Skip to content

fix(auth): verify against backup signing secret + harden secret time/cache#3079

Open
xilosada wants to merge 1 commit into
masterfrom
auth-secret-verify
Open

fix(auth): verify against backup signing secret + harden secret time/cache#3079
xilosada wants to merge 1 commit into
masterfrom
auth-secret-verify

Conversation

@xilosada

Copy link
Copy Markdown
Member

What

Hardens JWT signing-secret handling so secret rotation is safe to enable.

  • verify_token falls back to an unexpired backup secret on signature failure, so rotating the signing secret no longer invalidates outstanding tokens.
  • Replaces panicking SystemTime unwraps with a checked epoch helper.
  • Re-reads secrets from storage on version mismatch so processes stay consistent after an out-of-process rotation.

Rotation itself stays disabled in this PR; it is enabled in a follow-up.

Tests

cargo test -p mero-auth green (68 passed). New: verify-after-rotation falls back to backup; rejected once the backup is evicted; foreign-signed token rejected.

Hardens JWT secret handling so signing-secret rotation is safe to enable:
- verify_token falls back to an unexpired backup secret on signature failure,
  so a rotation no longer invalidates outstanding tokens
- replace panicking system-time unwraps with a checked epoch helper
- re-read secrets from storage on version mismatch so replicas stay consistent

Rotation itself stays disabled here; it is enabled in a later change.
@github-actions

Copy link
Copy Markdown

Your PR title does not adhere to the Conventional Commits convention:

<type>(<scope>): <subject>

Common errors to avoid:

  1. The title must be in lower case.
  2. Allowed type values are: build, ci, docs, feat, fix, perf, refactor, test.

@meroreviewer meroreviewer Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 MeroReviewer

Reviewed by 1 agents | Quality score: 85% | Review time: 80.2s


✅ No Issues Found

All agents reviewed the code and found no issues. LGTM! 🎉


🤖 Generated by MeroReviewer | Review ID: review-0a548129

@meroreviewer

meroreviewer Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Documentation Review

The following documentation may need updates based on the changes in this PR:

  • 🟡 architecture/crates/auth.html: Files matching crates/auth/** were changed but architecture/crates/auth.html was not updated (per source_to_docs_mapping).

@github-actions

Copy link
Copy Markdown

E2E Rust Apps Failed

One or more E2E workflows (scaffolding-e2e, xcall-example) failed.

Please check the workflow logs for more details.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

This pull request has been automatically marked as stale. If this pull request is still relevant, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize reviewing it yet. Your contribution is very much appreciated.

@github-actions github-actions Bot added the Stale label Jul 7, 2026
@frdomovic frdomovic changed the title auth: verify against backup signing secret + harden secret time/cache fix(auth): verify against backup signing secret + harden secret time/cache Jul 13, 2026
@frdomovic

Copy link
Copy Markdown
Member

bump — still relevant. Closes security-review items 14 (verify against unexpired backup secret) and 21b (checked epoch helper). Base of the #3082#3083 stack; must land before rotation is enabled in #3083. Doc-bot advisory (auth.html) is handled by update-docs on merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants