-
Notifications
You must be signed in to change notification settings - Fork 0
feat(auth): allow non-admin user role to use HTTP sink/IO nodes #634
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 1 commit
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
55ed4f1
feat(auth): allow non-admin user role to use HTTP sink/IO nodes
streamkit-devin 00c19eb
docs(auth): align sample skit.toml with safe HTTP node defaults
streamkit-devin b43d792
fix(auth): align sample user role with built-in secure default
streamkit-devin 72ca68d
fix(auth): tighten gateway role core nodes and align user samples
streamkit-devin 6e5d357
fix(auth): make gateway role usable and align user role with built-in
streamkit-devin fd26e79
docs(auth): note audio encoder needed for gateway audio capture
streamkit-devin 8455c91
fix(auth): mirror built-in user asset policy in sample config
streamkit-devin 4f8ebd0
docs(auth): scope gateway role comment to web-capture example
streamkit-devin File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
📝 Info: http_input/http_output are implicitly allowed for oneshot regardless of allowlist
Adding
streamkit::http_inputandstreamkit::http_outputto theuserrole'sallowed_nodesis harmless but redundant for the oneshot path:apps/skit/src/server/oneshot.rs:529-536explicitly skips these marker kinds, treating them as implicitly allowed whenever oneshot execution is permitted. The allowlist entries only have an effect at the otheris_node_allowedcall sites (sessions/websocket/mcp/validation), where these oneshot-only marker nodes would not normally appear. Net: the entries are safe and the documented gateway example is still correct, just over-specified for oneshot use.Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
Playground
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks — agreed, info-only and correct. The oneshot path (
server/oneshot.rs) skips these marker kinds so they're implicitly allowed there; the allowlist entries only matter at the session/websocket/mcp/validationis_node_allowedcall sites. I'm keeping them for consistency with the documentedgatewayrole example (and the newsamples/skit.tomlrole) so the same allowlist works whether or not a node is gated — over-specified but not incorrect.