----------------------------
 core/src/supervisor.rs | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 28 deletions(-)

diff --git a/core/src/openrpc.rs b/core/src/openrpc.rs
index 6ff87cc..f77177b 100644
--- a/core/src/openrpc.rs
+++ b/core/src/openrpc.rs
@@ -964,34 +964,7 @@ impl SupervisorRpcServer for Arc> {
 let key = get_current_api_key()
 .ok_or_else(|| ErrorObject::owned(-32602, "Missing Authorization header", None::<()>))?;
 
- // Check if it's an admin secret
- if supervisor.has_admin_secret(&key) {
- return Ok(crate::auth::AuthVerifyResponse {
- valid: true,
- name: "Admin Secret".to_string(),
- scope: "admin".to_string(),
- });
- }
-
- // Check if it's a user secret
- if supervisor.has_user_secret(&key) {
- return Ok(crate::auth::AuthVerifyResponse {
- valid: true,
- name: "User Secret".to_string(),
- scope: "user".to_string(),
- });
- }
-
- // Check if it's a register secret
- if supervisor.has_register_secret(&key) {
- return Ok(crate::auth::AuthVerifyResponse {
- valid: true,
- name: "Register Secret".to_string(),
- scope: "register".to_string(),
- });
- }
-
- // Check if it's an API key
+ // verify_api_key now checks secrets first, then API keys
 match supervisor.verify_api_key(&key).await {
 Some(api_key) => {
 Ok(crate::auth::AuthVerifyResponse {
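Review bot: The `scope` that `auth_verify` reports for the three secrets is no longer the literal strings "admin", "user" and "register" the removed branches returned; it now comes from the `crate::auth::ApiKeyScope` value inside the `api_key` matched on the kept `Some(api_key)` arm, and that arm's body lies below the hunk, so I cannot see how `ApiKeyScope::Registrar` is rendered. If it does not render as "register", the response for the register secret silently changes for every client that matches on the old string; a test pinning the three scope strings would settle it. The new comment also describes history rather than the contract; I would reword it to `// Secrets (admin/user/register) and stored API keys are both resolved by verify_api_key`. The enclosing method starts and ends outside this hunk.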
diff --git a/core/src/supervisor.rs b/core/src/supervisor.rs
index 14457c9..caf584c 100644
--- a/core/src/supervisor.rs
+++ b/core/src/supervisor.rs
@@ -980,7 +980,44 @@ impl Supervisor {
 }
 
 /// Verify an API key and return its metadata
+ /// Checks secrets first (admin, user, register), then stored API keys
 pub async fn verify_api_key(&self, key: &str) -> Option {
+ use chrono::Utc;
+
+ // Check if it's an admin secret
+ if self.has_admin_secret(key) {
+ return Some(crate::auth::ApiKey {
+ key: key.to_string(),
+ name: "Admin Secret".to_string(),
+ scope: crate::auth::ApiKeyScope::Admin,
+ created_at: Utc::now().to_rfc3339(),
+ expires_at: None,
+ });
+ }
+
+ // Check if it's a user secret
+ if self.has_user_secret(key) {
+ return Some(crate::auth::ApiKey {
+ key: key.to_string(),
+ name: "User Secret".to_string(),
+ scope: crate::auth::ApiKeyScope::User,
+ created_at: Utc::now().to_rfc3339(),
+ expires_at: None,
+ });
+ }
+
+ // Check if it's a register secret
+ if self.has_register_secret(key) {
+ return Some(crate::auth::ApiKey {
+ key: key.to_string(),
+ name: "Register Secret".to_string(),
+ scope: crate::auth::ApiKeyScope::Registrar,
+ created_at: Utc::now().to_rfc3339(),
+ expires_at: None,
+ });
+ }
+
+ // Fall back to stored API keys
 let store = self.api_keys.lock().await;
 store.verify_key(key).cloned()
 }