fix(server): make the proxy authoritative for login scopes#292
Open
samcm wants to merge 1 commit into
Open
Conversation
🤖 qu0b-reviewer
I've thoroughly traced the change. It is well-grounded and correct:
I found no real 🔴/🟡 bug and no genuinely useful 🟢 nit. The change is sound. Reviewed @ |
Contributor
🐼 Smoke eval —
|
| question | result | tokens | tools |
|---|---|---|---|
forky_node_coverage |
✅ | 14,294 | 3 |
tracoor_node_coverage |
✅ | 15,712 | 6 |
mainnet_block_arrival_p50 |
✅ | 15,373 | 6 |
list_datasources |
✅ | 13,452 | 3 |
block_count_24h |
✅ | 16,113 | 8 |
missed_slots_24h |
✅ | 19,093 | 12 |
chartkit_default_arrival_distribution |
✅ | 40,536 | 18 |
storage_upload_session_scoped |
✅ | 17,863 | 10 |
🔭 Langfuse traces (8 runs; ⚠️ = failed)
The report walks this branch's commits against the master baseline and the most recent release. A self-contained copy is in the run's eval-smoke-* artifact.
The server minted login tokens using proxy.auth.scopes from local config. A config generated by `panda init` before a proxy feature existed (e.g. the workflow engine, which needs the `workflows` scope to cross-grant the engine audience) never carries that scope, so every `panda auth login` produced a token missing the audience and `panda workflow *` failed with HTTP 401 — with no way out but hand-editing the config and re-logging in. The proxy already advertises the complete required scope set at /auth/metadata (the same endpoint `panda init` reads). Resolve it at login and request exactly those scopes, never the configured ones, so the local scopes field can no longer mint a token that is silently missing a scope. If the proxy cannot be reached, fail the login loudly rather than fall back and re-introduce the stale-config bug. Only the scopes come from discovery; issuer/client/resource stay as configured so the credential file keys identically. Claude-Session: https://claude.ai/code/session_01UsQeBmip7iH3J361YtnoDo
db6fd7d to
cfaa4d0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The server minted login tokens from
proxy.auth.scopesin local config. A config written bypanda initbefore a proxy feature existed never carries that feature's scope — most visibly theworkflowsscope the workflow engine needs — so everypanda auth loginproduced a token missing the audience andpanda workflow *failed with HTTP 401, with no fix but hand-editing the config, restarting the server, and re-logging in.The proxy already advertises the complete required scope set at
/auth/metadata(the same endpointpanda initreads). The credential controller now resolves it at login and requests exactly those scopes — never the configured ones — so the localscopesfield can no longer mint a token silently missing a scope. If the proxy can't be reached, the login fails loudly rather than falling back to config and re-introducing the stale-config bug. Only the scopes come from discovery; issuer, client, and resource still come from config so the credential file keys identically.https://claude.ai/code/session_01UsQeBmip7iH3J361YtnoDo