
Require at least one auth #244


Merged
merged 6 commits into from
Jul 3, 2025

Conversation

ajmirsky
Collaborator

Changes included in this PR

#187

Current behavior

If, in a legacy (entrypoint) configuration, the auth plugin list is explicitly declared empty, or, in config file-based plugin loading, no BaseAuthPlugin was included (or could provide a positive authentication), the broker would still allow clients to connect via anonymous authentication.

New behavior

In order for a broker to allow access, it must be configured with at least one BaseAuthPlugin which can positively authenticate a client session.

Impact

While a security risk, the legacy behavior of omitting the auth plugin 'filter' in the configuration still allows anonymous clients to connect to the broker.

Checklist

  1. Does your submission pass the existing tests?
  2. Are there new tests that cover these additions/changes?
  3. Have you linted your code locally before submission?
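To make the behavior change concrete, here is an added illustrative model of the two authentication policies described above. It is not amqtt's code: `Session`, `AnonymousAuth`, `PasswordAuth`, `legacy_authenticate`, `strict_authenticate` and `check_auth_config` are all invented for this example, and the credential table is constructed. `legacy_authenticate` models a combiner that starts from "allowed" and so admits everyone when the plugin chain is empty; `strict_authenticate` is the fail-closed alternative that requires at least one plugin to positively authenticate the session.

```python
"""Illustrative model of authenticating an MQTT client session through a chain
of auth plugins. Added example, not amqtt's code; every name here is invented."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Session:
    client_id: str
    username: str | None = None
    password: str | None = None


class AnonymousAuth:
    """Decides only for sessions without a username; abstains (None) otherwise."""

    def __init__(self, allow_anonymous: bool) -> None:
        self.allow_anonymous = allow_anonymous

    def authenticate(self, session: Session) -> bool | None:
        if session.username is None:
            return self.allow_anonymous
        return None


class PasswordAuth:
    """Checks a username/password pair against a constructed in-memory table.
    A real plugin would compare against hashed credentials from a file."""

    def __init__(self, users: dict[str, str]) -> None:
        self._users = users

    def authenticate(self, session: Session) -> bool | None:
        if session.username is None:
            return None
        return self._users.get(session.username) == session.password


def legacy_authenticate(plugins, session: Session) -> bool:
    """Model of the pre-fix combiner: start from 'allowed' and only flip to
    'denied' when some plugin returns False. With an empty plugin list nothing
    ever denies, so every client, anonymous ones included, gets in."""
    allowed = True
    for plugin in plugins:
        if plugin.authenticate(session) is False:
            allowed = False
            break
    return allowed


def strict_authenticate(plugins, session: Session) -> bool:
    """Fail-closed combiner: access requires at least one plugin that positively
    authenticates the session and no plugin that rejects it. An empty chain,
    or a chain in which every plugin abstains, denies."""
    positive = False
    for plugin in plugins:
        result = plugin.authenticate(session)
        if result is False:
            return False
        if result is True:
            positive = True
    return positive


def check_auth_config(plugins) -> list:
    """Startup check: refuse to run a broker with no auth plugin loaded rather
    than discovering the gap at connect time. Returns the auth plugins found."""
    auth_plugins = [p for p in plugins if hasattr(p, "authenticate")]
    if not auth_plugins:
        raise RuntimeError("no auth plugin configured; refusing to start")
    return auth_plugins


if __name__ == "__main__":
    chain = [AnonymousAuth(False), PasswordAuth({"alice": "s3cret"})]
    check_auth_config(chain)
    print(legacy_authenticate([], Session("anon")))                        # True: the legacy hole
    print(strict_authenticate([], Session("anon")))                        # False
    print(strict_authenticate(chain, Session("c1", "alice", "s3cret")))    # True
    print(strict_authenticate(chain, Session("c2")))                       # False: anonymous denied
```

The difference that matters is the starting value of the decision: the legacy combiner has to be told "no", while the strict one has to be told "yes". The startup check complements the per-session check, so a configuration that omits every auth plugin is caught when the broker starts instead of silently admitting clients.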

ajmirsky added 3 commits June 29, 2025 18:29
… (entry points configuration style) or not including a BaseAuthPlugin in loaded plugins still allowed clients to connect to the broker. Security risk, as explicit omission (former) or inadvertent omission (latter) might allow anonymous connections.
@ajmirsky ajmirsky added this to the 0.11.2 milestone Jun 30, 2025
Contributor

@HerrMuellerluedenscheid HerrMuellerluedenscheid left a comment


Nice logic cleanup 👍

@ajmirsky ajmirsky self-assigned this Jul 3, 2025
@ajmirsky ajmirsky merged commit 6b606f0 into Yakifo:0.11.2-rc Jul 3, 2025
7 checks passed
@ajmirsky ajmirsky deleted the require_at_least_one_auth branch July 3, 2025 15:21
ajmirsky added a commit to ajmirsky/amqtt that referenced this pull request Jul 10, 2025