Treat authenticated callers with no roles as service accounts

MCIAS service tokens have nil roles and may not return account_type
in the validate response. Recognize authenticated callers with a
username but no roles as service accounts for IsUser() purposes.
Explicit guest role still blocks access.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 20:19:14 -07:00
parent a5bb366558
commit 7f9e7f433f


@@ -52,8 +52,10 @@ type CallerInfo struct {
IsAdmin bool IsAdmin bool
} }
// IsUser returns true if the caller is a human user with the "user" or // IsUser returns true if the caller is authorized to perform user-level
// "admin" role, or a system (service) account. Guest-only humans are excluded. // operations. Admins, system (service) accounts, and humans with the
// "user" role all qualify. Authenticated callers with no roles are treated
// as service accounts (MCIAS issues service tokens with nil roles).
func (c *CallerInfo) IsUser() bool { func (c *CallerInfo) IsUser() bool {
if c.IsAdmin { if c.IsAdmin {
return true return true
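Review bot: the new doc comment states that "authenticated callers with no roles are treated as service accounts" but does not say what "authenticated" means for this method; in the second hunk the check is `c.Username != ""`, so a CallerInfo with an empty Username and nil Roles is still rejected. Spell that out in the comment (e.g. "callers with a non-empty Username and no roles"), and consider noting that the rule exists because the MCIAS validate response may omit account_type, so a reader knows the condition is a workaround for a missing field rather than a general policy.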
@@ -65,6 +67,13 @@ func (c *CallerInfo) IsUser() bool {
if r == "user" { if r == "user" {
return true return true
} }
if r == "guest" {
return false
}
}
// Authenticated caller with no roles — service account.
if c.Username != "" && len(c.Roles) == 0 {
return true
} }
return false return false
} }
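Review bot: the added `c.Username != "" && len(c.Roles) == 0` branch is fail-open with respect to role data: a caller whose Roles slice is nil because the token carried no roles is indistinguishable here from one whose roles were dropped or never populated, and both now pass IsUser(), while a caller with any unrecognized non-empty role list (say, a single role that is neither "user", "guest" nor "admin") still falls through to `return false`. Since the commit message says the validate response "may not return account_type", consider using account_type when it is present and only falling back to the no-roles rule when it is absent, so a human token with an empty role list is not silently promoted. Separately, the new `if r == "guest" { return false }` inside the loop makes the result depend on role order: `["user", "guest"]` returns true at the "user" check, while `["guest", "user"]` returns false before "user" is reached. Decide whether guest should override user or vice versa and evaluate the whole slice before returning, e.g. record `hasUser` / `hasGuest` flags in the loop and return after it.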