Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions .changeset/authz-2567-handlesecurity-seam.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
---
'@objectstack/runtime': patch
---

refactor(security): migrate the handleSecurity admin gate to shouldDenyAnonymous (#2567 follow-up)

The dispatcher's `/security/suggested-bindings` admin surface was the last HTTP
seam still hand-rolling the `!userId && !isSystem → 401` check. It now delegates
to the shared `shouldDenyAnonymous` decision like every other seam — with
`requireAuth: true` hardcoded, preserving its UNCONDITIONAL semantics (an admin
surface denies anonymous callers even on a `requireAuth: false` demo deployment).
The 401 body adopts the shared shape (`code: 'unauthenticated'`).

Deliberately NOT migrated: `handleNotification`'s `!userId` check — that is a
"needs a user identity" predicate (the inbox is keyed by userId; a system
context has no inbox), not an anonymous-posture decision; migrating it would
change semantics.
5 changes: 5 additions & 0 deletions packages/runtime/src/http-dispatcher.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -558,10 +558,15 @@ describe('HttpDispatcher', () => {

it('401s an anonymous request without touching the service', async () => {
const service = makeService();
// NOTE: no options — requireAuth defaults false, yet the admin
// surface still denies anonymous (the gate is UNCONDITIONAL,
// hardcoded requireAuth:true into shouldDenyAnonymous — #2567).
const d = new HttpDispatcher(secKernel(service));
const result = await d.handleSecurity('/suggested-bindings', 'GET', undefined, {}, ctx());
expect(result.handled).toBe(true);
expect(result.response?.status).toBe(401);
// Shared anonymous-deny body shape (locks the seam migration).
expect(result.response?.body?.error?.details?.code).toBe('unauthenticated');
expect(service.listAudienceBindingSuggestions).not.toHaveBeenCalled();
});

Expand Down
12 changes: 10 additions & 2 deletions packages/runtime/src/http-dispatcher.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2337,8 +2337,16 @@ export class HttpDispatcher {
}

const ec = context.executionContext;
if (!ec?.userId && !ec?.isSystem) {
return { handled: true, response: this.error('Authentication required', 401) };
// Admin surface — anonymous is denied UNCONDITIONALLY (`requireAuth:
// true` hardcoded), independent of the deployment posture: even a
// `requireAuth: false` demo must not let anonymous callers list or
// confirm audience bindings. Shares the decision + body with every
// other HTTP seam (#2567).
if (shouldDenyAnonymous({ requireAuth: true, userId: ec?.userId, isSystem: ec?.isSystem })) {
return {
handled: true,
response: this.error(ANONYMOUS_DENY_MESSAGE, ANONYMOUS_DENY_STATUS, { code: ANONYMOUS_DENY_CODE }),
};
}

const m = method.toUpperCase();
Expand Down