bridge: support broker agent-token auth for send path #129

Merged: benvinegar merged 2 commits into main from bentlegen/broker-agent-token-client-support on Feb 22, 2026

@benvinegar
Member

Summary

  • add broker-agent-token client support for broker mode outbound traffic
  • update broker registration flow to persist broker token fields from /api/register:
    • SLACK_BROKER_ACCESS_TOKEN
    • SLACK_BROKER_ACCESS_TOKEN_EXPIRES_AT
    • SLACK_BROKER_ACCESS_TOKEN_SCOPES
  • update slack-bridge/broker-bridge.mjs to attach Authorization: Bearer <token> automatically on broker API requests when token is configured (covers /api/send enforcement)
  • add integration coverage ensuring bridge includes bearer auth on broker send
  • update env/docs plumbing for new broker token variables (.env.schema, CONFIGURATION.md, README.md, bin/config.sh)

Why

modem-dev/baudbot-services#47 adds optional broker token enforcement on /api/send behind REQUIRE_BROKER_AGENT_TOKEN=true. Without this client update, broker-mode outbound sends fail under enforcement.

Testing

  • node --check slack-bridge/broker-bridge.mjs
  • node --check bin/broker-register.mjs
  • node --check test/broker-bridge.integration.test.mjs
  • node --test bin/broker-register.test.mjs
  • node --test slack-bridge/crypto.test.mjs
  • bash -n bin/config.sh

Comment thread slack-bridge/broker-bridge.mjs
@greptile-apps

greptile-apps Bot commented Feb 22, 2026

Greptile Summary

Adds broker agent-token authentication support for outbound broker API requests. The registration flow now extracts and persists broker access token fields (token value, expiration timestamp, and scopes) from the /api/register response. The broker bridge automatically includes bearer authorization headers on all broker API calls (/api/send, /api/inbox/pull, /api/inbox/ack) when the token is configured, enabling compatibility with brokers that enforce agent token requirements.

Key Changes:

  • Token extracted from registration response with proper array filtering for scopes
  • Bearer auth automatically added via centralized brokerFetch function
  • Token value properly marked as sensitive (defaults to sensitive without explicit annotation)
  • Secure logging only indicates whether token is configured, not the token value
  • Comprehensive test coverage including integration test verifying bearer token transmission
  • Documentation updated across configuration schema and user-facing docs

Confidence Score: 5/5

  • This PR is safe to merge with no identified issues
  • Clean implementation with proper security practices: token marked as sensitive, no token leakage in logs, comprehensive test coverage including integration tests, consistent use of centralized brokerFetch for all API calls, proper optional array handling with type filtering, and complete documentation updates
  • No files require special attention

Important Files Changed

| Filename | Overview |
| --- | --- |
| .env.schema | Added three new environment variables for broker access token, expiration, and scopes with correct sensitivity marking |
| slack-bridge/broker-bridge.mjs | Added bearer token auth to brokerFetch function, automatically includes Authorization header on all broker API calls |
| bin/broker-register.mjs | Extracts and persists broker access token fields from registration response with proper array filtering |
| test/broker-bridge.integration.test.mjs | Added integration test verifying bearer token is included in broker API requests when configured |

Sequence Diagram

sequenceDiagram
    participant Admin
    participant BrokerRegister as broker-register.mjs
    participant Broker as Broker Server
    participant EnvFile as .env
    participant Bridge as broker-bridge.mjs
    participant BrokerAPI as Broker API

    Admin->>BrokerRegister: sudo baudbot broker register
    BrokerRegister->>Broker: POST /api/register
    Note over BrokerRegister,Broker: Sends registration payload
    Broker-->>BrokerRegister: broker_access_token<br/>broker_access_token_expires_at<br/>broker_access_token_scopes
    BrokerRegister->>EnvFile: Write SLACK_BROKER_ACCESS_TOKEN<br/>SLACK_BROKER_ACCESS_TOKEN_EXPIRES_AT<br/>SLACK_BROKER_ACCESS_TOKEN_SCOPES
    
    Note over Bridge: Bridge starts with env vars loaded
    Bridge->>Bridge: Read SLACK_BROKER_ACCESS_TOKEN
    
    loop Broker API Calls
        Bridge->>BrokerAPI: POST /api/inbox/pull<br/>Authorization: Bearer {token}
        BrokerAPI-->>Bridge: Messages
        Bridge->>BrokerAPI: POST /api/send<br/>Authorization: Bearer {token}
        BrokerAPI-->>Bridge: Success
        Bridge->>BrokerAPI: POST /api/inbox/ack<br/>Authorization: Bearer {token}
        BrokerAPI-->>Bridge: Acked
    end

Last reviewed commit: d3aad0d

@benvinegar merged commit d8bbcee into main on Feb 22, 2026
9 checks passed
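
The optional bearer-auth behaviour discussed in this thread, as an added example that is not the project's `broker-bridge.mjs`. The environment variable names come from the PR; the function names, the ISO 8601 expiry format, and the fail-closed expiry and same-origin checks are assumptions added for illustration.

```javascript
// Added example; not code from the baudbot repository. Env var names come from
// the PR. Function names, the ISO 8601 expiry format and the fail-closed
// expiry/origin checks are assumptions made for illustration.
function loadBrokerAuth(env, now = Date.now()) {
  const token = (env.SLACK_BROKER_ACCESS_TOKEN || "").trim();
  if (!token) return { configured: false, expired: false, token: null };
  const expiresAt = Date.parse(env.SLACK_BROKER_ACCESS_TOKEN_EXPIRES_AT || "");
  // A missing or unparseable expiry is treated as "no known expiry".
  const expired = !Number.isNaN(expiresAt) && expiresAt <= now;
  return { configured: true, expired, token };
}

// Log-safe status line: says whether a token is set, never what it is.
function describeAuthForLog(auth) {
  if (!auth.configured) return "broker agent token: not configured";
  return `broker agent token: configured${auth.expired ? " (expired)" : ""}`;
}

// Build the request in one place so every broker call gets the same auth.
function buildBrokerRequest(brokerUrl, path, body, auth) {
  const base = new URL(brokerUrl);
  const url = new URL(path, base);
  // Refuse to send the bearer token anywhere but the configured broker origin.
  if (url.origin !== base.origin) {
    throw new Error(`refusing broker request to foreign origin ${url.origin}`);
  }
  const headers = { "Content-Type": "application/json" };
  if (auth.configured) {
    if (auth.expired) throw new Error("broker access token expired; re-register");
    headers.Authorization = `Bearer ${auth.token}`;
  }
  return { url: url.href, init: { method: "POST", headers, body: JSON.stringify(body) } };
}

// Thin network wrapper; fetchImpl is injectable so tests need no network.
async function brokerFetch(brokerUrl, path, body, auth, fetchImpl = fetch) {
  const { url, init } = buildBrokerRequest(brokerUrl, path, body, auth);
  const res = await fetchImpl(url, init);
  if (res.status === 401 || res.status === 403) {
    throw new Error(`broker rejected credentials for ${path} (HTTP ${res.status})`);
  }
  return res;
}
```

Keeping header construction in a synchronous helper lets a test assert on the exact headers without a live broker, and the origin check stops an absolute URL passed as `path` from carrying the token to another host.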