Treat authenticated callers with no roles as service accounts

MCIAS service tokens have nil roles and may not return account_type in the validate response. Recognize authenticated callers with a username but no roles as service accounts for IsUser() purposes. Explicit guest role still blocks access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 20:19:14 -07:00
parent a5bb366558
commit 7f9e7f433f
1 changed files with 11 additions and 2 deletions
--- a/internal/engine/engine.go
+++ b/internal/engine/engine.go
@@ -52,8 +52,10 @@ type CallerInfo struct {
 	IsAdmin     bool
 }

-// IsUser returns true if the caller is a human user with the "user" or
-// "admin" role, or a system (service) account. Guest-only humans are excluded.
+// IsUser returns true if the caller is authorized to perform user-level
+// operations. Admins, system (service) accounts, and humans with the
+// "user" role all qualify. Authenticated callers with no roles are treated
+// as service accounts (MCIAS issues service tokens with nil roles).
 func (c *CallerInfo) IsUser() bool {
 	if c.IsAdmin {
 		return true
@@ -65,6 +67,13 @@ func (c *CallerInfo) IsUser() bool {
 		if r == "user" {
 			return true
 		}
+		if r == "guest" {
+			return false
+		}
+	}
+	// Authenticated caller with no roles — service account.
+	if c.Username != "" && len(c.Roles) == 0 {
+		return true
 	}
 	return false
 }