fix(moq-relay): allow connecting to parent of token root #1247
The relay no longer requires the connection URL path to exactly match or extend the token's root. Connecting to a parent path (e.g. "/" with token root "demo") is now valid — permissions are scoped to the token's root automatically. This simplifies client configuration since they don't need to encode the root path in the connection URL. Also updates the boy service to connect to /demo and use relative prefixes, and documents the new connection path behavior. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
systemd doesn't expand $(cmd) in ExecStart — the JWT command substitution was being passed literally as part of the URL. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Walkthrough
This PR updates relay JWT authorization to allow bidirectional overlap between connection paths and token roots and centralizes permission scoping logic; adds async tests for the new cases. Documentation for connection-path semantics and key resolution was revised. Service and deployment artifacts were changed: the
Each subdirectory's `just deploy` now generates its own JWT token from the root key, so only the root key needs manual setup.
- relay: generates cluster.jwt
- pub: generates demo-pub.jwt
- boy: generates demo-boy.jwt with correct root/permissions
- health checks use anonymous subscribe (no JWT needed)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 1
📒 Files selected for processing (7)
- cdn/README.md
- cdn/boy/boy.service.tftpl
- cdn/boy/justfile
- cdn/common/monitor.sh
- cdn/health.sh
- cdn/pub/justfile
- cdn/relay/justfile
✅ Files skipped from review due to trivial changes (1)
- cdn/README.md
| ExecStart=/var/lib/moq/pkg/bin/moq-boy \ | ||
| --url "https://${domain}?jwt=$(cat /var/lib/moq/boy.jwt)" \ | ||
| ExecStart=/bin/bash -c '/var/lib/moq/pkg/bin/moq-boy \ | ||
| --url "https://${domain}/demo?jwt=$(cat /var/lib/moq/demo-boy.jwt)" \ |
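Review bot: On the new `--url` line, `$(cat /var/lib/moq/demo-boy.jwt)` expands to an empty string when the file is missing or unreadable, so bash would still launch moq-boy with an empty `jwt=` value instead of the unit failing at start; an `ExecStartPre=` check that the file exists and is non-empty would make that failure visible. On the new `ExecStart=/bin/bash -c '` line, prefixing the command with `exec` would make moq-boy, not bash, the service's main process, and since the closing single quote is outside the lines shown here it is worth confirming it comes after the last argument.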
Avoid embedding raw JWT in the URL query string.
Line 14 injects the token into --url, which exposes it in process arguments and, with current moq-boy connect logging (rs/moq-boy/src/main.rs Line 249-255 logs %config.url), can leak the credential into journald. Please switch to a non-URL auth path (or minimally redact URL query in logs immediately).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@cdn/boy/boy.service.tftpl` at line 14, Change the template so the raw JWT is
no longer appended to the --url query string; instead read the token from
/var/lib/moq/demo-boy.jwt and send it via an Authorization header or an env var
(e.g. set BOY_JWT and use a --header "Authorization: Bearer $(cat
/var/lib/moq/demo-boy.jwt)" or add a --jwt-file flag the binary can read) rather
than embedding it in --url, and also update the moq-boy connect logging (the
code that currently logs %config.url) to redact or strip query parameters before
logging; specifically replace the usage of --url with a header/env/jwt-file
approach and sanitize %config.url in the logger.
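The log redaction this review comment asks for, sketched as an added example (not moq-boy's code and not part of the original review). `redact_url`, `decode_key` and `SECRET_KEYS` are hypothetical names, the URL and token are constructed, and only the `jwt` key named on the page is treated as secret.

```rust
// Added example: redact secret query parameters before a URL is logged.
// Hypothetical names; only the `jwt` key named on the page is treated as secret.
const SECRET_KEYS: &[&str] = &["jwt"];

// Percent-decode and lowercase a query key so `j%77t` and `JWT` are caught too.
fn decode_key(key: &str) -> String {
    let hex = |b: u8| (b as char).to_digit(16).map(|d| d as u8);
    let b = key.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(b.len()), 0);
    while i < b.len() {
        let pair = (b.get(i + 1).copied().and_then(hex), b.get(i + 2).copied().and_then(hex));
        match (b[i], pair) {
            (b'%', (Some(h), Some(l))) => { out.push(h << 4 | l); i += 3; }
            (c, _) => { out.push(c); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).to_ascii_lowercase()
}

// Replace the value of each secret parameter; keep path, other params and fragment.
pub fn redact_url(url: &str) -> String {
    // The fragment (with its leading '#') is split off first: '#' ends the query.
    let (rest, frag) = url.split_at(url.find('#').unwrap_or(url.len()));
    let Some((base, query)) = rest.split_once('?') else {
        return url.to_string();
    };
    let pairs: Vec<String> = query
        .split('&')
        .map(|p| {
            let key = p.split('=').next().unwrap_or("");
            let dk = decode_key(key);
            if SECRET_KEYS.iter().any(|s| *s == dk) {
                format!("{key}=REDACTED")
            } else {
                p.to_string()
            }
        })
        .collect();
    format!("{base}?{}{frag}", pairs.join("&"))
}

fn main() {
    // Constructed URL and token, standing in for the value passed to --url.
    let url = "https://relay.example/demo?jwt=aaa.bbb.ccc";
    println!("connecting url={}", redact_url(url));
}
```

This only protects the log line; the token in `--url` remains visible in the process arguments, which is the other half of the review comment.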
Summary
- `/` with token root `demo`). Permissions are automatically scoped to the token's root.
- `scope` closure for subscribe/publish filtering.
- `/bin/bash -c` for shell expansion in `ExecStart` (systemd doesn't expand `$(cmd)`).

Test plan
🤖 Generated with Claude Code