Skip to content

fix(auth): warn at startup when HFS_AUTH_AUDIENCE is unset#266

Open
smunini wants to merge 1 commit into
mainfrom
fix/warn-missing-audience
Open

fix(auth): warn at startup when HFS_AUTH_AUDIENCE is unset#266
smunini wants to merge 1 commit into
mainfrom
fix/warn-missing-audience

Conversation

@smunini

@smunini smunini commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Follow-up from the security review of #229.

Auth requires an issuer at boot (main.rs, "Require issuer validation to prevent cross-service token reuse"), but audience stays optional. With HFS_AUTH_AUDIENCE unset, validate_aud is false and every token from the configured issuer is accepted — including tokens minted for a different client of the same issuer. That is the same cross-service reuse the issuer check guards against, one level finer.

Why a warning and not a hard failure

Audience must stay optional: an open demo deployment relies on accepting any token from its issuer, and requiring the variable at boot would break that. Today the absence is invisible — it appears as an unremarkable audience=None on the info-level "Authentication ENABLED" line — so an operator who simply forgot the variable in production has nothing to notice.

This logs it at WARN instead. Demo mode keeps working; the production misconfiguration gets loud.

Verified by running the binary

Config Behavior
HFS_AUTH_ENABLED=false (open demo) Boots normally, Authentication is DISABLED, no new warning
Auth on, no HFS_AUTH_AUDIENCE Still works, emits the WARN
Auth on, HFS_AUTH_AUDIENCE=hfs-api Silent, unchanged

Auth requires an issuer at boot to prevent cross-service token reuse, but
audience stays optional, and with it unset every token from that issuer is
accepted -- including tokens minted for a different client of the same issuer.
That is the same reuse the issuer check guards against, one level finer.

Audience stays optional so an open demo deployment keeps working; the absence
is now logged at WARN instead of appearing as an unremarkable `audience=None`
on the info-level "Authentication ENABLED" line, so an operator who forgot the
variable in production has something they will actually notice.
@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant