You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Auth: recognise known OpenFn clients and use the keys we hold for them (#550)
* chore(platform): pin Bun and switch to a text-format lockfile
Pin the Bun version in .tool-versions and replace the binary bun.lockb with the text-format bun.lock so dependency changes show up in diffs. Update CI and the Dockerfile to match.
* feat(platform): add a Postgres connection pool and migration runner
Add a shared pg pool (db/index.ts) and a migration runner (db/migrate.ts) that applies the SQL files in platform/migrations in order. Includes the first migration, which creates the lightning_clients table that client auth reads from.
* feat(auth): authenticate /services/* against per-client credentials
Add an always-on authenticate hook on /services/* that maps the api_key in the request body to a Lightning client via its SHA-256 in the lightning_clients table. On a known match the inbound key is never forwarded to the LLM: it is swapped for the client's stored anthropic_api_key, or stripped to fall back to the global key when that column is null. An unknown key is forwarded only if it is sk-ant-shaped, otherwise rejected with 401. Internal Apollo-to-Apollo calls are exempt via a per-process token injected into each Python child.
Lookups are cached in memory with a single-flight, stale-while-revalidate refresh. Stored keys may be AES-256-GCM encrypted at rest. When the clients DB is unreachable the hook fails closed with 503, and decrypt, refresh and token-mismatch failures are reported to Sentry.
* feat(auth): add a client provisioning CLI
Add a client CLI (bun run client) for provisioning Lightning clients: create, list, rotate and remove rows in lightning_clients, reading secrets from stdin and encrypting them at rest. Add a migrate script to run pending migrations.
* test(auth): cover the auth hook, key resolver, CLI and startup
Add tests for the authenticate hook and key resolution, the client CLI (store, commands, secret reading), token hashing against fixed vectors, the encryption helper, the migration runner, and server startup. Extend the existing server tests to inject a configured auth instance.
* docs(auth): document client auth, the dual-DB setup and env vars
Document the client auth model in the root README and the platform/src/auth README, note the APOLLO_CLIENTS_DB_URL / POSTGRES_URL fallback and the APOLLO_ENC_KEY / APOLLO_INTERNAL_TOKEN variables in .env.example and CLAUDE.md, and add the changeset.
* ci(docker): only move :latest for final releases
Build the tag list in the manipulate-tag step and append openfn/apollo:latest
only when the version has no hyphen. Pre-release tags (e.g. 1.4.0-pre.0) now push
only their versioned image and leave :latest pointing at the last final release.
* version: 1.4.0
* remove comments
---------
Co-authored-by: Joe Clark <jclark@openfn.org>
0 commit comments