fix(auth): scope org tools to the caller and document the auth flow #182
Open
annextuckner wants to merge 4 commits into
Add README reference entries for the organizations, alerts, threat_feed, package_files, package_file_contents, and package_file_grep tools, plus an authentication section and a worked organizations -> alerts example. Mirror the tool inventory in the architecture doc.
…mode The organizations, alerts, threat_feed, and package_files tools resolved their Socket token through resolveAuthToken, which falls back to the boot-time static key. In HTTP mode that key is the deploy operator's, so a shared/hosted server answered every caller's org lookup with the operator's private organizations, alerts, and threat feed. Split the resolver: resolveScopedAuthToken (per-tenant tools) returns the per-request token, and only falls back to the static key when it is the local user's own (stdio mode); in HTTP mode it returns undefined so the tool emits the auth-required error. setStaticApiKey now records whether the key is shared (HTTP) or user-owned (stdio). Non-OAuth HTTP mode reads the caller's Authorization: Bearer token into req.auth so per-tenant tools act on the caller's behalf. depscore keeps the public static fallback since package scores are not tenant-scoped.
| export SOCKET_API_TOKEN="your-socket-api-token" | ||
| ``` | ||
|
|
||
| When no token is available, these tools return: `Authentication is required. Configure SOCKET_API_TOKEN for stdio mode or connect through OAuth-enabled HTTP mode.` |
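Review bot: The added README sentence on the last line of this hunk names only two ways to supply a token (SOCKET_API_TOKEN for stdio, or OAuth-enabled HTTP mode), but the commit message in this PR says non-OAuth HTTP mode reads the caller's Authorization: Bearer token into req.auth. A caller of a non-OAuth HTTP deployment who hits this error gets no hint that sending a bearer header is the fix. Suggest documenting the bearer-header path next to this sentence, and stating whether SOCKET_API_KEY (named in the PR description) is accepted wherever SOCKET_API_TOKEN is.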
Collaborator
Consider not quoting the verbatim error string here. 269acc0 reworded AUTH_REQUIRED_MSG in lib/server.ts but this line still shows the old text, so the doc and the code have already drifted. The string is a human-readable diagnostic, not a contract clients match on, so pinning it in prose just creates a two-place-update trap — and the paragraph above already explains the per-transport auth model, making the quote redundant. Describing the behavior keeps lib/server.ts as the single source of truth.
Suggested change
| When no token is available, these tools return: `Authentication is required. Configure SOCKET_API_TOKEN for stdio mode or connect through OAuth-enabled HTTP mode.` | |
| When no token is available, these tools return an authentication-required error explaining how to supply one for each transport. |
What this changes

Tightens authentication in HTTP mode and documents the auth flow for the org-scoped tools.

52a87e8). In HTTP mode, organization-aware tools now resolve the caller's own token from the `Authorization: Bearer` header instead of falling back to the operator's boot-time deploy key. Stdio mode is unchanged. Covered by new tests in `test/http-server.test.ts` and `test/server.test.ts`.

`SOCKET_API_TOKEN`/`SOCKET_API_KEY` auth flow (9b78353). Adds the tool reference and the per-mode authentication guidance to `README.md` and `docs/claude.md/repo/architecture.md`.

Auth model after this change

`SOCKET_API_TOKEN` authenticates every tool.

Testing

`pnpm test` — new HTTP-server and server cases assert the caller-scoped behavior.
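
The resolver split described in the commit message above, sketched as an added TypeScript example; it is not the code from lib/server.ts. The names `resolveAuthToken`, `resolveScopedAuthToken` and `setStaticApiKey` come from the commit message, while their signatures, the `KeyOwner` type, `bearerToken`, `organizationsTool`, `anonymousHttpCaller` and all token values are assumptions made for illustration.

```typescript
// Assumed model: "user" = stdio, the key is the local user's own;
// "shared" = HTTP, the key belongs to the deploy operator.
type KeyOwner = "user" | "shared";
interface RequestAuth { token?: string | undefined }

let staticKey: string | undefined;
let staticKeyOwner: KeyOwner = "shared";

// Record the boot-time key together with who owns it.
function setStaticApiKey(key: string | undefined, owner: KeyOwner): void {
  staticKey = key;
  staticKeyOwner = owner;
}

// Extract the caller's token from an "Authorization: Bearer <token>" header value.
function bearerToken(header: string | undefined): string | undefined {
  const m = /^Bearer\s+(\S+)\s*$/i.exec(header ?? "");
  return m ? m[1] : undefined;
}

// Before: a caller without a token silently inherits the static key.
// Acceptable only for data that is not tenant-scoped (package scores).
function resolveAuthToken(auth?: RequestAuth): string | undefined {
  return auth?.token || staticKey;
}

// After: per-tenant tools use the static key only when it is the user's own.
function resolveScopedAuthToken(auth?: RequestAuth): string | undefined {
  if (auth?.token) return auth.token;
  return staticKeyOwner === "user" ? staticKey : undefined;
}

// Hypothetical per-tenant tool: reports which credential it would act with.
function organizationsTool(auth?: RequestAuth): string {
  const token = resolveScopedAuthToken(auth);
  return token ? `lookup with ${token}` : "auth required";
}

// Constructed scenario: hosted HTTP server booted with the operator's key,
// request arrives with no Authorization header.
function anonymousHttpCaller(): { legacy: string | undefined; scoped: string | undefined } {
  setStaticApiKey("operator-key", "shared");
  return { legacy: resolveAuthToken(), scoped: resolveScopedAuthToken() };
}
```
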