fix: dogfood workflow + auth bug allowing cross-org OAuth#536
Merged
Conversation
The earlier dogfood PR invented LOBU_DOGFOOD_ANTHROPIC_API_KEY out of nothing. The repo already has ANTHROPIC_API_KEY (used by issue-triage, claude.yml). Use that one instead. Also pin --org atlas explicitly so the workflow targets the Atlas org regardless of what the LOBU_TOKEN's default context is set to. The example dir lives under examples/atlas and its memory.owletto.org is 'atlas', so the apply target should match.
Codecov Report: All modified and coverable lines are covered by tests.
Discovered while bootstrapping #533's dogfood workflow: 'lobu token create --org atlas' from a buremba-bound CLI session failed with 'Token organization does not match URL organization', making it impossible to mint a PAT for any org other than the one the user happened to OAuth into via 'lobu login'.

Root cause: mcpAuth strict-matched the URL org slug against the bearer's bound org for every token type. PATs SHOULD be strict — a PAT minted for org A must never be usable against org B even if the owner has membership in both. OAuth bearers shouldn't — they bind to one org at consent time but the user typically has memberships in many, and the membership check immediately below was already the real authorization gate.

Fix: keep the strict match for PATs; fall through to the URL slug for OAuth and let the membership check decide. The bootstrap path now works ('lobu token create --org X' from any active OAuth session), without weakening PAT scoping.

Tests: 'should reject org-bound PAT on a different organization route' still asserts the strict PAT behavior (no behavior change). Two new tests cover the OAuth path: cross-org with membership -> allowed; cross-org without membership -> 403 'not a member'.
Two CI follow-ups:

1. The cross-org OAuth test was asserting status === 200, but reaching 200 requires the full MCP initialize+notifications/initialized handshake; tools/list without a session returns 400 even when auth passes. The whole point of the test is to prove the auth gate no longer 403s on cross-org OAuth — assert that explicitly instead.

2. The dogfood apply job dies with 'Missing 1 required secret: *$ANTHROPIC_API_KEY' because the repo doesn't have an ANTHROPIC_API_KEY secret yet (issue-triage.yml references it but never had it set; secrets that don't exist evaluate to empty in Actions). Extend the existing skip-if-no-token gate to also skip when ANTHROPIC_API_KEY is empty, with the same exit-0 semantics. Once the secret is added the apply will run automatically.
Two fixes bundled:

1. Workflow secret naming (originally #533 follow-up)

secrets.LOBU_DOGFOOD_ANTHROPIC_API_KEY to the existing ANTHROPIC_API_KEY (used by issue-triage.yml / claude.yml). --org atlas on dry-run + apply so the workflow targets Atlas regardless of the LOBU_TOKEN's default context.

2. lobu token create --org X bug (the real fix)

Found while bootstrapping the dogfood: minting a PAT for any org other than the user's OAuth-bound one returns 403 Token organization does not match URL organization. mcpAuth strict-matched the URL slug against every bearer's bound org. PATs intentionally org-scoped (correct — keep strict). OAuth bearers bind to whichever org the user picked at consent time but users typically have memberships in many orgs, and the membership check at multi-tenant.ts:379 was already the real authorization gate. Fix: keep strict for PATs; fall through to the URL slug for OAuth and let the membership check decide.

lobu token create --org X now works from any active OAuth session (assuming the user has admin role in X).

Tests

not a member. bun run typecheck, bun run format:check clean.