Smoke test: read back with a read-only personal API key (drop /auth/api-key) #3
Draft
szymeo wants to merge 1 commit into
Conversation
…d of /auth/api-key The backend is removing POST /auth/api-key (ingest-key -> full-account JWT escalation). The smoke test now reads back logs/metrics with a read-only personal API key (ldp_), identifying the project via /personal-api-keys/whoami. Needs a LOGDASH_PERSONAL_API_KEY secret.
Why

The backend is removing `POST /auth/api-key`, which traded a project ingest key for a 7-day full-account JWT — a privilege-escalation hole (an ingest credential, embedded in client SDKs, could mint account access). See logdash.io PR #246.

What

The post-publish smoke test no longer escalates. It now reads back logs/metrics with a read-only personal API key (`ldp_…`), and identifies the project from the key itself via `GET /personal-api-keys/whoami` (`access.ids[0]`). Logs readback moves to the scoped `/logs/v2` endpoint.

Required before this can pass (and before merge)

`LOGDASH_PERSONAL_API_KEY` = an `ldp_` key scoped to the smoke-test project: scopes `logs:read` + `metrics:read`, access restricted to that one project.

The ingest key (`LOGDASH_API_KEY`) still does the send half, unchanged. Kept as a draft until the backend is deployed and the secret is set.
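The readback half of the smoke test, as an added illustration of the least-privilege design the description lays out; this is not logdash.io's code and not the PR's own script. Only the paths (`/auth/api-key`, `/personal-api-keys/whoami`, `/logs/v2`), the `ldp_` prefix, the two scope names and `access.ids[0]` come from the PR text. The bearer-token header, the `scopes` field in the whoami body and the `/logs/v2` response shape are assumptions, and the HTTP transport is injected (with a constructed stub) so the example runs offline. The client refuses anything that is not an `ldp_` key, refuses to call the removed escalation endpoint at all, and fails the test if the key is missing a scope or is not restricted to exactly one project, so a mis-scoped secret fails loudly instead of quietly widening what the smoke test can reach.

```python
# Added illustration of the read-only smoke-test readback described in the PR.
# Not logdash.io's code. Transport is injected so it runs offline; the
# Authorization header scheme, the `scopes` field and the /logs/v2 response
# shape are assumptions. Only the paths, the ldp_ prefix, the scope names and
# access.ids[0] come from the PR text.
from typing import Any, Callable, Dict, List, Optional

PERSONAL_KEY_PREFIX = "ldp_"                      # read-only personal key prefix (from PR)
REQUIRED_SCOPES = {"logs:read", "metrics:read"}   # scopes the PR says the key must carry
REMOVED_ENDPOINTS = {"/auth/api-key"}             # escalation endpoint being removed

# fetch(method, path, headers, params) -> parsed JSON body
Fetch = Callable[[str, str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


class SmokeTestError(Exception):
    """Raised when the readback would violate the least-privilege contract."""


def validate_personal_key(key: str) -> str:
    """Only a read-only personal key may be used for readback, never an ingest key."""
    if not key.startswith(PERSONAL_KEY_PREFIX):
        raise SmokeTestError("readback key must be a read-only personal key (ldp_...)")
    return key


class ReadbackClient:
    def __init__(self, key: str, fetch: Fetch) -> None:
        self._key = validate_personal_key(key)
        self._fetch = fetch

    def _get(self, path: str, params: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        # Refuse the removed escalation endpoint even if a call to it is re-added later.
        if path in REMOVED_ENDPOINTS:
            raise SmokeTestError(f"{path} is removed; the smoke test must not escalate")
        headers = {"Authorization": f"Bearer {self._key}"}  # header scheme is an assumption
        return self._fetch("GET", path, headers, params or {})

    def whoami(self) -> str:
        """Identify the project from the key itself (access.ids[0]) and verify its scope."""
        body = self._get("/personal-api-keys/whoami")
        scopes = set(body.get("scopes", []))          # `scopes` field is an assumption
        missing = REQUIRED_SCOPES - scopes
        if missing:
            raise SmokeTestError(f"key lacks scopes {sorted(missing)}")
        ids = body.get("access", {}).get("ids", [])
        if len(ids) != 1:
            # The PR requires access restricted to the one smoke-test project.
            raise SmokeTestError(f"key must be scoped to exactly one project, got {len(ids)}")
        return ids[0]

    def read_logs(self, project_id: str, limit: int = 20) -> List[str]:
        """Read back recent log messages via the scoped /logs/v2 endpoint (shape assumed)."""
        body = self._get("/logs/v2", {"projectId": project_id, "limit": limit})
        return [entry["message"] for entry in body.get("logs", [])]

    def smoke_check(self, expected_message: str) -> bool:
        """True when the message sent by the ingest half shows up in readback."""
        return expected_message in self.read_logs(self.whoami())


# Constructed offline stand-in for the API, keyed by path.
STUB_RESPONSES: Dict[str, Dict[str, Any]] = {
    "/personal-api-keys/whoami": {
        "scopes": ["logs:read", "metrics:read"],
        "access": {"ids": ["proj_smoke_0001"]},
    },
    "/logs/v2": {"logs": [{"message": "smoke-test ping 42"}, {"message": "deploy ok"}]},
}


def make_stub_fetch(responses: Dict[str, Dict[str, Any]]) -> Fetch:
    """Build a fetch() that serves the constructed responses and checks the auth header."""
    def fetch(method: str, path: str, headers: Dict[str, str], params: Dict[str, Any]) -> Dict[str, Any]:
        if method != "GET" or not headers.get("Authorization", "").startswith("Bearer ldp_"):
            raise SmokeTestError("stub only accepts GET with a Bearer ldp_ key")
        return responses[path]
    return fetch


def run_demo(key: str = "ldp_constructed_example_key") -> Dict[str, Any]:
    """End-to-end readback against the constructed stub; returns project id and result."""
    client = ReadbackClient(key, make_stub_fetch(STUB_RESPONSES))
    project = client.whoami()
    return {"project": project, "found": client.smoke_check("smoke-test ping 42")}


if __name__ == "__main__":
    print(run_demo())
```

In the real job, `fetch` would be a thin wrapper around the HTTP client that prefixes the API base URL; everything above it stays the same, and the secret it receives is the `LOGDASH_PERSONAL_API_KEY` the description calls for, never `LOGDASH_API_KEY`.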