
[SC-16780] Allow machine keys on admin endpoints#122

Merged
even-steven merged 2 commits into main from stevenchand/sc-16780/aa-embed-atryum-functionality-in-validmind on Jun 30, 2026

Conversation

@even-steven

Contributor

Summary

  • Extends AdminMiddleware to accept X-API-Key / X-API-Secret as a trusted machine-caller path on admin endpoints (/api/v1/admin/...), in addition to the existing OAuth Bearer-token path used by the human admin UI
  • When valid machine key credentials are present, the request is admitted immediately without requiring a JWT; wrong keys return 401 without falling through to Bearer
  • This lets server-to-server callers (e.g. the ValidMind backend proxy) use the same static credentials they already use for reporting endpoints — no separate admin_bearer_token config or Keycloak service-account client-credentials flow needed

Test plan

  • Run go test ./internal/auth/... — all existing tests pass, new TestAdminMiddlewareMachineKeyBypassesBearer covers valid keys, wrong secret, and Bearer fallback
  • Verify ValidMind backend can call admin endpoints using vm_to_atryum_api_key / vm_to_atryum_api_secret from vmconfig
  • Verify human admin UI login via Bearer JWT still works (no X-API-Key headers sent from browser)

Made with Cursor

Extend AdminMiddleware to accept X-API-Key / X-API-Secret as a trusted
machine-caller path in addition to the existing OAuth Bearer-token path.

When valid machine key credentials are present, the request is admitted
immediately without requiring a JWT. Wrong keys short-circuit with 401
rather than falling through to the Bearer path. Requests with no API-key
headers fall through to the existing Bearer validation for human admin UI logins.

This lets server-to-server callers (e.g. the ValidMind backend proxy)
use the same static credentials they already have for reporting
endpoints, removing the need for a separate admin_bearer_token config
or a Keycloak service-account client-credentials flow.

Co-authored-by: Cursor <cursoragent@cursor.com>
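The precedence the description and commit message spell out, as an added Go example that is not the PR's own AdminMiddleware: a present-and-valid machine key admits the request without a JWT, a present-and-wrong key returns 401 without ever reaching the Bearer path, and a request with no key headers falls through to the Bearer check. The credentials, the stand-in bearerOK callback and the /api/v1/admin/users path are constructed here, and the example assumes an unset [api_key] disables the machine-key path, which the PR does not state.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)

// MachineKeyAdmin applies the precedence the PR describes: X-API-Key/X-API-Secret present and
// valid -> admit; present and wrong -> 401 with no Bearer fallback; absent -> Bearer check.
func MachineKeyAdmin(expectedKey, expectedSecret string, bearerOK func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key, secret := r.Header.Get("X-API-Key"), r.Header.Get("X-API-Secret")
		var authorized bool
		if key != "" || secret != "" {
			// Constant-time compares; assumption: an unset [api_key] disables this path instead of matching empty values.
			keyOK := subtle.ConstantTimeCompare([]byte(key), []byte(expectedKey)) == 1
			secretOK := subtle.ConstantTimeCompare([]byte(secret), []byte(expectedSecret)) == 1
			authorized = expectedKey != "" && expectedSecret != "" && keyOK && secretOK
		} else {
			authorized = bearerOK(r) // no key headers at all: existing JWT path for the admin UI
		}
		if !authorized {
			http.Error(w, "unauthorized", http.StatusUnauthorized) // wrong keys never reach Bearer
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewDemo wires the middleware with constructed credentials and a stand-in Bearer check that
// accepts only the literal token "good-jwt" (not a real JWT validator).
func NewDemo() http.Handler {
	bearerOK := func(r *http.Request) bool { return r.Header.Get("Authorization") == "Bearer good-jwt" }
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	return MachineKeyAdmin("vm-key-example", "vm-secret-example", bearerOK, ok)
}

// StatusFor sends one constructed admin request through h and returns the HTTP status code.
func StatusFor(h http.Handler, key, secret, authorization string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/users", nil)
	req.Header.Set("X-API-Key", key)
	req.Header.Set("X-API-Secret", secret)
	req.Header.Set("Authorization", authorization)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Run it with `go test` alongside a test that drives StatusFor; a wrong secret combined with a valid Bearer token must still come back 401, which is the property the PR's TestAdminMiddlewareMachineKeyBypassesBearer is meant to pin down.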
@even-steven even-steven self-assigned this Jun 29, 2026
@CLAassistant

CLAassistant commented Jun 29, 2026


CLA assistant check
All committers have signed the CLA.

@mdeyell-valid-mind

Contributor

The code looks good, but the toml comment for [api_key] should be updated. The docs should also mention that [api_key] can now be used to access the admin endpoints when it is set.

@even-steven

Contributor Author

> The code looks good, but the toml comment for [api_key] should be updated. The docs should also mention that [api_key] can now be used to access the admin endpoints when it is set.

Done, thank you.

@even-steven even-steven removed the request for review from gtagle June 29, 2026 23:42
@even-steven even-steven merged commit c4ee17f into main Jun 30, 2026
4 checks passed
@even-steven even-steven deleted the stevenchand/sc-16780/aa-embed-atryum-functionality-in-validmind branch June 30, 2026 17:30