Skip to content

fix(api-server): register pre-auth interceptors when only GRPC_SERVICE_ACCOUNT is set#1455

Merged
mergify[bot] merged 1 commit intomainfrom
fix/bearer-token-init-guard
Apr 24, 2026
Merged

fix(api-server): register pre-auth interceptors when only GRPC_SERVICE_ACCOUNT is set#1455
mergify[bot] merged 1 commit intomainfrom
fix/bearer-token-init-guard

Conversation

@markturansky
Copy link
Copy Markdown
Contributor

@markturansky markturansky commented Apr 24, 2026
edited by coderabbitai Bot
Loading

Summary

Bug in #1452: the init() guard requires AMBIENT_API_TOKEN to be non-empty before registering gRPC pre-auth interceptors. On Stage, only GRPC_SERVICE_ACCOUNT is set — AMBIENT_API_TOKEN is not in the api-server env vars — so interceptors are never registered and the OIDC service caller logic is dead code.

Evidence

Stage api-server env vars (no AMBIENT_API_TOKEN):

AMBIENT_ENV: production
GRPC_SERVICE_ACCOUNT: {secretKeyRef: {key: clientId, name: ambient-api-server}}

Stage api-server startup logs — no bearer token init messages, confirming early return:

I0423 23:54:22.927314  Enabling JWT authentication middleware
# no "Service token auth enabled" or "OIDC service account" line

Runner pods still getting PERMISSION_DENIED on WatchSessionMessages because the interceptor that would set CallerTypeService was never registered.

Fix

Change init() guard from if token == "" to if token == "" && serviceAccount == "" — register interceptors when either env var is set.

Test plan

  • After merge + deploy, verify api-server logs show OIDC service account username: ocm-ams-service
  • Create session, tail runner logs — no PERMISSION_DENIED on WatchSessionMessages

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Updated gRPC authentication middleware initialization to support multiple authentication configuration options simultaneously. Bearer token interceptors are now enabled based on the presence of either authentication method, providing greater flexibility in authentication setup.

@claude
fix(api-server): register pre-auth interceptors when only GRPC_SERVIC…
0fca23c 
…E_ACCOUNT is set

The init() guard from #1452 required AMBIENT_API_TOKEN to be non-empty
before registering gRPC pre-auth interceptors. On Stage, only
GRPC_SERVICE_ACCOUNT is set (no AMBIENT_API_TOKEN), so the interceptors
were never registered and the OIDC service caller logic was dead code.

Evidence from Stage api-server startup logs — no bearer token init
messages appear, confirming early return at line 27-29:

  I0423 23:54:22.927314 Enabling JWT authentication middleware
  (no "Service token auth enabled" or "OIDC service account" log)

Fix: register interceptors when either env var is set.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@netlify
Copy link
Copy Markdown

netlify Bot commented Apr 24, 2026
edited
Loading

Deploy Preview for cheerful-kitten-f556a0 canceled.

Name Link
🔨 Latest commit 0fca23c
🔍 Latest deploy log https://app.netlify.com/projects/cheerful-kitten-f556a0/deploys/69eabe4a5c49910008db88b8

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented Apr 24, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: a533a7b2-d0d9-4194-a23d-fc54c6804fad

📥 Commits

Reviewing files that changed from the base of the PR and between 85af3da and 0fca23c.

📒 Files selected for processing (1)
  • components/ambient-api-server/pkg/middleware/bearer_token.go
📝 Walkthrough

Walkthrough

Updated bearer-token gRPC interceptor registration logic in the middleware initialization to consider both AMBIENT_API_TOKEN and GRPC_SERVICE_ACCOUNT environment variables when determining whether authentication is enabled, and adjusted logging messages accordingly.

Changes

Cohort / File(s) Summary
Bearer Token Middleware Configuration
components/ambient-api-server/pkg/middleware/bearer_token.go		 Modified init() to read GRPC_SERVICE_ACCOUNT upfront and changed the enable/disable condition: interceptors are now registered unless both env vars are unset. Updated logging to report both variables when auth is disabled and to emit gRPC-only messages conditionally.
🚥 Pre-merge checks | ✅ 7 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (7 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Title follows Conventional Commits format (fix(api-server): ...) and accurately describes the main fix: changing the guard logic to register interceptors when only GRPC_SERVICE_ACCOUNT is set.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Performance And Algorithmic Complexity ✅ Passed Guard modification (token == "" to token == "" && serviceAccount == "") introduces no algorithmic or performance regressions; constant-time interceptor operations unchanged.
Security And Secret Handling ✅ Passed Bearer token initialization is secure with constant-time comparison, no token exposure in logs or errors, and proper authorization enforcement.
Kubernetes Resource Safety ✅ Passed Kubernetes Resource Safety check is not applicable; PR contains only Go middleware code changes without Kubernetes resource manifest modifications.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/bearer-token-init-guard
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch fix/bearer-token-init-guard

Comment @coderabbitai help to get the list of available commands and usage tips.

@mergify mergify Bot added the queued label Apr 24, 2026
@mergify
Copy link
Copy Markdown
Contributor

mergify Bot commented Apr 24, 2026
edited
Loading

Merge Queue Status

  • Entered queue2026-04-24 01:00 UTC · Rule: default
  • Checks skipped · PR is already up-to-date
  • Merged2026-04-24 01:00 UTC · at 0fca23ca2573d2cfe4a4284b2bb8d0c9a950eaf5 · squash

This pull request spent 12 seconds in the queue, including 2 seconds running CI.

Required conditions to merge

@mergify mergify Bot merged commit 44893b9 into main Apr 24, 2026
57 checks passed
@mergify mergify Bot deleted the fix/bearer-token-init-guard branch April 24, 2026 01:00
@mergify mergify Bot removed the queued label Apr 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@markturansky