Skip to content

fix(server): make the proxy authoritative for login scopes#292

Open
samcm wants to merge 1 commit into
masterfrom
fix/login-scope-discovery
Open

fix(server): make the proxy authoritative for login scopes#292
samcm wants to merge 1 commit into
masterfrom
fix/login-scope-discovery

Conversation

@samcm

@samcm samcm commented Jul 8, 2026

Copy link
Copy Markdown
Member

The server minted login tokens from proxy.auth.scopes in local config. A config written by panda init before a proxy feature existed never carries that feature's scope — most visibly the workflows scope the workflow engine needs — so every panda auth login produced a token missing the audience and panda workflow * failed with HTTP 401, with no fix but hand-editing the config, restarting the server, and re-logging in.

The proxy already advertises the complete required scope set at /auth/metadata (the same endpoint panda init reads). The credential controller now resolves it at login and requests exactly those scopes — never the configured ones — so the local scopes field can no longer mint a token silently missing a scope. If the proxy can't be reached, the login fails loudly rather than falling back to config and re-introducing the stale-config bug. Only the scopes come from discovery; issuer, client, and resource still come from config so the credential file keys identically.

https://claude.ai/code/session_01UsQeBmip7iH3J361YtnoDo

@qu0b-reviewer

qu0b-reviewer Bot commented Jul 8, 2026

Copy link
Copy Markdown

🤖 qu0b-reviewer

http.DefaultClient is used elsewhere in the repo (networks.go, upgrade.go, networkspec), so it is consistent with repo patterns. No divergence.

I've thoroughly traced the change. It is well-grounded and correct:

  • Scope discovery targets the configured proxy's /auth/metadata.
  • target is a value copy (no shared c.target mutation).
  • Discovery failures fail loudly (intended, per PR rationale).
  • Empty scopes handled correctly (client defaults).
  • Resource lifecycle (cancel, resp.Body.Close) correct.
  • Uses http.DefaultClient consistent with repo.
  • All call sites updated.

I found no real 🔴/🟡 bug and no genuinely useful 🟢 nit. The change is sound.


Reviewed @ cfaa4d00
"A camel is a horse designed by committee."

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🐼 Smoke eval — cfaa4d0: ✅ 8/8 pass

📊 Interactive report — tokens p50 15,912 · tokens/solve 19,054.

Reference points: v0.37.0 100% · master@cfe9bbd 100% · fix/login-scope-discovery@db6fd7d 100%.

question result tokens tools
forky_node_coverage 14,294 3
tracoor_node_coverage 15,712 6
mainnet_block_arrival_p50 15,373 6
list_datasources 13,452 3
block_count_24h 16,113 8
missed_slots_24h 19,093 12
chartkit_default_arrival_distribution 40,536 18
storage_upload_session_scoped 17,863 10
🔭 Langfuse traces (8 runs; ⚠️ = failed)

The report walks this branch's commits against the master baseline and the most recent release. A self-contained copy is in the run's eval-smoke-* artifact.

The server minted login tokens using proxy.auth.scopes from local config. A
config generated by `panda init` before a proxy feature existed (e.g. the
workflow engine, which needs the `workflows` scope to cross-grant the engine
audience) never carries that scope, so every `panda auth login` produced a token
missing the audience and `panda workflow *` failed with HTTP 401 — with no way
out but hand-editing the config and re-logging in.

The proxy already advertises the complete required scope set at /auth/metadata
(the same endpoint `panda init` reads). Resolve it at login and request exactly
those scopes, never the configured ones, so the local scopes field can no longer
mint a token that is silently missing a scope. If the proxy cannot be reached,
fail the login loudly rather than fall back and re-introduce the stale-config
bug. Only the scopes come from discovery; issuer/client/resource stay as
configured so the credential file keys identically.

Claude-Session: https://claude.ai/code/session_01UsQeBmip7iH3J361YtnoDo
@samcm samcm force-pushed the fix/login-scope-discovery branch from db6fd7d to cfaa4d0 Compare July 8, 2026 08:20
@samcm samcm changed the title fix(server): discover proxy login scopes at login so stale configs self-heal fix(server): make the proxy authoritative for login scopes Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant