feat(merkleservice): forward CallbackToken to merkle-service /watch #131
Merged
…tration

Arcade's /api/v1/merkle-service/callback requires bearer-token auth via cfg.CallbackToken (PR #112 / F-018), but the /watch registration to merkle-service didn't tell merkle-service what token to send back. Result: merkle-service calls arcade with no Authorization header and gets 401.

Register/RegisterBatch now accept a callback-token argument and emit it in the watchRequest JSON. The propagator passes cfg.CallbackToken through. Empty tokens omit the field so older deployments without a configured token continue to work as today (with the same 401 they already get from the inbound check, which is the correct fail-closed behaviour).

Pairs with merkle-service PR <leave-placeholder> which makes the receiving end actually store and forward the token on outbound delivery. Both PRs must merge before authenticated callbacks work.
Summary
- merkleservice.Client.Register/RegisterBatch now accept and forward arcade's configured cfg.CallbackToken in the /watch request body.
- p.cfg.CallbackToken through to every Register call.
- omitempty) so back-compat is preserved.

Closes the arcade half of the broken callback-auth loop:

- Authorization: Bearer <cfg.CallbackToken> on inbound /merkle-service/callback (PR fix(api_server): require CallbackToken for Merkle callback endpoint (#76) #112).

Test plan

- go build ./...
- go vet ./...
- go test ./merkleservice/... ./services/propagation/... -race
- Register test asserts the request body contains callbackToken when set, omits it when empty

Coordination
This PR is harmless on its own - merkle-service silently ignores unknown JSON fields, so behaviour is unchanged until the merkle-service PR also lands. Recommend merging both within the same window; on rollout the arcade-v2 testnet and teratestnet flux configmaps need a callback_token added (mainnet already has one). See plan in /home/dylan/.claude/plans/in-this-directory-we-serene-star.md for the flux diff.
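
The two halves described above, as an added Go example (not code from this PR, arcade or merkle-service): the /watch body drops callbackToken when the token is empty, and the inbound callback check fails closed. The struct fields other than callbackToken, the function names, the sample values and the constant-time comparison are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// watchRequest is a hypothetical shape for the /watch body; only the
// callbackToken field name is taken from the PR text.
type watchRequest struct {
	TxID          string `json:"txid"`
	CallbackURL   string `json:"callbackUrl"`
	CallbackToken string `json:"callbackToken,omitempty"`
}

// buildWatchBody marshals a registration. An empty token omits the field,
// so a receiver that predates the field sees the body it always saw.
func buildWatchBody(txid, url, token string) string {
	b, _ := json.Marshal(watchRequest{TxID: txid, CallbackURL: url, CallbackToken: token})
	return string(b) // Marshal cannot fail for a struct of plain strings
}

// callbackStatus models the inbound check: 401 when no token is configured
// (fail closed) or the bearer value differs; comparison is constant time.
func callbackStatus(configured, authHeader string) int {
	const prefix = "Bearer "
	if configured == "" || !strings.HasPrefix(authHeader, prefix) {
		return http.StatusUnauthorized
	}
	got := strings.TrimPrefix(authHeader, prefix)
	if subtle.ConstantTimeCompare([]byte(got), []byte(configured)) != 1 {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

func main() {
	const token = "constructed-sample-token" // constructed value, not a real secret
	const url = "https://arcade.example/api/v1/merkle-service/callback"
	fmt.Println(buildWatchBody("ab12", url, token)) // field present
	fmt.Println(buildWatchBody("ab12", url, ""))    // field omitted
	fmt.Println(callbackStatus(token, "Bearer "+token)) // token forwarded back
	fmt.Println(callbackStatus(token, ""))              // no Authorization header
}
```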