feat(picloud): opportunistic principal middleware on the data plane

The data-plane (POST /execute/{id} + user-route fallback) is unauthenticated by default — public scripts get hit by anonymous HTTP traffic. But some calls are authed (dashboard test-runs, API-key invocations) and v1.1.x services will want to see the caller via `cx.principal` for audit / authz once those features land. - New manager-core::attach_principal_if_present middleware. Always inserts Extension<Option<Principal>>: Some on resolved bearer/cookie, None on absent or malformed token. Fail-open on DB blip so a transient infra failure can't 500 anonymous traffic. - Wired in picloud build_app, scoped to the data-plane and user-routes routers only. The admin path keeps using require_authenticated; no double-resolve on the same token. - orchestrator-core handlers (execute_by_id, user_route_handler) now extract Extension<Option<Principal>> and pass it to build_exec_request. Replaces the temporary `None` placeholders from the previous commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-30 18:53:27 +02:00
parent dea776b2a3
commit 902dd78027
4 changed files with 70 additions and 18 deletions
--- a/crates/manager-core/src/auth_middleware.rs
+++ b/crates/manager-core/src/auth_middleware.rs
@@ -100,6 +100,35 @@ pub async fn require_admin(state: State<AuthState>, req: Request<Body>, next: Ne
    require_authenticated(state, req, next).await
 }

+/// Opportunistic data-plane variant: always inserts an
+/// `Extension<Option<Principal>>` and forwards the request. Used on
+/// `/execute/{id}` and the user-route fallback, where most invocations
+/// are anonymous public HTTP and the few authed ones (dashboard
+/// test-runs, API keys) should still let scripts see the caller via
+/// `cx.principal` once services consume it.
+///
+/// Failure modes — all degrade to `None` rather than rejecting:
+///   * No bearer / cookie → `None`.
+///   * Malformed or unknown token → `None`.
+///   * DB blip while resolving → `None` (fail-open; the data plane
+///     should not 500 on transient infra failures for an *optional*
+///     identity check).
+///
+/// Admin-side routes that REQUIRE an identity keep using
+/// `require_authenticated`.
+pub async fn attach_principal_if_present(
+    State(state): State<AuthState>,
+    mut req: Request<Body>,
+    next: Next,
+) -> Response {
+    let principal: Option<Principal> = match extract_token(&req) {
+        Some(token) => resolve_principal(&state, &token).await.unwrap_or(None),
+        None => None,
+    };
+    req.extensions_mut().insert(principal);
+    next.run(req).await
+}
+
 /// Decide whether the token is an API key (pic_ prefix) or a session
 /// token, then resolve the corresponding `Principal`. `Ok(None)`
 /// means the token was structurally valid but didn't match any active
--- a/crates/manager-core/src/lib.rs
+++ b/crates/manager-core/src/lib.rs
@@ -59,8 +59,8 @@ pub use auth_bootstrap::{
 };
 #[allow(deprecated)]
 pub use auth_middleware::{
-    require_admin, require_authenticated, AuthState, AuthedAdmin, API_KEY_PREFIX,
-    API_KEY_PREFIX_LEN, SESSION_COOKIE,
+    attach_principal_if_present, require_admin, require_authenticated, AuthState, AuthedAdmin,
+    API_KEY_PREFIX, API_KEY_PREFIX_LEN, SESSION_COOKIE,
 };
 pub use authz::{can, require, AuthzDenied, AuthzError, AuthzRepo, Capability, Decision};
 pub use log_sink::PostgresExecutionLogSink;