fix(moq-relay): allow connecting to parent of token root #1247

Merged: kixelated merged 3 commits into main from fix/relay-parent-root, Apr 9, 2026

@kixelated

Collaborator

Summary

  • Allow clients to connect to a parent path of their token's root (e.g., connect to / with token root demo). Permissions are automatically scoped to the token's root.
  • Simplify permission scoping logic by extracting a shared scope closure for subscribe/publish filtering.
  • Update boy service to use /bin/bash -c for shell expansion in ExecStart (systemd doesn't expand $(cmd)).
  • Document the new connection path behavior in auth docs.

Test plan

  • 44 unit tests pass (4 new tests for parent-path connections)
  • Deploy and verify boy services connect successfully
  • Verify existing JWT-authenticated clients still work

🤖 Generated with Claude Code

kixelated and others added 2 commits April 8, 2026 19:41
The relay no longer requires the connection URL path to exactly match
or extend the token's root. Connecting to a parent path (e.g. "/" with
token root "demo") is now valid — permissions are scoped to the token's
root automatically. This simplifies client configuration since they
don't need to encode the root path in the connection URL.

Also updates the boy service to connect to /demo and use relative
prefixes, and documents the new connection path behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

systemd doesn't expand $(cmd) in ExecStart — the JWT command
substitution was being passed literally as part of the URL.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
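
The connection-path behaviour described in the first commit message above, as an added Rust sketch that is not moq-relay's own code: `segments`, `strip` and `scope` are hypothetical names, and the way grants are narrowed when the connection path extends the root is an assumption. Paths are compared per segment so that a root of `demo` cannot match a connection path of `demolition`.

```rust
// Added illustration with hypothetical names; not moq-relay's API.
// Paths are compared per '/'-separated segment, never as raw strings.
fn segments(path: &str) -> Vec<&str> {
    path.split('/').filter(|s| !s.is_empty()).collect()
}

/// If `prefix` is a whole-segment prefix of `path`, return what follows it.
fn strip<'a>(path: &[&'a str], prefix: &[&str]) -> Option<Vec<&'a str>> {
    if path.len() >= prefix.len() && &path[..prefix.len()] == prefix {
        Some(path[prefix.len()..].to_vec())
    } else {
        None
    }
}

/// Re-express token grants (relative to `root`) relative to the connection
/// path `conn`. Returns None when `conn` and `root` do not overlap.
fn scope(conn: &str, root: &str, grants: &[&str]) -> Option<Vec<String>> {
    let (conn, root) = (segments(conn), segments(root));
    if let Some(missing) = strip(&root, &conn) {
        // conn is root or a parent of it: pin every grant under the root.
        return Some(grants.iter().map(|g| {
            let mut p = missing.clone();
            p.extend(segments(g));
            p.join("/")
        }).collect());
    }
    // conn extends root (assumed narrowing): keep only overlapping grants.
    let sub = strip(&conn, &root)?;
    Some(grants.iter().filter_map(|g| {
        let g = segments(g);
        if let Some(rest) = strip(&g, &sub) {
            Some(rest.join("/")) // grant lies at or below conn
        } else if strip(&sub, &g).is_some() {
            Some(String::new()) // grant covers all of conn
        } else {
            None // grant is elsewhere in the tree
        }
    }).collect())
}

fn main() {
    // Constructed inputs matching the PR's example: connect to "/" with root "demo".
    println!("{:?}", scope("/", "demo", &["", "room1"]));
    println!("{:?}", scope("/demo/room1", "demo", &["room1/alice", "room2"]));
    println!("{:?}", scope("/demolition", "demo", &[""]));
}
```
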
@coderabbitai

coderabbitai Bot commented Apr 9, 2026

Contributor

Walkthrough

This PR updates relay JWT authorization to allow bidirectional overlap between connection paths and token roots and centralizes permission scoping logic; adds async tests for the new cases. Documentation for connection-path semantics and key resolution was revised. Service and deployment artifacts were changed: the moq-boy systemd ExecStart and URL/path arguments were modified; several Justfiles now auto-generate tokens before deploy; README token instructions were simplified. CDN health/monitor scripts were changed to remove JWT-based query authentication and perform unauthenticated fetches.

🚥 Pre-merge checks | ✅ 3 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'fix(moq-relay): allow connecting to parent of token root' directly describes the main change in the changeset—enabling clients to connect to parent paths of their token root, which is the primary objective of the PR. |
| Description check | ✅ Passed | The description is related to the changeset, covering the main feature (connecting to parent paths with scoped permissions), code simplification, systemd configuration fix, and documentation updates that align with the file modifications. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


Each subdirectory's `just deploy` now generates its own JWT token
from the root key, so only the root key needs manual setup.

- relay: generates cluster.jwt
- pub: generates demo-pub.jwt
- boy: generates demo-boy.jwt with correct root/permissions
- health checks use anonymous subscribe (no JWT needed)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1


📥 Commits

Reviewing files that changed from the base of the PR and between a012adc and ffff0b7.

📒 Files selected for processing (7)
  • cdn/README.md
  • cdn/boy/boy.service.tftpl
  • cdn/boy/justfile
  • cdn/common/monitor.sh
  • cdn/health.sh
  • cdn/pub/justfile
  • cdn/relay/justfile
✅ Files skipped from review due to trivial changes (1)
  • cdn/README.md

Comment thread cdn/boy/boy.service.tftpl
ExecStart=/var/lib/moq/pkg/bin/moq-boy \
--url "https://${domain}?jwt=$(cat /var/lib/moq/boy.jwt)" \
ExecStart=/bin/bash -c '/var/lib/moq/pkg/bin/moq-boy \
--url "https://${domain}/demo?jwt=$(cat /var/lib/moq/demo-boy.jwt)" \
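
Review bot: The `$(cat /var/lib/moq/demo-boy.jwt)` substitution in the new `--url` line has no failure handling: if the file is missing or empty, the substitution expands to an empty string and moq-boy is still started with `jwt=` instead of the unit failing. Add an `ExecStartPre=` check that the file exists and is non-empty, and start the binary with `exec` inside the `bash -c` string so the service's main process is moq-boy rather than the wrapper shell. The expanded token is also still passed on the command line, so it remains visible in the process arguments.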


⚠️ Potential issue | 🟠 Major

Avoid embedding raw JWT in the URL query string.

Line 14 injects the token into --url, which exposes it in process arguments and, with current moq-boy connect logging (rs/moq-boy/src/main.rs Line 249-255 logs %config.url), can leak the credential into journald. Please switch to a non-URL auth path (or minimally redact URL query in logs immediately).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@cdn/boy/boy.service.tftpl` at line 14, Change the template so the raw JWT is
no longer appended to the --url query string; instead read the token from
/var/lib/moq/demo-boy.jwt and send it via an Authorization header or an env var
(e.g. set BOY_JWT and use a --header "Authorization: Bearer $(cat
/var/lib/moq/demo-boy.jwt)" or add a --jwt-file flag the binary can read) rather
than embedding it in --url, and also update the moq-boy connect logging (the
code that currently logs %config.url) to redact or strip query parameters before
logging; specifically replace the usage of --url with a header/env/jwt-file
approach and sanitize %config.url in the logger.
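
One way to do the log redaction the review comment asks for, as an added example that is not moq-boy's code: `redact_url` is a hypothetical helper and the URL in `main` is a constructed placeholder. It covers only the logging path; the token is still visible in the process arguments.

```rust
// Added illustration; `redact_url` is a hypothetical helper, not part of moq-boy.
// Uses only std so it runs without the `url` crate.

/// Return `url` with the values of the named query parameters replaced,
/// so the result is safe to hand to a logger.
fn redact_url(url: &str, secret_keys: &[&str]) -> String {
    // A fragment, if present, follows the query and is kept unchanged.
    let (head, fragment) = match url.split_once('#') {
        Some((h, f)) => (h, Some(f)),
        None => (url, None),
    };
    let (base, query) = match head.split_once('?') {
        Some(parts) => parts,
        None => return url.to_string(), // no query string, nothing to redact
    };
    let pairs: Vec<String> = query
        .split('&')
        .map(|pair| {
            // The key is everything before the first '='.
            let key = pair.split('=').next().unwrap_or(pair);
            if secret_keys.iter().any(|k| k.eq_ignore_ascii_case(key)) {
                format!("{}=<redacted>", key)
            } else {
                pair.to_string()
            }
        })
        .collect();
    let mut out = format!("{}?{}", base, pairs.join("&"));
    if let Some(f) = fragment {
        out.push('#');
        out.push_str(f);
    }
    out
}

fn main() {
    // Constructed sample: placeholder host and token, not values from the PR.
    let url = "https://relay.example.com/demo?jwt=aaaa.bbbb.cccc&debug=1";
    println!("connecting to {}", redact_url(url, &["jwt"]));
}
```
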

@kixelated kixelated merged commit ccb1601 into main Apr 9, 2026
2 checks passed
@kixelated kixelated deleted the fix/relay-parent-root branch April 9, 2026 03:26