


daniel156161 b45139f429 feat(mesh): support shared secret verification
- Allow the link API verifier to accept either mesh-scoped JWTs or a shared secret.
- Read SERVICELINK_MESH_SECRET from the environment for trusted Docker network calls.
- Update the servicelink submodule to include shared-secret verifier support.
2026-06-14 12:21:04 +02:00
2 changed files with 11 additions and 3 deletions
+10 -2
@@ -10,13 +10,14 @@ limited and body-size capped. Keep /rpc on the internal node network.
from __future__ import annotations
import base64
import os
from quart import current_app
from my_modules.app.setup import LIMITER
from my_modules.expiry import ensure_utc, parse_expires
from my_modules.file_meta import format_size, iso_stamp_filename
from servicelink import InvalidParams, NotFound, Router, Unauthorized, bearer_verifier, create_link_blueprint
from servicelink import InvalidParams, NotFound, Router, Unauthorized, any_verifier, bearer_verifier, create_link_blueprint, shared_secret_verifier
MAX_RPC_BODY = 16 * 1024 * 1024
MESH_SCOPE = 'mesh'
@@ -107,5 +108,12 @@ async def _decode_access_token(token):
raise ValueError((payload or {}).get('error', 'invalid token'))
return payload
verify = bearer_verifier(_decode_access_token, require_scope=MESH_SCOPE)
def _build_verify():
# Accept a JWT access token with the mesh scope (public path) OR, on the
# trusted Docker network, a static shared secret from SERVICELINK_MESH_SECRET.
jwt = bearer_verifier(_decode_access_token, require_scope=MESH_SCOPE)
secret = os.getenv('SERVICELINK_MESH_SECRET')
return any_verifier(shared_secret_verifier(secret, scopes=(MESH_SCOPE,)), jwt) if secret else jwt
verify = _build_verify()
link_bp = create_link_blueprint(router, verify=verify, limiter=LIMITER.limit('30 per minute'), max_body=MAX_RPC_BODY)
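Review bot: The "trusted Docker network" restriction in the comment of `_build_verify` is not enforced anywhere in the hunk — `any_verifier` accepts the static secret from any client that reaches `/rpc`, so the only thing standing between a leaked `SERVICELINK_MESH_SECRET` and full mesh-scope access is the network placement the module docstring asks for. Since the secret is a non-expiring bearer credential, the build function should at least refuse a weak value instead of silently enabling the path for any non-empty string: `secret = (os.getenv('SERVICELINK_MESH_SECRET') or '').strip()` followed by `if secret and len(secret) < 32: raise RuntimeError('SERVICELINK_MESH_SECRET must be at least 32 characters')`. Whether `shared_secret_verifier` compares the presented value in constant time (`hmac.compare_digest`) lives in the servicelink submodule and is not visible here; it is worth confirming, as a plain `==` on a static secret is timing-observable. Note also that the secret is read once at import (`verify = _build_verify()`), so rotation requires a process restart — the comment should say so. The tail of `_decode_access_token` at the top of this hunk belongs to a function whose body starts outside the hunk.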