WB-184: auth port#7
Merged
Merged
Conversation
kacpercierzniewski
requested review from
librowski,
lukasz-jazwa,
piotrblaszczyk and
szymon-t-sc
as code owners
kacpercierzniewski
force-pushed
the
WB-184-auth-port
branch
from
f070cdf to
3431477
Compare
Introduces an AuthPort interface so consumers can plug their own auth provider into the reference backend without forking HTTP routes. Ships with AllowAllAuthPort as the permissive default (loud startup warning) and a docs guide showing a JWT-based implementation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> feat(backend): add AuthPort seam for backend
kacpercierzniewski
force-pushed
the
WB-184-auth-port
branch
from
3431477 to
0151346
Compare
The previous refactor dropped logger.info('execute requested') and
logger.warn('snapshot invalid') from the execute handler. Two effects:
ESLint flagged the `logger` import as unused, and operationally there
was no way to correlate a client execute request with the backend
executionId, or to surface invalid published snapshots in dashboards.
Restored at the same call sites as before.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…efault, route tests - Replace `Authorize` (Response | null) with `assertAuthorized` that throws `AuthDeniedError`; `app.onError` in server.ts maps to 401/403. Removes the `if (denied) return denied` footgun: a handler that calls the assertion cannot accidentally let the next line run. - Add optional `attributes` slot to per-row AuthResource kinds so future ABAC ports can receive loaded rows without a breaking change. - Flip AllowAllAuthPort polarity: require explicit `WB_AUTH_PORT=allow-all` to construct, instead of "wide everywhere except NODE_ENV=production". Default-secure now means a forgotten env var fails loudly. .env(.example) ship the variable for local dev. - Add routes/workflows.test.ts and routes/executions.test.ts pinning that every handler calls assertAuthorized with the correct action+resource, and that deny short-circuits before any DB or engine work. - ADR refresh: SSE / EventSource caveats (cookie or short-lived query token), CORS gotchas for real ports, provider-specific JWT roles claim note, throw-based decision rationale. - README: "No real authentication" first; the AllowAllAuthPort mention follows as the mechanism, not the headline. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
piotrblaszczyk
approved these changes
May 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.