fix: allow vault info under path scope and clarify API errors
Build and Push Docker Container / build-and-push (push) Successful in 4m29s

- Allow vault and vaults commands when a token has path restrictions

- Treat vault/vaults as pathless metadata commands in policy checks

- Add allowed commands, vaults and paths to 403 permission errors

- Surface real JWT failure reason in 401 instead of generic Unauthorized

- Report missing, malformed and empty Bearer tokens distinctly

- Catch httpRequest failures in the n8n node to avoid circular JSON

- Map API errors to clean NodeApiError with status code and detail

- Support continueOnFail with per-item error output in the n8n node

- Push a versioned image tag from pyproject in the CI workflow

- Bump server to 1.0.2 and n8n node package to 0.2.1

- Add tests for vault info access and richer auth error messages
This commit is contained in:
2026-06-24 11:41:18 +02:00
parent be78e3aa00
commit 3bda4002fe
9 changed files with 184 additions and 53 deletions
+9 -4
View File
@@ -73,12 +73,17 @@ def require_auth(request:Request) -> AuthContext|JSONResponse:
return error(500, "OBSIDIAN_JWT_SECRET is required")
header = request.headers.get("authorization", "")
if not header:
return error(401, "missing Authorization header; expected 'Bearer <jwt>'")
if not header.startswith("Bearer "):
return error(401, "Unauthorized")
return error(401, "invalid Authorization header; expected 'Bearer <jwt>'")
supplied = header.removeprefix("Bearer ").strip()
if not supplied:
return error(401, "empty Bearer token")
supplied = header.removeprefix("Bearer ")
try:
claims = decode_hs256_jwt(supplied, JWT_SECRET.encode())
return AuthContext(policy=policy_from_jwt_claims(supplied, claims))
except ValueError:
return error(401, "Unauthorized")
except ValueError as exc:
return error(401, f"invalid token: {exc}")