feat(auth): Make AuthContext support an optional ObjectKey bound #428
Draft
scope_matches_context only checked that request scopes were a subset of auth scopes. For object-bound auth this allowed access to a different object at a different storage path that shared the same key but had fewer scopes. Introduce a ScopeMatch mode so object-bound auth requires an exact scope set match.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 35ce284.
Split AuthContext.scopes into scopes_map (BTreeMap for subset lookups) and scopes_vec (Vec for positional matching). Strict mode now compares scopes element-by-element so that object-bound auth cannot authorize access to an object at a different storage path with reordered scopes.
Strict mode now rejects StringOrWildcard::Wildcard entries, ensuring object-bound auth requires literal value matches at every position.

Introduces an Option<ObjectKey> in AuthContext.
When present, it indicates that the given AuthContext is tied to a specific key.
This is needed for pre-signed URLs, given that in most cases we would want such a URL to grant rights to act only on a specific object, as opposed to the whole usecase/scope combination.

Splits the existing AuthContext::assert_authorized check into assert_context_authorized and assert_object_authorized.
Callers use the right flavor depending on whether they act on a specific key.
The latter performs stricter matching to ensure we only authorize a predefined usecase+scope+key instead of possibly broadening permissions.
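
The difference between subset and strict scope matching described in this PR, as an added example that is not the project's code: it models why a subset check lets a request with fewer scopes through for an object-bound grant, and how positional, literal-only matching closes that gap. The type and field names come from the PR text; their shapes, the methods `scopes_match` and `object_authorized`, and the `org`/`project`/`k1` sample values are assumptions made for illustration.

```rust
// Simplified model for illustration; names follow the PR text, shapes are assumed.
use std::collections::BTreeMap;

pub enum StringOrWildcard { Literal(String), Wildcard }
#[derive(Clone, Copy)]
pub enum ScopeMatch { Subset, Strict }

pub struct AuthContext {
    pub scopes_vec: Vec<(String, StringOrWildcard)>, // ordered grant
    pub object_key: Option<String>,                  // Some(_) means object-bound
}

impl AuthContext {
    pub fn scopes_match(&self, request: &[(&str, &str)], mode: ScopeMatch) -> bool {
        match mode {
            // Subset: each requested scope must be granted; extra grants are ignored.
            ScopeMatch::Subset => {
                let map: BTreeMap<&str, &StringOrWildcard> =
                    self.scopes_vec.iter().map(|(k, v)| (k.as_str(), v)).collect();
                request.iter().all(|(k, v)| match map.get(*k) {
                    Some(StringOrWildcard::Wildcard) => true,
                    Some(StringOrWildcard::Literal(g)) => g.as_str() == *v,
                    None => false,
                })
            }
            // Strict: same length, same order, literal values only (no wildcards).
            ScopeMatch::Strict => {
                request.len() == self.scopes_vec.len()
                    && request.iter().zip(&self.scopes_vec).all(|((rk, rv), (gk, gv))| {
                        *rk == gk.as_str()
                            && matches!(gv, StringOrWildcard::Literal(g) if g.as_str() == *rv)
                    })
            }
        }
    }
    // Object-bound check: key equals the bound key and scopes match strictly.
    pub fn object_authorized(&self, request: &[(&str, &str)], key: &str) -> bool {
        self.object_key.as_deref() == Some(key) && self.scopes_match(request, ScopeMatch::Strict)
    }
}

fn main() {
    // Constructed sample: a grant bound to key "k1" under org=1, project=2.
    let lit = |s: &str| StringOrWildcard::Literal(s.to_string());
    let scopes_vec = vec![("org".to_string(), lit("1")), ("project".to_string(), lit("2"))];
    let ctx = AuthContext { scopes_vec, object_key: Some("k1".to_string()) };
    assert!(ctx.scopes_match(&[("org", "1")], ScopeMatch::Subset)); // fewer scopes pass
    assert!(!ctx.object_authorized(&[("org", "1")], "k1")); // strict check rejects them
}
```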