feat(agent-service): add opt-in access control and per-user isolation#5275
Open
bobbai00 wants to merge 1 commit into
Conversation
Agents were reachable by anyone who could supply a (sequential, guessable)
id, GET /agents was global, and tokens were only base64-decoded, never
signature-verified.
- Verify user JWTs with HS256 against AUTH_JWT_SECRET (matches the backend
JwtAuth: required sub/exp, 30s skew) instead of decoding only.
- Bind each agent to the owning user's uid at creation; authorize every
/:id route and the WebSocket handshake; scope GET /agents to the caller.
- Replace the enumerable agent-${counter} ids with random UUIDs.
- Enforcement is opt-in via AGENT_AUTH_REQUIRED (default off), so existing
deployments are unaffected until enabled; the frontend now sends the token
(Authorization header for HTTP, access-token query param for the WS).
Closes apache#5268
Codecov Report
❌ Patch coverage is

@@            Coverage Diff            @@
##              main    #5275   +/-   ##
============================================
+ Coverage    49.01%   49.25%   +0.23%
  Complexity    2378     2378
============================================
  Files         1050     1051       +1
  Lines        40336    40465     +129
  Branches      4277     4279       +2
============================================
+ Hits         19772    19932     +160
+ Misses       19407    19377      -30
+ Partials      1157     1156       -1
What changes were proposed in this PR?
The agent service had no real access control: any caller who supplied an agent id could read or drive any agent, ids were sequential (agent-${counter}), GET /agents returned everyone's agents, and user tokens were only base64-decoded — never signature-verified.

This PR introduces access control, opt-in via AGENT_AUTH_REQUIRED (default false) so existing deployments are unchanged until it is switched on.

Backend (agent-service):
- auth-api.ts: real HS256 signature verification against AUTH_JWT_SECRET, matching the backend JwtAuth (requires sub + exp, 30s clock skew, constant-time compare). Adds verifyToken, getUidFromToken, isAuthRequired.
- server.ts: each agent is bound to its owner's uid at creation; a single onBeforeHandle guard authorizes every /:id route, the WebSocket handshake is authorized in open, and GET /agents is scoped to the caller. Agent ids are now random UUIDs. When enforcement is on, creation requires a valid token. Missing/invalid token → 401; wrong owner → 403.

Frontend:
- agent.service.ts now sends the user token on every agent request (Authorization: Bearer …) and on the WebSocket via the access-token query parameter (browsers can't set WS headers), mirroring the existing workflow-websocket.service.ts idiom. These are inert while enforcement is off.

Before: any caller + agent id -> full read/control of any agent
After: AGENT_AUTH_REQUIRED -> verified token, owner-scoped access, UUID ids

Any related issues, documentation, discussions?
Closes #5268
How was this PR tested?
Agent service (unit tests, type, format):
The new tests cover signature verification (valid / wrong-secret / expired / missing-sub / non-HS256), permissive vs enforced validateToken, UUID id format + uniqueness, owner-can-read, non-owner→403, missing-token→401, guarded control route, and scoped listing.

Frontend:
eslint and prettier --check pass on the changed file. The change is small and mirrors an existing idiom; the full Angular build was not run locally, and the change is inert unless AGENT_AUTH_REQUIRED is enabled.

Was this PR authored or co-authored using generative AI tooling?
Generated-by: Claude Opus 4.8 (1M context)
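As an added example (not code from this PR or from the agent service it modifies), the TypeScript below sketches the two mechanisms the description relies on: HS256 verification with the checks listed above (algorithm pinned to HS256, constant-time signature compare, required sub and exp, 30s clock skew) and owner-scoped authorization for the /:id routes, the WebSocket handshake and GET /agents. The names verifyToken and extractToken, the AgentRegistry class, the mintToken helper used to construct sample tokens, the injectable clock parameter, the 404 for an unknown agent id and the "anonymous" owner in permissive mode are all this example's own choices; the real signatures in auth-api.ts and server.ts may differ.

```typescript
// Added example, not the project's code: HS256 verification with the PR's
// listed checks, plus owner-scoped authorization for agent routes.
import { createHmac, timingSafeEqual, randomUUID } from "node:crypto";

const CLOCK_SKEW_SECONDS = 30; // same tolerance the PR describes for JwtAuth

type Claims = { sub: string; exp: number };
type Agent = { id: string; ownerUid: string };

// Decodes one base64url JWT segment into a JSON object, or null if it is not one.
function parseSegment(seg: string): Record<string, unknown> | null {
  try {
    const v = JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
    return v !== null && typeof v === "object" && !Array.isArray(v) ? v : null;
  } catch {
    return null;
  }
}

// Constructed helper for this example: mints a token the way a backend would.
// `alg` is a parameter only so the test can forge a non-HS256 header.
function mintToken(payload: object, secret: string, alg = "HS256"): string {
  const h = Buffer.from(JSON.stringify({ alg, typ: "JWT" })).toString("base64url");
  const p = Buffer.from(JSON.stringify(payload)).toString("base64url");
  const sig = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  return `${h}.${p}.${sig.toString("base64url")}`;
}

// Verifies a user token. `nowSeconds` is injectable so expiry is testable.
// Returns the claims on success, null on any failure (the caller maps that to 401).
function verifyToken(token: string, secret: string, nowSeconds = Math.floor(Date.now() / 1000)): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;
  const header = parseSegment(h);
  const claims = parseSegment(p);
  if (!header || !claims) return null;
  // Pin the algorithm: the token must never choose it ("none", key confusion).
  if (header.alg !== "HS256") return null;
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const { sub, exp } = claims;
  if (typeof sub !== "string" || sub.length === 0) return null;
  if (typeof exp !== "number" || !Number.isFinite(exp)) return null;
  if (exp + CLOCK_SKEW_SECONDS <= nowSeconds) return null; // expired beyond skew
  return { sub, exp };
}

// Token sources the PR names: Authorization header for HTTP, access-token
// query parameter for the WebSocket (browsers cannot set WS headers).
function extractToken(authorization?: string, accessTokenParam?: string): string | undefined {
  if (authorization && authorization.startsWith("Bearer ")) return authorization.slice("Bearer ".length);
  return accessTokenParam;
}

// Minimal in-memory stand-in for the agent store; HTTP/WS route wiring is omitted.
class AgentRegistry {
  private readonly agents = new Map<string, Agent>();
  private readonly secret: string;
  private readonly authRequired: boolean; // stands in for AGENT_AUTH_REQUIRED
  constructor(secret: string, authRequired: boolean) {
    this.secret = secret;
    this.authRequired = authRequired;
  }
  // Creation binds the agent to the caller's uid; enforced mode needs a valid token.
  // "anonymous" as the permissive-mode owner is this example's choice.
  createAgent(token?: string, now?: number): { status: 201 | 401; agent?: Agent } {
    const uid = this.uidFrom(token, now);
    if (this.authRequired && uid === null) return { status: 401 };
    const agent: Agent = { id: randomUUID(), ownerUid: uid ?? "anonymous" };
    this.agents.set(agent.id, agent);
    return { status: 201, agent };
  }
  // Guard for every /:id route and the WS handshake. 404 for an unknown id is
  // this example's choice; the PR only specifies 401 and 403.
  authorize(agentId: string, token?: string, now?: number): 200 | 401 | 403 | 404 {
    const agent = this.agents.get(agentId);
    if (!agent) return 404;
    if (!this.authRequired) return 200;
    const uid = this.uidFrom(token, now);
    if (uid === null) return 401;
    return uid === agent.ownerUid ? 200 : 403;
  }
  // GET /agents: only the caller's agents once enforcement is on.
  listAgents(token?: string, now?: number): Agent[] {
    const all = Array.from(this.agents.values());
    if (!this.authRequired) return all;
    const uid = this.uidFrom(token, now);
    return uid === null ? [] : all.filter((a) => a.ownerUid === uid);
  }
  private uidFrom(token?: string, now?: number): string | null {
    if (!token) return null;
    return verifyToken(token, this.secret, now)?.sub ?? null;
  }
}
```

The order of checks is the point: the algorithm is pinned before any signature work so a header carrying alg: none or a different algorithm cannot steer verification, lengths are compared before timingSafeEqual because that call throws on unequal buffers, and the skew is applied only to exp (a token is accepted up to 30s past its expiry, never earlier than its own claims allow). Everything above the registry is inert in permissive mode exactly as the PR describes: authorize and listAgents short-circuit before touching the token.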