yusiboyz/platform
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

Gateway Trust Model: Protect Internal Services and Service-Level Data #5

New Issue
Closed
opened 2026-03-29 08:35:00 -05:00 by yusiboyz · 4 comments
yusiboyz commented 2026-03-29 08:35:00 -05:00
Owner
Copy Link

This issue covers gateway trust boundaries and internal service authentication.

Problems:

  • Gateway still treats inventory, budget, reader, books, and music as service-level backends
  • Inventory and Budget are still unauthenticated services
  • Gateway dashboard still pulls global data from those services for any authenticated platform user
  • Service token validation for some services still uses weak health-check semantics

Files:

  • gateway/server.py
  • gateway/dashboard.py
  • services/inventory/server.js
  • services/budget/server.js

Acceptance criteria:

  • Inventory and Budget are protected by an auth layer, even on internal networks
  • Gateway no longer exposes service-global data to arbitrary platform users
  • Dashboard widgets only return data the current user is authorized to see
  • Service trust model is documented and enforced consistently
This issue covers gateway trust boundaries and internal service authentication. Problems: - Gateway still treats inventory, budget, reader, books, and music as service-level backends - Inventory and Budget are still unauthenticated services - Gateway dashboard still pulls global data from those services for any authenticated platform user - Service token validation for some services still uses weak health-check semantics Files: - gateway/server.py - gateway/dashboard.py - services/inventory/server.js - services/budget/server.js Acceptance criteria: - Inventory and Budget are protected by an auth layer, even on internal networks - Gateway no longer exposes service-global data to arbitrary platform users - Dashboard widgets only return data the current user is authorized to see - Service trust model is documented and enforced consistently
yusiboyz added this to the Immediate milestone 2026-03-29 08:43:50 -05:00
yusiboyz commented 2026-03-29 09:06:55 -05:00
Author
Owner
Copy Link

Partial fix in commit fcb9383

Changes:

  • services/inventory/server.js: Added X-API-Key middleware, rejects 401 without key
  • services/budget/server.js: Added X-API-Key middleware, rejects 401 without key
  • gateway/server.py: Proxy injects INVENTORY_SERVICE_API_KEY and BUDGET_SERVICE_API_KEY
  • gateway/dashboard.py: Dashboard fetchers inject API keys
  • gateway/config.py: Added INVENTORY_SERVICE_API_KEY, BUDGET_SERVICE_API_KEY
  • docker-compose.yml: SERVICE_API_KEY env vars for both services + gateway

Verified:

  • Inventory without key: 401 Unauthorized
  • Inventory with key: 200 (data returned)
  • Budget without key: 401 Unauthorized
  • Budget with key: 200 (data returned)
  • Dashboard aggregation works with keys
  • Frontend proxy chain works end-to-end

Remaining:

  • Document trust model
  • Validate service token semantics for fitness/trips
**Partial fix in commit fcb9383** Changes: - `services/inventory/server.js`: Added X-API-Key middleware, rejects 401 without key - `services/budget/server.js`: Added X-API-Key middleware, rejects 401 without key - `gateway/server.py`: Proxy injects INVENTORY_SERVICE_API_KEY and BUDGET_SERVICE_API_KEY - `gateway/dashboard.py`: Dashboard fetchers inject API keys - `gateway/config.py`: Added INVENTORY_SERVICE_API_KEY, BUDGET_SERVICE_API_KEY - `docker-compose.yml`: SERVICE_API_KEY env vars for both services + gateway Verified: - Inventory without key: 401 Unauthorized - Inventory with key: 200 (data returned) - Budget without key: 401 Unauthorized - Budget with key: 200 (data returned) - Dashboard aggregation works with keys - Frontend proxy chain works end-to-end Remaining: - Document trust model - Validate service token semantics for fitness/trips
yusiboyz commented 2026-03-29 10:13:12 -05:00
Author
Owner
Copy Link

Fixed in 4ecd233 — Token validation uses protected endpoints. Trust model documented in docs/trust-model.md. Unknown services rejected.

**Fixed in 4ecd233** — Token validation uses protected endpoints. Trust model documented in docs/trust-model.md. Unknown services rejected.
yusiboyz commented 2026-03-29 13:50:24 -05:00
Author
Owner
Copy Link

Completed in 7a7286a — SERVICE_LEVEL_AUTH renamed to GATEWAY_KEY_SERVICES. /debug-nocodb removed. NocoDB search sanitized (strips filter operators). Token validation uses protected endpoints per service type.

**Completed in 7a7286a** — SERVICE_LEVEL_AUTH renamed to GATEWAY_KEY_SERVICES. /debug-nocodb removed. NocoDB search sanitized (strips filter operators). Token validation uses protected endpoints per service type.
yusiboyz commented 2026-03-29 15:17:41 -05:00
Author
Owner
Copy Link

Completed. Removed /test endpoint from inventory. Trust model doc rewritten with accurate per-user vs gateway-key distinction, known limitations documented. No remaining debug surfaces.

**Completed.** Removed /test endpoint from inventory. Trust model doc rewritten with accurate per-user vs gateway-key distinction, known limitations documented. No remaining debug surfaces.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
auth
critical
dependencies
high
immediate
medium
next
ops
performance
security
No Label
Milestone
No items
No Milestone Immediate
Projects
Clear projects
No project
Assignees
Clear assignees
yusiboyz
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: yusiboyz/platform#5
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?