fix: skip global API key check for connector routes #255

Merged: AbirAbbas merged 1 commit into main from fix/connector-route-auth-bypass on Mar 10, 2026
@AbirAbbas
Contributor

Summary

  • Connector routes (/api/v1/connector/*) now bypass the global APIKeyAuth middleware — they have their own ConnectorTokenAuth which enforces X-Connector-Token with constant-time comparison
  • Previously, connectors had to send both the global API key and the connector token, which is architecturally wrong — the connector should never need the CP's global API key
  • Adds comprehensive functional tests for all three connector auth layers: ConnectorTokenAuth, ConnectorCapabilityCheck, and a full integration test proving the middleware chain is secure

Security verification

The integration tests explicitly prove:

  • Connector routes without a valid connector token → 403 Forbidden
  • Connector routes with only a global API key (no connector token) → 403 Forbidden
  • Connector routes with valid connector token → 200 OK
  • Regular API routes still require the global API key → 401 Unauthorized
  • Capability checks enforce enabled/disabled/read-only per domain

Test plan

  • All existing middleware tests pass
  • New connector auth tests pass (21 test cases)
  • Integration test covers full middleware chain (APIKeyAuth skip → ConnectorTokenAuth → ConnectorCapabilityCheck)

🤖 Generated with Claude Code

Connector routes have their own dedicated ConnectorTokenAuth middleware
that enforces X-Connector-Token with constant-time comparison. The global
APIKeyAuth middleware was incorrectly requiring the API key on these routes
too, forcing connectors to know and send the CP's global API key — a
credential they should never need.

This adds a prefix skip for /api/v1/connector/ in APIKeyAuth, matching
the existing pattern for /health, /ui, and /api/v1/did/ routes.

Also adds comprehensive functional tests for the full connector auth chain:
- ConnectorTokenAuth (valid/invalid/missing token, audit metadata injection)
- ConnectorCapabilityCheck (enabled/disabled/read-only/missing capabilities)
- Integration tests proving connector routes reject requests without a valid
  connector token, even though they bypass the global API key check

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
AbirAbbas requested a review from a team as a code owner March 10, 2026 22:15
AbirAbbas merged commit 6d969a1 into main Mar 10, 2026
21 checks passed
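
Added example, not the project's code: the middleware chain this pull request describes (APIKeyAuth with a prefix skip for /api/v1/connector/, then ConnectorTokenAuth on that subtree), written against Go's net/http. The X-API-Key header name, the sample secrets, and the /api/v1/connector/sync and /api/v1/agents paths are assumptions; the capability check layer is outside its scope.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const globalAPIKey, connectorToken = "example-global-key", "example-connector-token" // constructed samples

// secretEqual compares in constant time; an unset (empty) configured secret never matches.
func secretEqual(got, want string) bool { return want != "" && subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1 }

// apiKeyAuth (X-API-Key name assumed) skips the connector prefix, so that subtree must be wrapped by connectorTokenAuth.
func apiKeyAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasPrefix(r.URL.Path, "/api/v1/connector/") && !secretEqual(r.Header.Get("X-API-Key"), globalAPIKey) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func connectorTokenAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !secretEqual(r.Header.Get("X-Connector-Token"), connectorToken) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one in-memory request through the chain and returns the HTTP status code.
func status(path, header, value string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/api/v1/connector/", connectorTokenAuth(ok)) // dedicated auth for the skipped prefix
	mux.Handle("/api/v1/", ok)                               // regular API route (hypothetical)
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set(header, value)
	rec := httptest.NewRecorder()
	apiKeyAuth(mux).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(status("/api/v1/connector/sync", "X-API-Key", globalAPIKey)) }
```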