
verify #1842 local issue-create fix actually resolves AUTH_REQUIRED on the encryption-on path #1856

Description

@markmhendrickson

Follow-up from the v0.18.4 security review of #1842 (local-loopback auth fallback for /issues/submit + /issues/add_message).

The adversarial review (docs/releases/in_progress/v0.18.4/security_review.md, finding F5) noted a possible efficacy gap, not a security issue:

  • With encryption off, the global auth gate already stamps the local user for any local no-Bearer request before the handler runs, making the new routeAllowsLocalIssueWriteFallback branch effectively redundant.
  • With encryption on, a no-credential local request may be gated earlier, so it's unverified end-to-end that the new branch actually closes the original AUTH_REQUIRED symptom Jacob hit.

The change is safe in all configurations (it never loosens auth beyond the global gate, and the remote-no-bearer 401 regression test passes). This issue is only to confirm the fix is effective for the encryption-on local/offline configuration that the reporter runs, and add an integration test for that exact path if a gap is found.

Acceptance: an integration test that reproduces the reporter's encryption-on offline config and asserts issues create succeeds without a bearer (or, if the global gate already handles it, document that and close).
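An added illustration, not the project's code: a toy Python model of the two auth layers this issue compares. Everything except the route names and the AUTH_REQUIRED code is an assumption, in particular that the global gate stamps the local user only with encryption off and otherwise rejects loopback no-Bearer requests; `probe` returns which layer decided, which is the check an integration test would need to tell "fallback effective" from "gated earlier".

```python
# Added example, not the project's code: toy model of the ordering question in
# this issue. Routes and AUTH_REQUIRED come from the issue; the rest is assumed.
from dataclasses import dataclass, field
from typing import Optional

AUTH_REQUIRED = "AUTH_REQUIRED"
LOCAL_ISSUE_WRITE_ROUTES = {"/issues/submit", "/issues/add_message"}

@dataclass
class Request:
    path: str
    remote_addr: str
    bearer: Optional[str] = None
    user: Optional[str] = None                 # stamped by whichever layer authenticates
    trace: list = field(default_factory=list)  # records which layer decided

def is_loopback(addr: str) -> bool:
    return addr in ("127.0.0.1", "::1")

def global_auth_gate(req: Request, encryption_on: bool) -> Optional[str]:
    # Assumed behaviour: stamps the local user for loopback no-Bearer requests
    # only when encryption is off; with encryption on it rejects them first.
    if req.bearer is not None:
        req.user = "bearer-user"
        req.trace.append("global:bearer")
    elif not encryption_on and is_loopback(req.remote_addr):
        req.user = "local"
        req.trace.append("global:stamped-local")
    else:
        req.trace.append("global:reject")
        return AUTH_REQUIRED
    return None

def route_allows_local_issue_write_fallback(req: Request) -> bool:
    return req.path in LOCAL_ISSUE_WRITE_ROUTES and is_loopback(req.remote_addr)

def handle_issue_write(req: Request) -> str:
    # The #1842 branch; only reachable if the global gate let the request through.
    if req.user is None and route_allows_local_issue_write_fallback(req):
        req.user = "local"
        req.trace.append("handler:fallback")
    return AUTH_REQUIRED if req.user is None else "OK"

def probe(path: str, remote_addr: str, encryption_on: bool, bearer=None):
    # Returns (result, trace) so a test can assert which layer decided, not just
    # the outcome: the new branch is effective only if "handler:fallback" appears.
    req = Request(path, remote_addr, bearer)
    err = global_auth_gate(req, encryption_on)
    return (err, req.trace) if err else (handle_issue_write(req), req.trace)
```

Under these assumptions the handler-level fallback never appears in the trace in either configuration, which is exactly the gap the issue asks to confirm or rule out against the real gate.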
