feat(T-AUTH-1): disable_password_auth config knob (additive)#22
Merged
Conversation
Per gocodealone-multisite SPEC.md C13/V17/T-AUTH-1.
Hosts that want passwordless-only posture set:
modules:
- name: auth
type: auth.credential
config:
disable_password_auth: true
When set on ANY registered credential module, the two password steps
(step.auth_password_hash + step.auth_password_verify) short-circuit
with {"error": "auth: password authentication disabled by host config",
"disabled": true} instead of hashing/verifying.
Backwards-compatible:
- Default false → existing behaviour unchanged.
- bcrypt + password code paths preserved; only gated.
- All 13 existing password tests continue passing.
Multi-host caveat: if multiple credentialModules share a process, ANY
one with disable=true gates passwords for the whole process. Mixed
posture requires separate plugin processes.
5 new tests cover: disable short-circuits both steps, default
remains enabled, config parse for bool/string variants, ANY-module
flag semantics.
Closes T-AUTH-1 (additive variant per scope correction). Companion
work T-AUTH-2 through T-AUTH-11 tracked at #21.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Per gocodealone-multisite SPEC.md V17 / T-AUTH-1 (scope-corrected: additive not destructive).
Adds
disable_password_auth: trueto auth.credential module config. When set on any registered module, step.auth_password_hash + step.auth_password_verify short-circuit with disabled=true. Default false → backwards-compatible.5 new tests pass. Closes part of #21.