
fix(auth): scope org tools to the caller and document the auth flow#182

Open
annextuckner wants to merge 12 commits into
mainfrom
fix/auth-org-scoping-and-docs
Open

fix(auth): scope org tools to the caller and document the auth flow#182
annextuckner wants to merge 12 commits into
mainfrom
fix/auth-org-scoping-and-docs

Conversation

annextuckner commented Jun 5, 2026
Contributor

What this changes

Tightens authentication in HTTP mode and documents the auth flow for the org-scoped tools.

  • Scope org tools to the caller, not the deploy key (52a87e8). In HTTP mode, organization-aware tools now resolve the caller's own token from the Authorization: Bearer header instead of falling back to the operator's boot-time deploy key. Stdio mode is unchanged. Covered by new tests in test/http-server.test.ts and test/server.test.ts.
  • Document the org-scoped tools and the SOCKET_API_TOKEN / SOCKET_API_KEY auth flow (9b78353). Adds the tool reference and the per-mode authentication guidance to README.md and docs/claude.md/repo/architecture.md.

Auth model after this change

  • Stdio mode: the local user's SOCKET_API_TOKEN authenticates every tool.
  • HTTP mode: org-scoped tools use the caller's bearer token (or OAuth); they no longer borrow the operator's deploy key.

Testing

pnpm test — new HTTP-server and server cases assert the caller-scoped behavior.

Add README reference entries for the organizations, alerts, threat_feed,
package_files, package_file_contents, and package_file_grep tools, plus an
authentication section and a worked organizations -> alerts example. Mirror
the tool inventory in the architecture doc.
…mode

The organizations, alerts, threat_feed, and package_files tools resolved
their Socket token through resolveAuthToken, which falls back to the
boot-time static key. In HTTP mode that key is the deploy operator's, so a
shared/hosted server answered every caller's org lookup with the operator's
private organizations, alerts, and threat feed.

Split the resolver: resolveScopedAuthToken (per-tenant tools) returns the
per-request token, and only falls back to the static key when it is the
local user's own (stdio mode); in HTTP mode it returns undefined so the tool
emits the auth-required error. setStaticApiKey now records whether the key is
shared (HTTP) or user-owned (stdio). Non-OAuth HTTP mode reads the caller's
Authorization: Bearer token into req.auth so per-tenant tools act on the
caller's behalf. depscore keeps the public static fallback since package
scores are not tenant-scoped.
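Added example, not the project's own code: a minimal model of the resolver split the commit message describes, in which the static key fallback is refused for org-scoped tools unless the key is the local user's own. The function names are taken from the commit message; the AuthContext shape, the ownership tag values and the parseBearer helper are assumptions.

```typescript
type KeyOwnership = "user-owned" | "shared";

interface AuthContext {
  // Per-request token, e.g. taken from `Authorization: Bearer <token>` (assumed shape).
  token?: string;
}

let staticApiKey: string | undefined;
let staticKeyOwnership: KeyOwnership = "user-owned";

// Records the boot-time key and whether it belongs to the local user (stdio mode)
// or to the deploy operator of a shared HTTP server.
function setStaticApiKey(key: string | undefined, ownership: KeyOwnership): void {
  staticApiKey = key;
  staticKeyOwnership = ownership;
}

// Pre-fix behaviour, kept for non-tenant tools such as depscore: a caller without
// a token gets the boot-time key, whoever it belongs to.
function resolveAuthToken(auth?: AuthContext): string | undefined {
  return auth?.token ?? staticApiKey;
}

// Hardened resolver for org-scoped tools: the static key is only an acceptable
// fallback when it is the caller's own. On a shared HTTP server it returns
// undefined so the tool emits its auth-required error instead of answering with
// the operator's organizations, alerts or threat feed.
function resolveScopedAuthToken(auth?: AuthContext): string | undefined {
  if (auth?.token) return auth.token;
  return staticKeyOwnership === "user-owned" ? staticApiKey : undefined;
}

// Extracts the token from an `Authorization: Bearer <token>` header value
// (assumed helper standing in for the req.auth population described above).
function parseBearer(header: string | undefined): string | undefined {
  const m = /^Bearer\s+(\S+)$/i.exec(header ?? "");
  return m ? m[1] : undefined;
}
```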
socket-security Bot commented Jun 10, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    Package               Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   untracked@1.6.0       72                      100             100       93            100
Added   rolldown@1.1.0        95                      100             78        99            100
Added   regjsparser@0.13.1    100                     100             85        81            100

View full report

socket-security-staging commented

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    Package               Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   untracked@1.6.0       72                      100             100       94            100
Added   rolldown@1.1.0        95                      100             78        99            100

View full report

socket-security-staging commented

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action   Severity   Alert
Warn     Medium     Low adoption: npm untracked

Location: Package overview

From: package.json (npm/untracked@1.6.0)

Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/untracked@1.6.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
