feat: add auth verification for control plane and workers by jumski · Pull Request #444 · pgflow-dev/pgflow

jumski · 2025-11-28T07:34:47Z

Add authentication verification for Control Plane and Workers

This PR adds a comprehensive authentication plan for pgflow's Control Plane and Worker functions, ensuring sensitive operations are properly protected. Key changes include:

Added PLAN_auth-verification.md detailing the authentication requirements and implementation approach
Added PLAN_workers-start-command.md for a future CLI command to start workers with proper authentication
Updated CLI to use --secret-key instead of --publishable-key for the compile command
Modified tests to reflect the authentication changes
Updated documentation to clarify authentication requirements

The authentication model requires a Supabase service_role/secret key to protect sensitive operations like flow enumeration, compilation, and worker execution. This aligns with Supabase's recommended practices for server-side operations.

For local development, the default anon key is used, while production deployments will require setting up a proper secret key as an Edge Function environment variable.

changeset-bot · 2025-11-28T07:34:50Z

⚠️ No Changeset found

Latest commit: 15c01c6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes changesets to release 6 packages

Name	Type
pgflow	Minor
@pgflow/edge-worker	Minor
@pgflow/client	Minor
@pgflow/core	Minor
@pgflow/dsl	Minor
@pgflow/example-flows	Minor

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

chatgpt-codex-connector · 2025-11-28T07:34:55Z

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

jumski · 2025-11-28T07:35:09Z

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

merge:queue - adds this PR to the back of the merge queue
hotfix:queue - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

_{An organization admin has enabled the Graphite Merge Queue in this repository.} _{Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.}

This stack of pull requests is managed by Graphite. Learn more about stacking.

nx-cloud · 2025-11-28T07:35:46Z

View your CI Pipeline Execution ↗ for commit 15c01c6

Command	Status	Duration	Result
`nx affected -t verify-exports --base=origin/mai...`	✅ Succeeded	3s	View ↗
`nx affected -t build --configuration=production...`	✅ Succeeded	31s	View ↗
`nx affected -t lint typecheck test --parallel -...`	✅ Succeeded	3m 48s	View ↗
`nx run edge-worker:e2e`	✅ Succeeded	2m 31s	View ↗
`nx run cli:e2e`	✅ Succeeded	4s	View ↗

☁️ Nx Cloud last updated this comment at 2025-11-28 22:23:26 UTC

graphite-app · 2025-11-28T17:29:52Z

+    .addOption(
+      new Option('--secret-key [key]', 'Supabase anon/service_role key')
+        .hideHelp()
+    )


Critical bug: No default value provided for --secret-key option. The old code had DEFAULT_PUBLISHABLE_KEY as default, which was removed. When users run pgflow compile without the --secret-key flag, options.secretKey will be undefined, causing fetchFlowSQL() to send Authorization: Bearer undefined and apikey: undefined headers, breaking local development.

Fix:

const DEFAULT_ANON_KEY = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0'; .addOption( new Option('--secret-key [key]', 'Supabase anon/service_role key') .default(DEFAULT_ANON_KEY) .hideHelp() )

Suggested change

.addOption(

new Option('--secret-key [key]', 'Supabase anon/service_role key')

.hideHelp()

)

.addOption(

new Option('--secret-key [key]', 'Supabase anon/service_role key')

.default('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZS1kZW1vIiwicm9sZSI6ImFub24iLCJleHAiOjE5ODM4MTI5OTZ9.CRXP1A7WOeoJeXxjNni43kdQwgnWNReilDMblYTn_I0')

.hideHelp()

)

Spotted by Graphite Agent

Is this helpful? React 👍 or 👎 to let us know.

github-actions · 2025-11-28T22:24:08Z

🔍 Preview Deployment: Website

✅ Deployment successful!

🔗 Preview URL: https://pr-444.pgflow.pages.dev

📝 Details:

Branch: 11-28-recommend_no-verify-jwt_for_now
Commit: 43ef900ed13c6323a112b077cac7b642024aeb44
View Logs

_Last updated: _

graphite-app · 2025-11-28T23:45:04Z

Merge activity

Nov 28, 11:45 PM UTC: jumski added this pull request to the Graphite merge queue.
Nov 28, 11:45 PM UTC: CI is running for this pull request on a draft pull request (#449) due to your merge queue CI optimization settings.
Nov 28, 11:53 PM UTC: Merged by the Graphite merge queue via draft PR: #449.

# Add authentication verification for Control Plane and Workers This PR adds a comprehensive authentication plan for pgflow's Control Plane and Worker functions, ensuring sensitive operations are properly protected. Key changes include: - Added `PLAN_auth-verification.md` detailing the authentication requirements and implementation approach - Added `PLAN_workers-start-command.md` for a future CLI command to start workers with proper authentication - Updated CLI to use `--secret-key` instead of `--publishable-key` for the compile command - Modified tests to reflect the authentication changes - Updated documentation to clarify authentication requirements The authentication model requires a Supabase service_role/secret key to protect sensitive operations like flow enumeration, compilation, and worker execution. This aligns with Supabase's recommended practices for server-side operations. For local development, the default anon key is used, while production deployments will require setting up a proper secret key as an Edge Function environment variable.

jumski mentioned this pull request Nov 28, 2025

feat: add example worker and improve flow scaffolding #443

Closed

jumski mentioned this pull request Nov 28, 2025

refactor: standardize naming to camelCase for flow slugs and kebab-case for files #442

Closed

jumski temporarily deployed to preview November 28, 2025 07:42 — with GitHub Actions Inactive

jumski force-pushed the 11-28-recommend_no-verify-jwt_for_now branch from aa73e18 to 1c2e372 Compare November 28, 2025 08:04

jumski temporarily deployed to preview November 28, 2025 08:12 — with GitHub Actions Inactive

jumski force-pushed the 11-28-recommend_no-verify-jwt_for_now branch from 1c2e372 to d9495c2 Compare November 28, 2025 17:26

graphite-app Bot reviewed Nov 28, 2025

View reviewed changes

jumski force-pushed the 11-28-recommend_no-verify-jwt_for_now branch from d9495c2 to 42ada04 Compare November 28, 2025 17:57

jumski temporarily deployed to preview November 28, 2025 18:05 — with GitHub Actions Inactive

recommend no-verify-jwt for now

15c01c6

jumski force-pushed the 11-28-recommend_no-verify-jwt_for_now branch from 42ada04 to 15c01c6 Compare November 28, 2025 22:15

jumski temporarily deployed to preview November 28, 2025 22:22 — with GitHub Actions Inactive

jumski mentioned this pull request Nov 28, 2025

chore: remove Deno dependency and update flow compilation docs #448

Closed

graphite-app Bot closed this Nov 28, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add auth verification for control plane and workers#444

feat: add auth verification for control plane and workers#444
jumski wants to merge 1 commit into
11-27-scaffold_greetuser_example_flow_and_worker_during_install_with_quickstart_docsfrom
11-28-recommend_no-verify-jwt_for_now

jumski commented Nov 28, 2025

Uh oh!

changeset-bot Bot commented Nov 28, 2025 •

edited

Loading

Uh oh!

chatgpt-codex-connector Bot commented Nov 28, 2025

Uh oh!

jumski commented Nov 28, 2025 •

edited

Loading

Uh oh!

nx-cloud Bot commented Nov 28, 2025 •

edited

Loading

Uh oh!

graphite-app Bot Nov 28, 2025

Uh oh!

github-actions Bot commented Nov 28, 2025

Uh oh!

graphite-app Bot commented Nov 28, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

jumski commented Nov 28, 2025

Add authentication verification for Control Plane and Workers

Uh oh!

changeset-bot Bot commented Nov 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ No Changeset found

Uh oh!

chatgpt-codex-connector Bot commented Nov 28, 2025

Uh oh!

jumski commented Nov 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

How to use the Graphite Merge Queue

Uh oh!

nx-cloud Bot commented Nov 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

graphite-app Bot Nov 28, 2025

Choose a reason for hiding this comment

Uh oh!

github-actions Bot commented Nov 28, 2025

🔍 Preview Deployment: Website

Uh oh!

graphite-app Bot commented Nov 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Merge activity

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

changeset-bot Bot commented Nov 28, 2025 •

edited

Loading

jumski commented Nov 28, 2025 •

edited

Loading

nx-cloud Bot commented Nov 28, 2025 •

edited

Loading

graphite-app Bot commented Nov 28, 2025 •

edited

Loading