Closes the open broker (anonymous publish to any tenant's corrosion.*).
Per-license isolation via NATS user/password + subject permissions:
each license -> user=license_id, password=HMAC-SHA256(license_id,
NATS_TOKEN_SECRET), scoped to corrosion.{license_id}.> + _INBOX. Backend
uses a privileged internal user.
- Agent (alpha.5): nats_user/nats_password config + env, user_and_password
auth; falls back to token/anonymous (transition-safe)
- Backend: connects with NATS_INTERNAL_USER/PASSWORD when set, else anon
- scripts/generate-nats-auth.mjs: regenerates nats-auth.conf from the
licenses table; NATS_AUTH_STAGE=open keeps a no_auth_user fallback
(verify creds first), =enforce rejects anonymous
- committed nats-auth.conf is the SAFE OPEN default (no secrets); the
host copy carries real users and is not committed
- compose: NATS_INTERNAL_USER/PASSWORD/NATS_TOKEN_SECRET, mount nats-auth.conf
Entirely non-breaking until secrets+config deployed; staged cutover next.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
13 lines
528 B
Plaintext
# SAFE OPEN DEFAULT — anonymous full access, no secrets. Same behavior as the
# pre-auth broker so fresh deploys and the repo stay valid.
#
# Regenerated on deploy by scripts/generate-nats-auth.mjs with the privileged
# internal user + per-license scoped users (those carry secrets and must NOT be
# committed — mark the host copy with `git update-index --assume-unchanged`).
authorization {
  users: [
    { user: "anonymous", password: "", permissions: { publish: ">", subscribe: ">" } }
  ]
  no_auth_user: "anonymous"
}