Skip to content

fix(auth): reject ambiguous primary credentials#408

Merged
jeremi merged 1 commit into
release/1.0from
codex/1.0-200-credential-ambiguity
Jul 17, 2026
Merged

fix(auth): reject ambiguous primary credentials#408
jeremi merged 1 commit into
release/1.0from
codex/1.0-200-credential-ambiguity

Conversation

@jeremi

@jeremi jeremi commented Jul 17, 2026

Copy link
Copy Markdown
Member

Summary

  • reject simultaneous Authorization and x-api-key channels from raw header presence before parsing or validating either value
  • align Relay API-key, Relay OIDC, exact consultation routes, and Notary on stable 400 auth.multiple_credentials
  • emit one redacted denial audit and stop before handler, consultation, or source dispatch
  • update Relay's closed consultation taxonomy and OpenAPI source/generated artifact

Addresses #200 and closes the candidate-neutral NP-24 implementation gap recorded by PR #403.

Security invariant

When more than one primary credential channel is present, the products must reject on presence before interpreting either credential. They must not select a preferred channel, reveal which credential was valid, disclose principal/scope/credential material, or reach downstream business/source dispatch.

Supplemental OIDC ID tokens are not primary credential channels and retain their existing semantics.

Behavior covered

  • valid Authorization plus valid API key
  • malformed or non-UTF-8 Authorization plus valid API key
  • valid bearer plus malformed or non-UTF-8 API key
  • production-valid OIDC consultation authentication on both exact routes
  • x-api-key-only under OIDC remains MissingCredential
  • ordinary single-channel API-key and bearer authentication remain unchanged
  • one generic response and exactly one redacted audit per denial

Validation

  • Relay focused auth flow 19, OIDC provider 43, consultation ambiguity/audit, taxonomy, and OpenAPI tests
  • Relay all-features: 742 library tests passed, 6 ignored, plus integrations and doctests
  • Notary raw-presence and HTTP neutrality tests
  • Notary all-features: CLI 71; server 437 passed, 6 ignored; standalone HTTP 111; all integrations
  • strict Clippy for Relay and Notary
  • both product preflights, OpenAPI checks, and security checks
  • Relay runtime configuration-schema drift check
  • locked workspace all-target/all-feature check
  • formatting and diff checks
  • independent security review, P1 correction, and exact current-base re-review: no findings
  • byte-identical rebase after feat(registryctl): add editor-ready project initialization #404, with stable patch ID, no file overlap, and focused combined-head tests passing
  • one DCO-signed commit on exact parent abedb0098773486dbaaa80a8261c187c65676e6c; Cargo.lock unchanged

Optional OpenAPI breaking-diff checks were skipped locally because no base ref was supplied; remote CI remains authoritative. Hadolint was unavailable locally.

Merge only after the full remote matrix is green on exact head 7b578408e914e912a9c91b3eba74ef4ca9961726.

Signed-off-by: Jeremi Joslin <jeremi@joslin.fr>
@jeremi
jeremi force-pushed the codex/1.0-200-credential-ambiguity branch from 0cf0423 to 7b57840 Compare July 17, 2026 13:15
@jeremi
jeremi marked this pull request as ready for review July 17, 2026 13:41
@jeremi
jeremi merged commit da3c7c7 into release/1.0 Jul 17, 2026
19 checks passed
@jeremi
jeremi deleted the codex/1.0-200-credential-ambiguity branch July 17, 2026 13:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant