Skip to content

[fix] Authorize resource watches on the holder#408

Open
St4NNi wants to merge 12 commits into
mainfrom
fix/watch-read-permission
Open

[fix] Authorize resource watches on the holder#408
St4NNi wants to merge 12 commits into
mainfrom
fix/watch-read-permission

Conversation

@St4NNi

@St4NNi St4NNi commented Jul 12, 2026

Copy link
Copy Markdown
Member

Closes #350

The node that owns a watch subscription's durable state did not check whether the owner may read the path being watched.

  • The holder side RPC create only verified that it was the correct inbox holder for the owner, then persisted and replicated the subscription on the calling peer's assertion. The API node authorized first, so this path was only reachable when the owner's inbox holder was a different node, but that node is the one that owns the state. Authorization now happens at the single choke point that both the local API arm and the holder RPC pass through, so no create path can skip it. Two existing tests created watches over the wire with no authorization documents installed and passed; they now install authorization and fail closed without it.
  • Enumeration was never re-checked, so revoking read permission left existing watches listable. Listing now filters on current authorization. The stored row is kept and filtered at the surface rather than deleted.
  • Watch creation distinguished a nonexistent group from an unreadable one, because the watch routes used the shared permission helper that maps every error to 500, while the metadata routes deliberately answer 403 for both. All watch surfaces now answer identically, so creation is not an existence oracle. Malformed prefixes still answer 400, which leaks nothing.

Anonymous watchers are refused even for publicly readable resources. A watch needs a durable per-user inbox to deliver into, and an anonymous principal has no inbox identity, so every anonymous watcher would collapse into one shared inbox key.

@St4NNi St4NNi force-pushed the fix/watch-read-permission branch from dc25e98 to 8c9b3a0 Compare July 13, 2026 17:07
@St4NNi St4NNi force-pushed the fix/watch-read-permission branch from c8e91f2 to 555c6bd Compare July 14, 2026 14:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[fix] Require read permission for resource watches

1 participant