Skip to content

auth: a non-admin role should be able to use transport::http (and streamkit::http_*) nodes #632

Description

@streamer45

Context

While building examples/web-capture (#631) — and as already true for examples/speech-gateway — both gateways are forced to use an admin-role token, even though they're trusted intermediaries that build a small set of fixed pipelines.

The reason: the built-in user role's allowed_nodes (see apps/skit/src/permissions.rs, Permissions::user) includes transport::moq::* but not transport::http::*, and excludes streamkit::* entirely. So a pipeline that uses transport::http::mse (live cast) or streamkit::http_input/streamkit::http_output (oneshot) is rejected for any non-admin role.

Problem

There's no least-privilege path for an HTTP-transport gateway. Using admin grants far more than needed (load/delete plugins, access all sessions, all nodes/plugins/assets), which is the wrong default for a token that's written to an env file on a public-facing box.

Proposal (one or both)

  • Broaden the default user role to allow the sink/IO HTTP nodes that aren't SSRF vectors — transport::http::mse, streamkit::http_input, streamkit::http_output — while keeping any HTTP fetcher node denied (the existing reason transport::http::* was excluded). The distinction is fetch-from-arbitrary-URL (risky) vs. serve/receive over the request the client already made (safe).
  • And/or make a least-privilege custom role for gateways easy to express + document (e.g. a gateway example role in the default config / docs).

Acceptance

A gateway like web-capture can run with a non-admin token that may create/destroy sessions and use plugin::native::servo + transport::http::mse (and the oneshot streamkit::http_* nodes) — without admin.

Refs: apps/skit/src/permissions.rs (user() allowed_nodes), examples/web-capture, examples/speech-gateway, #631.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions