fix: allow vault info under path scope and clarify API errors
Build and Push Docker Container / build-and-push (push) Successful in 4m29s
Build and Push Docker Container / build-and-push (push) Successful in 4m29s
- Allow vault and vaults commands when a token has path restrictions - Treat vault/vaults as pathless metadata commands in policy checks - Add allowed commands, vaults and paths to 403 permission errors - Surface real JWT failure reason in 401 instead of generic Unauthorized - Report missing, malformed and empty Bearer tokens distinctly - Catch httpRequest failures in the n8n node to avoid circular JSON - Map API errors to clean NodeApiError with status code and detail - Support continueOnFail with per-item error output in the n8n node - Push a versioned image tag from pyproject in the CI workflow - Bump server to 1.0.2 and n8n node package to 0.2.1 - Add tests for vault info access and richer auth error messages
This commit is contained in:
+9
-4
@@ -73,12 +73,17 @@ def require_auth(request:Request) -> AuthContext|JSONResponse:
|
||||
return error(500, "OBSIDIAN_JWT_SECRET is required")
|
||||
|
||||
header = request.headers.get("authorization", "")
|
||||
if not header:
|
||||
return error(401, "missing Authorization header; expected 'Bearer <jwt>'")
|
||||
if not header.startswith("Bearer "):
|
||||
return error(401, "Unauthorized")
|
||||
return error(401, "invalid Authorization header; expected 'Bearer <jwt>'")
|
||||
|
||||
supplied = header.removeprefix("Bearer ").strip()
|
||||
if not supplied:
|
||||
return error(401, "empty Bearer token")
|
||||
|
||||
supplied = header.removeprefix("Bearer ")
|
||||
try:
|
||||
claims = decode_hs256_jwt(supplied, JWT_SECRET.encode())
|
||||
return AuthContext(policy=policy_from_jwt_claims(supplied, claims))
|
||||
except ValueError:
|
||||
return error(401, "Unauthorized")
|
||||
except ValueError as exc:
|
||||
return error(401, f"invalid token: {exc}")
|
||||
|
||||
Reference in New Issue
Block a user