feat(extensions): unify auth and configure into single entrypoint (#677)
* feat(extensions): unify auth and configure into single entrypoint
Refactors the extension lifecycle to eliminate the divergence between
chat and gateway paths that caused Telegram setup via chat to fail
(missing webhook secret auto-generation, no token validation).
Key changes:
- Rename save_setup_secrets() → configure(): single entrypoint for
providing secrets to any extension (WasmChannel, WasmTool, MCP).
Validates, stores, auto-generates, and activates.
- Add configure_token(): convenience wrapper for single-token callers
(chat auth card, WebSocket, agent auth mode).
- Refactor auth() to pure status check: remove token parameter,
delete token-storing branches from auth_mcp/auth_wasm_tool,
rename auth_wasm_channel → auth_wasm_channel_status.
- Add ConfigureResult/MissingSecret types for structured responses.
- Replace hardcoded Telegram token validation with generic
validation_endpoint from capabilities.json.
- Update all callers (9 files) to use the new interface.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: use ValidationFailed error variant instead of string matching
Replace brittle msg.contains("Invalid token") checks with a proper
ExtensionError::ValidationFailed variant. configure() now returns
this variant for token validation failures, and callers match on it
directly instead of parsing error message strings.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address review — SSRF protection, error typing, missing-secret selection, WS auth
1. SSRF: call validate_fetch_url() before validation_endpoint HTTP request
2. Transport errors map to ExtensionError::Other (not ValidationFailed)
3. configure_token() picks first *missing* secret, not first non-optional
4. WebSocket error path re-emits AuthRequired on ValidationFailed
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* test: add regression tests for extension lifecycle refactoring
- test_configure_token_picks_first_missing_secret: verifies multi-secret
channels can be configured one secret at a time (commit ce106f4)
- test_auth_is_read_only_for_wasm_channel: verifies auth() has no side
effects and doesn't store secrets (commit 47f8eb6)
- test_validation_failed_is_distinct_error_variant: verifies the typed
error variant can be pattern-matched (commit a318161)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: address review comments — activation dispatch, dead code, caps consolidation
- Fix configure() fallthrough bug: dispatch activation by ExtensionKind
instead of unconditionally calling activate_wasm_channel() for all
non-WasmTool types (MCP servers and channel relays now use their
correct activation methods)
- Remove dead MissingSecret struct and missing_secrets field (never
populated, flagged by reviewer)
- Consolidate capabilities file parsing in configure(): parse once
and reuse for allowed names, validation_endpoint, and auto-generation
- Fix auth() doc comment: note MCP OAuth side effects
- Fix stale save_setup_secrets reference in server.rs comment
- Add regression test for activation dispatch bug
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
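An added example, not code from this commit or the project: it shows why matching on a typed ExtensionError::ValidationFailed is safer than msg.contains("Invalid token") once transport errors map to ExtensionError::Other. Only those two variant names, AuthRequired and the "Invalid token" substring come from the commit message; Probe, WsReply, classify() and both reply functions are hypothetical, and treating every non-2xx status as a rejected token is an assumption.

```rust
#[derive(Debug, PartialEq)]
enum ExtensionError {
    ValidationFailed(String), // the validation endpoint rejected the token
    Other(String),            // anything else, including transport failures
}

// Constructed stand-in for the outcome of the validation_endpoint request.
enum Probe { Status(u16), Transport(String) }

// Assumption: any non-2xx answer means the token was rejected.
fn classify(probe: Probe) -> Result<(), ExtensionError> {
    match probe {
        Probe::Status(200..=299) => Ok(()),
        Probe::Status(c) => Err(ExtensionError::ValidationFailed(format!("Invalid token (HTTP {c})"))),
        Probe::Transport(e) => Err(ExtensionError::Other(format!("validation request failed: {e}"))),
    }
}

#[derive(Debug, PartialEq)]
enum WsReply {
    Activated,
    AuthRequired,  // prompt for the token again
    Error(String), // surface the failure without re-prompting
}

// Typed dispatch: only a real rejection re-emits AuthRequired.
fn reply_typed(r: &Result<(), ExtensionError>) -> WsReply {
    match r {
        Ok(()) => WsReply::Activated,
        Err(ExtensionError::ValidationFailed(_)) => WsReply::AuthRequired,
        Err(ExtensionError::Other(m)) => WsReply::Error(m.clone()),
    }
}

// String-matching dispatch: any message containing the substring looks like a rejection.
fn reply_by_substring(r: &Result<(), String>) -> WsReply {
    match r {
        Ok(()) => WsReply::Activated,
        Err(m) if m.contains("Invalid token") => WsReply::AuthRequired,
        Err(m) => WsReply::Error(m.clone()),
    }
}

fn main() {
    // Constructed transport failure whose text happens to contain the substring.
    let typed = classify(Probe::Transport("upstream proxy body: Invalid token".into()));
    let flat: Result<(), String> = Err("validation request failed: upstream proxy body: Invalid token".into());
    println!("typed:     {:?}", reply_typed(&typed));
    println!("substring: {:?}", reply_by_substring(&flat));
}
```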