Treat secrets as API keys - unify authentication

- Updated verify_api_key() to check secrets first (admin, user, register) - Secrets are now treated as API keys with appropriate scopes - All OpenRPC methods now work with secrets (register_runner, list_runners, etc.) - Simplified auth_verify since verify_api_key handles everything - Admin UI now fully functional with admin secret from .env
2025-11-07 00:38:33 +01:00
parent 43ad9b60aa
commit d6184e7507
2 changed files with 38 additions and 28 deletions
--- a/core/src/openrpc.rs
+++ b/core/src/openrpc.rs
@@ -964,34 +964,7 @@ impl SupervisorRpcServer for Arc<Mutex<Supervisor>> {
        let key = get_current_api_key()
            .ok_or_else(|| ErrorObject::owned(-32602, "Missing Authorization header", None::<()>))?;
        
-        // Check if it's an admin secret
-        if supervisor.has_admin_secret(&key) {
-            return Ok(crate::auth::AuthVerifyResponse {
-                valid: true,
-                name: "Admin Secret".to_string(),
-                scope: "admin".to_string(),
-            });
-        }
-        
-        // Check if it's a user secret
-        if supervisor.has_user_secret(&key) {
-            return Ok(crate::auth::AuthVerifyResponse {
-                valid: true,
-                name: "User Secret".to_string(),
-                scope: "user".to_string(),
-            });
-        }
-        
-        // Check if it's a register secret
-        if supervisor.has_register_secret(&key) {
-            return Ok(crate::auth::AuthVerifyResponse {
-                valid: true,
-                name: "Register Secret".to_string(),
-                scope: "register".to_string(),
-            });
-        }
-        
-        // Check if it's an API key
+        // verify_api_key now checks secrets first, then API keys
        match supervisor.verify_api_key(&key).await {
            Some(api_key) => {
                Ok(crate::auth::AuthVerifyResponse {