feat(OBE-9898): always require a token, read site_version from claim #108

Draft
saurabhchauhan-s1 wants to merge 1 commit into master from add_site_version_vector

@saurabhchauhan-s1

The vector source's auth drops the require_token config knob: a valid bearer token is now always required, removing the legacy require_token=false bypass that accepted unauthenticated pushes. The site's version is read from the validated JWT's site_version claim (stamped by the manager auth-service, OBE-9896) and logged for telemetry / future per-version policy.

  • jwt_auth.rs: remove AuthConfig.require_token, default_require_token, Inner.require_token; authenticate() rejects a missing authorization header unconditionally; read SITE_VERSION_CLAIM from the decoded claims.
  • sources/vector/mod.rs: delete the legacy and now-redundant require_token tests, rename the kept ones to the unconditional behavior.
  • test_util/jwt_auth.rs: drop require_token from the shared build_auth helper.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
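
A small model of the behaviour change described in this PR, as an added example that is not code from the PR or from Vector. Only the `site_version` claim name and the `require_token` knob come from the description; the function signatures, `AuthError`, and `sample_validator` (a constructed stand-in for JWT signature and expiry checks) are hypothetical.

```rust
use std::collections::HashMap;

// Claim name as given in the PR text; every other name here is hypothetical.
const SITE_VERSION_CLAIM: &str = "site_version";
type Claims = HashMap<String, String>;

#[derive(Debug, PartialEq)]
enum AuthError { MissingHeader, NotBearer, InvalidToken }

/// New behaviour: a missing header is always rejected, and site_version is
/// read only from claims the validator has accepted.
fn authenticate(header: Option<&str>, validate: &dyn Fn(&str) -> Option<Claims>)
    -> Result<Option<String>, AuthError> {
    let value = header.ok_or(AuthError::MissingHeader)?;
    let token = value.strip_prefix("Bearer ").ok_or(AuthError::NotBearer)?;
    let claims = validate(token.trim()).ok_or(AuthError::InvalidToken)?;
    Ok(claims.get(SITE_VERSION_CLAIM).cloned()) // None: claim absent (assumed non-fatal)
}

/// Legacy behaviour with the require_token knob. Assumption: a token that is
/// presented is still validated even when require_token is false.
fn authenticate_legacy(require_token: bool, header: Option<&str>,
    validate: &dyn Fn(&str) -> Option<Claims>) -> Result<Option<String>, AuthError> {
    match header {
        None if !require_token => Ok(None), // bypass: unauthenticated push accepted
        _ => authenticate(header, validate),
    }
}

/// Constructed validator standing in for JWT signature and expiry checks.
fn sample_validator(token: &str) -> Option<Claims> {
    match token {
        "valid-with-version" => Some(HashMap::from([(
            SITE_VERSION_CLAIM.to_string(), "1.2.3".to_string())])),
        "valid-no-version" => Some(Claims::new()),
        _ => None,
    }
}

fn main() {
    let headers = [None, Some("Basic abc"), Some("Bearer forged"),
        Some("Bearer valid-no-version"), Some("Bearer valid-with-version")];
    for h in headers {
        println!("{:?}\n  legacy(require_token=false): {:?}\n  unconditional: {:?}", h,
            authenticate_legacy(false, h, &sample_validator),
            authenticate(h, &sample_validator));
    }
}
```

The only input on which the two functions disagree is the request with no `authorization` header, which is the case the removed knob controlled.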