81ac3e6ea5
Signed user-header middleware (UserMiddleware/FromContext/User, ADR-0005) plus the deployed-secrets startup guard (MissingDeployedSecrets, ADR-0005/0006). Replaces the byte-identical auth package + secrets_guard.go copied into every backend service.
package auth
import (
	"sort"
	"strings"
)
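// MissingDeployedSecrets returns the sorted names of secrets that must be set in
// deployed environments (staging/production) but are currently unset. It returns
// nil for non-deployed environments (development, acctest) and when every
// required secret is present, so callers can treat a non-empty result as fatal.
//
// This closes the fail-open gap where an empty USER_SIGNING_KEY turns the
// user-header signature check into a no-op (forgeable identity) and an empty
// INTERNAL_API_KEY leaves the authz cache-hydration endpoint unauthenticated.
// See ADR-0005 and ADR-0006.
//
// The environment name is matched case-insensitively with surrounding
// whitespace ignored, so a value such as "Production" or "staging\n" cannot
// silently switch the guard off. A secret whose value is only whitespace is
// reported as missing, the same as an empty one.
//
// Any other environment name still yields nil: the guard is an allow-list of
// deployed names, not a deny-list of development ones. Callers that accept
// free-form environment strings should validate them against the known set
// before relying on a nil result.
func MissingDeployedSecrets(environment string, secrets map[string]string) []string {
	// Normalise before comparing: an exact-match check would skip the guard
	// entirely for a deployed environment whose name differs only in case or
	// stray whitespace.
	env := strings.TrimSpace(environment)
	if !strings.EqualFold(env, "staging") && !strings.EqualFold(env, "production") {
		return nil
	}

	var missing []string
	for name, value := range secrets {
		// A blank value gives no more protection than an absent one.
		if strings.TrimSpace(value) == "" {
			missing = append(missing, name)
		}
	}

	// Map iteration order is random; sort so the startup error is stable.
	sort.Strings(missing)
	return missing
}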