fix(serve): allow disabling client auth with empty public keys#656
Open
overcat wants to merge 1 commit into
Open
fix(serve): allow disabling client auth with empty public keys#656overcat wants to merge 1 commit into
overcat wants to merge 1 commit into
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR makes the serve command honor the documented “no client auth” mode by allowing request authentication to be disabled when CLIENT_AUTH_PUBLIC_KEYS is unset/empty, avoiding a startup panic. It does so by centralizing verifier construction and skipping the auth middleware when no keys are configured.
Changes:
- Extracts request-auth verifier construction into
buildRequestAuthVerifier()and returnsnilwhen no public keys are configured. - Updates the HTTP router wiring to conditionally apply the authentication middleware only when a verifier is present.
- Adds unit tests for verifier construction behavior (disabled, enabled, invalid key) and documents the behavior in the README.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| README.md | Documents that empty/unset CLIENT_AUTH_PUBLIC_KEYS disables request authentication. |
| internal/serve/serve.go | Builds request auth verifier conditionally and skips auth middleware when unconfigured, preventing startup panic. |
| internal/serve/serve_test.go | Adds tests covering verifier construction for empty keys, valid keys, and invalid keys. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
When
CLIENT_AUTH_PUBLIC_KEYSis not set or empty,servenow starts with request authentication disabled (with a startup warning) instead of panicking. The verifier construction is extracted intobuildRequestAuthVerifier(), which returns nil when no keys are configured sohandler()skips the auth middleware.Why
The flag help, the config parser, and the router all advertise that an empty key list disables authentication, but
initHandlerDepsunconditionally instantiated the JWT token parser, which rejects an empty key list, so the server crashed at startup and the documented no-auth mode was unreachable:Known limitations
N/A
Issue that this PR addresses
Fixes #655
Checklist
PR Structure
allif the changes are broad or impact many packages.Thoroughness
Release