@liranbg liranbg commented Jan 4, 2026

📝 Description

This update introduces the ability to filter secret tokens based on the authenticated user ID. The `load_and_prepare_secret_tokens` function now accepts an optional `auth_user_id` parameter, allowing for more granular control over which tokens are loaded.

🛠️ Changes Made

  • Modified `load_and_prepare_secret_tokens` to accept `auth_user_id` and filter tokens accordingly.
  • Added a new method `get_jwt_subject` to extract the 'sub' claim from JWT tokens.
  • Updated the `sync_secret_tokens` function to utilize the authenticated user ID when loading secret tokens.
  • Enhanced unit tests to cover the new filtering behavior based on user ID.

✅ Checklist

  • I updated the documentation (if applicable)
  • I have tested the changes in this PR
  • I confirmed whether my changes are covered by system tests
    • If yes, I ran all relevant system tests and ensured they passed before submitting this PR
    • I updated existing system tests and/or added new ones if needed to cover my changes
  • If I introduced a deprecation:

🧪 Testing

With/without tokens belonging to my user


🔗 References


🚨 Breaking Changes?

  • Yes (explain below)
  • No

🔍️ Additional Notes

….py` to streamline the mocking of HTTPRunDB connection flow for OAuth tests, enhancing test maintainability and clarity.

@elbamit elbamit left a comment


#8823
Please see this PR, it does the same thing at a different place. You can maybe use your function there

return secret_tokens


def validate_secret_tokens(

@elbamit elbamit Jan 5, 2026


validate_secret_tokens checks for:

  • name existence
  • token existence
  • sub = user
  • looks for duplicates

extract_and_validate_tokens_info checks for:

  • name existence
  • sub existence
  • exp existence
  • sub = user
  • looks for duplicates

I think they can be merged into a single function.

If we do decide to keep it separate, let's rename it since it doesn't do just validation, but it actually filters the list of tokens.

Member Author


I will do it in a following PR


@elbamit elbamit left a comment


Looks good

@liranbg liranbg merged commit 92d09ca into mlrun:development Jan 5, 2026
13 checks passed
liranbg added a commit that referenced this pull request Jan 5, 2026
### 📝 Description

Follow-up to #9154. Refactors secret token validation by removing the
standalone `validate_secret_tokens` function and unifying validation
logic into `extract_and_validate_tokens_info`.

---

### 🛠️ Changes Made

- Removed redundant `validate_secret_tokens` function from
`mlrun/auth/utils.py`
- Unified token validation into `extract_and_validate_tokens_info` with
a new `filter_by_authenticated_id` parameter
- Updated `load_and_prepare_secret_tokens` to use the unified validation
function
- Updated tests to reflect the refactored validation logic

---

### ✅ Checklist
- [ ] I updated the documentation (if applicable)
- [x] I have tested the changes in this PR
- [ ] I confirmed whether my changes are covered by system tests
- [ ] If yes, I ran all relevant system tests and ensured they passed
before submitting this PR
- [ ] I updated existing system tests and/or added new ones if needed to
cover my changes
- [ ] If I introduced a deprecation:
  - [ ] I followed the [Deprecation Guidelines](./DEPRECATION.md)
  - [ ] I updated the relevant Jira ticket for documentation

---

### 🧪 Testing

- Unit tests updated to cover the refactored validation logic
- Tests verify token filtering by authenticated user ID with the new
`filter_by_authenticated_id` parameter

---

### 🔗 References
- Ticket link: N/A
- Related PR: #9154

---

### 🚨 Breaking Changes?

- [ ] Yes (explain below)
- [x] No

---

### 🔍️ Additional Notes
This is a code cleanup PR that consolidates duplicate validation logic
introduced in #9154.
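
The checks listed in the review comment above, written as a single filter. This is an added illustration, not mlrun's code and not part of either PR. The function names, the `name`/`token` entry layout and the first-occurrence-wins duplicate rule are assumptions, and the payload is decoded without signature verification, so it only selects which stored tokens to load.

```python
import base64
import json

def jwt_claims_unverified(token):
    """Decode a JWT payload without verifying its signature (selection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def filter_tokens_for_user(entries, auth_user_id):
    """Return (kept, rejected) after the checks listed in the review comment."""
    kept, rejected, seen = [], [], set()
    for entry in entries:
        name, token = entry.get("name"), entry.get("token")
        if not name or not token:
            rejected.append((name, "missing name or token"))
        elif name in seen:
            rejected.append((name, "duplicate name"))  # assumption: first occurrence wins
        else:
            seen.add(name)
            try:
                claims = jwt_claims_unverified(token)
            except ValueError as exc:  # bad base64, bad JSON, wrong segment count
                rejected.append((name, f"malformed token: {exc}"))
                continue
            if "sub" not in claims or "exp" not in claims:
                rejected.append((name, "missing sub or exp"))
            elif claims["sub"] != auth_user_id:
                rejected.append((name, "sub does not match authenticated user"))
            else:
                kept.append(entry)
    return kept, rejected

def make_sample_token(claims):
    """Build an unsigned, constructed JWT-shaped string (sample data only)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"e30.{body}.constructed"  # "e30" is base64url for "{}"

SAMPLE_ENTRIES = [  # constructed sample data
    {"name": "mine", "token": make_sample_token({"sub": "user-1", "exp": 1900000000})},
    {"name": "other", "token": make_sample_token({"sub": "user-2", "exp": 1900000000})},
    {"name": "mine", "token": make_sample_token({"sub": "user-1", "exp": 1900000000})},
    {"name": "no-exp", "token": make_sample_token({"sub": "user-1"})},
    {"name": "broken", "token": "not-a-jwt"},
]
```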