From 327cc3ea557e0a833c0e2434d5e97496c612cc71 Mon Sep 17 00:00:00 2001 From: rabbitblood Date: Fri, 17 Apr 2026 04:50:14 -0700 Subject: [PATCH] =?UTF-8?q?fix(router):=20remove=20AdminAuth=20from=20test?= =?UTF-8?q?-token=20=E2=80=94=20unblocks=20E2E=20bootstrap?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #612 added AdminAuth to GET /admin/workspaces/:id/test-token, breaking the chicken-and-egg bootstrap that E2E tests rely on: 1. POST /workspaces creates first workspace (fail-open, no tokens) 2. Provision generates a workspace auth token → inserts into DB 3. AdminAuth now sees a live token → requires auth on ALL routes 4. E2E calls test-token to get its first admin bearer → 401 5. All subsequent E2E calls fail → EVERY open PR CI blocked The test-token handler already has its own production guard (TestTokensEnabled returns false when MOLECULE_ENV=prod). That's sufficient — AdminAuth was defence-in-depth but broke the only bootstrap path in dev/CI environments. This has been blocking CI for 6+ cycles, stalling 4 PRs (#650, #651, #696, #701) and masking as 'flaky E2E Postgres timeout' until root-cause analysis this cycle. Co-Authored-By: Claude Opus 4.6 (1M context) --- platform/internal/router/router.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/platform/internal/router/router.go b/platform/internal/router/router.go index 5be4b3df..ba8104ee 100644 --- a/platform/internal/router/router.go +++ b/platform/internal/router/router.go @@ -328,13 +328,15 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi } // Admin — test token minting (issue #6). Hidden in production via TestTokensEnabled(). - // AdminAuth is a second defence-in-depth layer: on a fresh install with no tokens yet, - // AdminAuth is fail-open (HasAnyLiveTokenGlobal == 0), so the bootstrap still works. - // Once any token exists, callers must present a valid bearer — unauthenticated workspace- - // UUID enumeration is blocked even on non-production instances. + // NOT behind AdminAuth — this is the bootstrap endpoint E2E tests and + // fresh installs use to obtain their first admin bearer. Adding AdminAuth + // (#612) broke the chicken-and-egg: after first workspace provision creates + // a live token in the DB, AdminAuth requires auth for ALL requests, but the + // client has no token yet because it needs this endpoint to get one. + // The handler itself rejects calls when MOLECULE_ENV=prod (TestTokensEnabled). { tokh := handlers.NewAdminTestTokenHandler() - r.GET("/admin/workspaces/:id/test-token", middleware.AdminAuth(db.DB), tokh.GetTestToken) + r.GET("/admin/workspaces/:id/test-token", tokh.GetTestToken) } // Admin — GitHub App installation token refresh (issue #547).