feat(mesh): support shared secret verification

- Allow the link API verifier to accept either mesh-scoped JWTs or a shared secret.
- Read SERVICELINK_MESH_SECRET from the environment for trusted Docker network calls.
- Update the servicelink submodule to include shared-secret verifier support.

routes/api/link.py

@@ -10,13 +10,14 @@ limited and body-size capped. Keep /rpc on the internal node network.
 from __future__ import annotations
 
 import base64
+import os
 
 from quart import current_app
 
 from my_modules.app.setup import LIMITER
 from my_modules.expiry import ensure_utc, parse_expires
 from my_modules.file_meta import format_size, iso_stamp_filename
-from servicelink import InvalidParams, NotFound, Router, Unauthorized, bearer_verifier, create_link_blueprint
+from servicelink import InvalidParams, NotFound, Router, Unauthorized, any_verifier, bearer_verifier, create_link_blueprint, shared_secret_verifier
 
 MAX_RPC_BODY = 16 * 1024 * 1024
 MESH_SCOPE = 'mesh'
@@ -107,5 +108,12 @@ async def _decode_access_token(token):
     raise ValueError((payload or {}).get('error', 'invalid token'))
   return payload
 
-verify = bearer_verifier(_decode_access_token, require_scope=MESH_SCOPE)
+def _build_verify():
+  # Accept a JWT access token with the mesh scope (public path) OR, on the
+  # trusted Docker network, a static shared secret from SERVICELINK_MESH_SECRET.
+  jwt = bearer_verifier(_decode_access_token, require_scope=MESH_SCOPE)
+  secret = os.getenv('SERVICELINK_MESH_SECRET')
+  return any_verifier(shared_secret_verifier(secret, scopes=(MESH_SCOPE,)), jwt) if secret else jwt
+
+verify = _build_verify()
 link_bp = create_link_blueprint(router, verify=verify, limiter=LIMITER.limit('30 per minute'), max_body=MAX_RPC_BODY)