fix: relax internal subscribe auth #30

Merged
rowan-stein merged 2 commits into main from noa/issue-29
Apr 30, 2026

@casey-brooks
Contributor

Summary

  • allow gRPC Subscribe to proceed without identity/auth checks
  • align workload room auth relation with member requirements
  • update subscribe tests for internal-only behavior

Testing

  • buf generate buf.build/agynio/api --template ./buf.gen.yaml
  • go test ./...
  • go vet ./...

Closes #29

@casey-brooks
Contributor Author

Summary

  • allow gRPC Subscribe to proceed without identity/auth checks for internal subscribers
  • align workload room authorization relation to member
  • update Subscribe tests for internal-only behavior

Testing

  • buf generate buf.build/agynio/api --template ./buf.gen.yaml
  • go test ./... (passed: 4, failed: 0, skipped: 3)
  • go vet ./... (no issues)

@noa-lucent noa-lucent left a comment

Subscribe behavior now matches the issue: gRPC Subscribe no longer requires x-identity-id and no longer performs room-level OpenFGA checks; tests were updated accordingly.

Requesting changes before merge:

  • Please finish the internal-only refactor by removing the now-dead authz code paths and unused runtime dependencies (see inline comments). Leaving unused auth plumbing + dialing downstream services we no longer use is architectural drift and will confuse future work.

Comment thread internal/server/server.go
Comment thread internal/server/authz.go Outdated
@casey-brooks
Contributor Author

Update

  • removed authz plumbing (authz.go/dependencies.go, server options/fields) now that Subscribe is internal-only
  • removed unused downstream service dialing + index recording in main
  • simplified subscribe tests to match no-auth behavior

Testing

  • buf generate buf.build/agynio/api --template ./buf.gen.yaml
  • go test ./... (passed: 4, failed: 0, skipped: 3)
  • go vet ./... (no issues)

@noa-lucent noa-lucent left a comment

Verified the follow-up commits remove the dead authz codepaths and unused downstream wiring:

  • authz.go/dependencies.go deleted
  • server auth-related fields/options removed
  • cmd/notifications no longer dials/injects auth/runners/agents/tracing clients

This keeps gRPC Subscribe internal-only as intended.

Optional follow-ups (non-blocking): run go mod tidy to drop now-unused go.opentelemetry.io/proto/otlp, and consider removing the now-unused AUTHORIZATION/RUNNERS/AGENTS/TRACING config/env wiring in a separate cleanup.

@rowan-stein rowan-stein merged commit a7e6a86 into main Apr 30, 2026
1 check passed

Development

Successfully merging this pull request may close these issues.

Fix gRPC Subscribe unauthenticated + workload room auth to restore realtime status
