From 28d6f9fa1fbc4957039e89df60802452ff09a86c Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Fri, 27 Mar 2026 02:24:11 -0700
Subject: [PATCH] Fix ListIssuers auth: move from public to auth-required methods
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
ListIssuers was miscategorized as a public gRPC method, but the CA engine handler requires CallerInfo with user role. When called without auth (public path), the interceptor skipped token validation, so CallerInfo was nil and the handler returned ErrUnauthorized — which the web UI silently swallowed, showing "No issuers configured."
Security: gRPC interceptor map correction (ListIssuers requires auth)
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 internal/grpcserver/server.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/grpcserver/server.go b/internal/grpcserver/server.go
index fa2e041..0b9141b 100644
--- a/internal/grpcserver/server.go
+++ b/internal/grpcserver/server.go
@@ -160,7 +160,6 @@ func publicMethods() map[string]bool {
 // CA read-only — public certificates and chains.
 "/metacrypt.v2.CAService/GetRoot": true,
 "/metacrypt.v2.CAService/GetIssuer": true,
- "/metacrypt.v2.CAService/ListIssuers": true,
 "/metacrypt.v2.CAService/GetChain": true,
 // SSH CA — public key and key revocation list.
 "/metacrypt.v2.SSHCAService/GetCAPublicKey": true,
@@ -175,6 +174,7 @@ func authRequiredMethods() map[string]bool {
 "/metacrypt.v2.AuthService/Logout": true,
 "/metacrypt.v2.AuthService/TokenInfo": true,
 "/metacrypt.v2.EngineService/ListMounts": true,
+ "/metacrypt.v2.CAService/ListIssuers": true,
 "/metacrypt.v2.CAService/IssueCert": true,
 "/metacrypt.v2.CAService/GetCert": true,
 "/metacrypt.v2.CAService/ListCerts": true,
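Review bot: The `ListIssuers` entry added to `authRequiredMethods()` is one more hand-written method string that has to match what the handler enforces, and nothing in the patch keeps the two in step, which is the mismatch this commit repairs after the fact. I would add a comment above the new line, `// ListIssuers: handler requires CallerInfo (user role); must never be listed in publicMethods.`, so the reason for its placement is recorded next to the entry. A table-driven test that walks the registered gRPC methods and asserts each full name appears in exactly one of `publicMethods()` and `authRequiredMethods()` would catch the next miscategorization before it ships. The entries left in the public map (`GetRoot`, `GetIssuer`, `GetChain`) should be checked against their handlers in the same way, since any handler that reads CallerInfo would presumably fail just as `ListIssuers` did. Both function bodies start and end outside the hunks, so how the interceptor treats a method present in neither map cannot be confirmed from here.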