From 4deb469a9db5050bfa53f315a9ca7360d9c42550 Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Sun, 15 Mar 2026 13:42:43 -0700 Subject: [PATCH] Fix missing gRPC interceptor registrations for RevokeCert, DeleteCert, SignCSR RevokeCert and DeleteCert were not registered in sealRequired, authRequired, or adminRequired method sets, so the auth interceptor never ran for those calls and CallerInfo arrived as nil, producing "authentication required". SignCSR had the same gap in sealRequired and authRequired. Co-Authored-By: Claude Sonnet 4.6
---
 .junie/memory/language.json | 2 +- internal/grpcserver/server.go | 8 ++++++++ internal/webserver/routes.go | 6 ++++++ 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.junie/memory/language.json b/.junie/memory/language.json
index c3965f7..800d49d 100644
--- a/.junie/memory/language.json
+++ b/.junie/memory/language.json
@@ -1 +1 @@
-[{"lang":"en","usageCount":37}]
\ No newline at end of file
+[{"lang":"en","usageCount":39}]
\ No newline at end of file
diff --git a/internal/grpcserver/server.go b/internal/grpcserver/server.go
index 85666db..5cc93f9 100644
--- a/internal/grpcserver/server.go
+++ b/internal/grpcserver/server.go
@@ -126,6 +126,9 @@ func sealRequiredMethods() map[string]bool {
 "/metacrypt.v2.CAService/GetCert": true,
 "/metacrypt.v2.CAService/ListCerts": true,
 "/metacrypt.v2.CAService/RenewCert": true,
+ "/metacrypt.v2.CAService/SignCSR": true,
+ "/metacrypt.v2.CAService/RevokeCert": true,
+ "/metacrypt.v2.CAService/DeleteCert": true,
 "/metacrypt.v2.PolicyService/CreatePolicy": true,
 "/metacrypt.v2.PolicyService/ListPolicies": true,
 "/metacrypt.v2.PolicyService/GetPolicy": true,
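Review bot: The three method sets remain hand-maintained opt-in lists of string literals, so the gap closed here can reopen with the next RPC: going by the commit message, a method missing from `sealRequiredMethods()` (and likewise from `authRequiredMethods()` and `adminRequiredMethods()` in the next two hunks) is simply skipped by the interceptors. A test that walks `grpc.Server.GetServiceInfo()` and fails for any registered method that is neither in `authRequiredMethods()` nor in an explicit list of intentionally public methods would catch a forgotten entry before release. A comment above each map would also help, for example `// Every new RPC must be added here or to the explicit public list; unlisted methods are not checked.` The map literals start and end outside the hunks, so entries elsewhere in them were not reviewed.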
@@ -153,6 +156,9 @@ func authRequiredMethods() map[string]bool {
 "/metacrypt.v2.CAService/GetCert": true,
 "/metacrypt.v2.CAService/ListCerts": true,
 "/metacrypt.v2.CAService/RenewCert": true,
+ "/metacrypt.v2.CAService/SignCSR": true,
+ "/metacrypt.v2.CAService/RevokeCert": true,
+ "/metacrypt.v2.CAService/DeleteCert": true,
 "/metacrypt.v2.PolicyService/CreatePolicy": true,
 "/metacrypt.v2.PolicyService/ListPolicies": true,
 "/metacrypt.v2.PolicyService/GetPolicy": true,
@@ -173,6 +179,8 @@ func adminRequiredMethods() map[string]bool {
 "/metacrypt.v2.CAService/ImportRoot": true,
 "/metacrypt.v2.CAService/CreateIssuer": true,
 "/metacrypt.v2.CAService/DeleteIssuer": true,
+ "/metacrypt.v2.CAService/RevokeCert": true,
+ "/metacrypt.v2.CAService/DeleteCert": true,
 "/metacrypt.v2.PolicyService/CreatePolicy": true,
 "/metacrypt.v2.PolicyService/DeletePolicy": true,
 "/metacrypt.v2.ACMEService/SetConfig": true,
diff --git a/internal/webserver/routes.go b/internal/webserver/routes.go
index 7f580a2..ba87941 100644
--- a/internal/webserver/routes.go
+++ b/internal/webserver/routes.go
@@ -479,6 +479,12 @@ func (ws *WebServer) handleIssuerDetail(w http.ResponseWriter, r *http.Request) } func (ws *WebServer) handleIssueCert(w http.ResponseWriter, r *http.Request) { + // Disable the server-wide write deadline for this handler: it streams a + // tgz response only after several serial gRPC calls, which can easily + // consume the 30 s WriteTimeout before we start writing. We set our own + // 60 s deadline just before the write phase below. + _ = http.NewResponseController(w).SetWriteDeadline(time.Time{}) + info := tokenInfoFromContext(r.Context()) token := extractCookie(r)
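Review bot: In the `adminRequiredMethods()` hunk, `RevokeCert` and `DeleteCert` become admin-only while `SignCSR` is left out, although it is added to the other two sets. The commit message suggests this is deliberate, but nothing in the code says so, and a later reader could take it for another missed registration. A short comment beside the `CAService` entries would settle it, for example `// SignCSR is intentionally not admin-only; see <where non-admin signing is authorized>`, with the placeholder filled in from the handler, which is not visible in this diff.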
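Review bot: In `handleIssueCert`, `SetWriteDeadline(time.Time{})` clears the write deadline for the whole handler, so anything written before the later 60 s deadline is set (early error responses, redirects) goes out with no write timeout, and a slow-reading client can hold the connection open. Setting a finite deadline up front instead of the zero time keeps a bound on every path, e.g. `SetWriteDeadline(time.Now().Add(issueCertDeadline))`, where `issueCertDeadline` is a new named constant. The discarded error also hides the case where `w` is a middleware wrapper without `Unwrap`: the call then returns `http.ErrNotSupported` and the 30 s `WriteTimeout` silently stays in force, so the error should be logged rather than assigned to `_`. The rest of the handler, including the 60 s deadline the comment mentions and any timeout on the gRPC calls, is outside the hunk.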