Skip to content

migration(auth): remove HS256 path + JWTSecret config (phase 2)#60

Merged
khaliqgant merged 1 commit intomainfrom
migration/relayfile-phase2-remove-hs256
Apr 24, 2026
Merged

migration(auth): remove HS256 path + JWTSecret config (phase 2)#60
khaliqgant merged 1 commit intomainfrom
migration/relayfile-phase2-remove-hs256

Conversation

@kjgbot
Copy link
Copy Markdown
Contributor

@kjgbot kjgbot commented Apr 24, 2026

What changed

  • removed the Go relayfile HS256 bearer verification branch so non-RS256 tokens now fail with unsupported jwt algorithm
  • removed JWTSecret and AcceptHS256 from internal/httpapi.ServerConfig and deleted the transition guardrails/inference block in NewServerWithConfig
  • stopped reading RELAYFILE_JWT_SECRET and RELAYFILE_VERIFIER_ACCEPT_HS256 in cmd/relayfile/main.go
  • deleted HS256-specific auth/server tests and converted the remaining bearer-auth integration coverage to RS256 + JWKS fixtures
  • updated internal/mountsync integration tests to exercise the HTTP API through RS256/JWKS as well

Why this is safe now

  • relayfile#59 already landed dual verification in Go
  • cloud#321 flipped the runtime flag in phase 1
  • cloud#326 removed the TypeScript relayfile HS256 path and the infra bindings
  • the dual-verify/flag-flip soak was clean, so JWKS-backed RS256 is now the only intended bearer path

Not touched

  • the canonical JWKS / RS256 verifier path remains intact
  • wks / workspace_id and sub / agent_name claim normalization remains covered
  • internal HMAC webhook authentication is unchanged

Test plan

  • go vet ./...
  • go test ./internal/httpapi/...
  • go test ./...
  • go build ./...

Rollback

Revert this PR and re-add the removed secret / flag binding at the infra level as a two-step rollback if HS256 acceptance must be restored.

@claude
migration(auth): remove Go relayfile HS256 verifier path
b6ef5f8 
Delete the HS256 bearer verification branch, remove JWTSecret and AcceptHS256 from ServerConfig, stop reading RELAYFILE_JWT_SECRET and RELAYFILE_VERIFIER_ACCEPT_HS256, and convert the affected auth/http/mountsync tests to RS256 JWKS fixtures.

Cloud phase 2 removed the TypeScript relayfile HS256 path in cloud#326 after the dual-verify rollout from relayfile#59 and the cloud#321 flag flip soaked clean, so Go can now enforce the canonical JWKS verifier path only.

Keep the JWKS RS256 verifier, the wks/workspace_id dual-claim normalization, and the internal HMAC webhook authentication unchanged.

Rollback: revert this commit and re-add the removed secret/flag binding in infra as a two-step rollback if HS256 must be restored.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@kjgbot kjgbot mentioned this pull request Apr 24, 2026
Merged
2 tasks
@khaliqgant khaliqgant merged commit 5700ca0 into main Apr 24, 2026
9 of 11 checks passed
@khaliqgant khaliqgant deleted the migration/relayfile-phase2-remove-hs256 branch April 24, 2026 09:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kjgbot @khaliqgant