-
Notifications
You must be signed in to change notification settings - Fork 447
feat: local auth disabled mode and dev images #4325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 5 commits
c1ce69f
e0eb1c0
31afe32
62f1aaf
afeb5fb
9e16f52
ad36f41
b398a8d
3160acb
1b90b11
7b91740
5ee5b2e
4a3f9cb
8190d2c
1239b41
b574633
a2621cf
f7b85f6
ee09f00
186511d
2801cf2
7e70b77
6f35c6a
955ceca
e84bee1
ddc7655
07fd6b9
89882df
be1d730
e3da4fe
898e04b
172c9df
f558c89
c0ad591
f5dfd4e
a36199c
afa0ead
6db028a
f3f18cf
819c13c
305d709
ed7d836
54b76a4
ed9477f
07c3852
d5c467e
a327291
7e954e8
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -51,6 +51,8 @@ func (a *AuthZ) authorize(c echo.Context, r *middleware.RouteInfo) error { | |
| var err error | ||
|
|
||
| switch c.Get("auth_strategy").(string) { | ||
| case "noauth": | ||
| err = a.validateUserTenantPermissions(c, r) | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this is interesting...so even in the case of no auth, if the "no-auth" user tries to access a tenant which they're not a member of, it'll fail? that seems like a good default actually, scopes the no-auth to a single tenant and user (not that anyone will/should run this in production, but still) |
||
| case "cookie": | ||
| err = a.handleCookieAuth(c, r) | ||
| case "bearer": | ||
|
|
||
|
mnafees marked this conversation as resolved.
|
Large diffs are not rendered by default.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| import { ExclamationTriangleIcon } from '@heroicons/react/24/outline'; | ||
|
|
||
| export function NoAuthBanner() { | ||
| return ( | ||
| <div | ||
| role="alert" | ||
| className="flex items-center justify-center gap-2 border-b border-red-300 bg-red-600 px-4 py-1.5 text-center text-sm font-medium text-white dark:border-red-800" | ||
| > | ||
| <ExclamationTriangleIcon className="h-4 w-4 flex-shrink-0" /> | ||
| Heads up: local no-auth mode is on, so there's no sign-in and every | ||
| request acts as the default admin. Great for local development, but please | ||
| don't use it in production. | ||
| </div> | ||
| ); | ||
| } |
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,6 @@ | ||
| /// <reference types="next" /> | ||
| /// <reference types="next/image-types/global" /> | ||
| /// <reference path="./.next/types/routes.d.ts" /> | ||
|
|
||
| // NOTE: This file should not be edited | ||
| // see https://nextjs.org/docs/pages/building-your-application/configuring/typescript for more information. | ||
| // see https://nextjs.org/docs/pages/api-reference/config/typescript for more information. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| import { Callout } from "nextra/components"; | ||
|
|
||
| # Local No-Auth Mode | ||
|
|
||
| No-auth mode disables authentication on the Hatchet dashboard and REST API so you can run a local instance without signing in or minting a bearer token for every request. It is intended purely for local development. | ||
|
|
||
| <Callout type="error" emoji="🚫"> | ||
| Never enable no-auth mode in production or on any instance reachable by | ||
| untrusted clients. It removes all authentication from the API and dashboard. | ||
| </Callout> | ||
|
|
||
| ## What it does | ||
|
|
||
| When enabled, no-auth mode resolves every unauthenticated dashboard and REST API request to the seeded admin user (`ADMIN_EMAIL`, default `admin@example.com`). Concretely: | ||
|
|
||
| - **Dashboard** loads without a login screen. | ||
| - **REST API** calls succeed without a bearer token or session cookie. The tenant is taken from the request URL, and the admin user is authorized against it exactly as a signed-in owner would be. | ||
| - A red banner is shown on every dashboard page while it is active. | ||
|
|
||
| ## What it does **not** change | ||
|
|
||
| The gRPC engine is unaffected. Workers and SDK clients still authenticate with an API token as usual, and **the token's tenant is authoritative**. This is deliberate: it means there are no surprises about which tenant a worker runs against. | ||
|
|
||
| So the usual multi-tenant flow works normally: | ||
|
|
||
| 1. Open the dashboard (no login required) and create a tenant. | ||
| 2. Create an API token in that tenant. | ||
| 3. Configure your worker or SDK client with that token — its workflows run in that tenant. | ||
|
|
||
| ## Enabling it | ||
|
|
||
| ### Hatchet CLI | ||
|
|
||
| Pass `--no-auth-mode` to `hatchet server start`: | ||
|
|
||
| ```sh | ||
| hatchet server start --no-auth-mode | ||
| ``` | ||
|
|
||
| ### Environment variable | ||
|
|
||
| Set the following on both the API and engine: | ||
|
|
||
| ```sh | ||
| SERVER_AUTH_NO_AUTH_ENABLED=true | ||
| ``` | ||
|
|
||
| This maps to `auth.noAuthEnabled` in the server config file. | ||
|
|
||
| ## Safety guarantees | ||
|
|
||
| No-auth mode is designed so it cannot be accidentally activated on a managed or production instance: | ||
|
|
||
| - It defaults to **off** and must be explicitly enabled. | ||
| - It is **ignored whenever a custom authenticator is configured** (as it always is on Hatchet Cloud), so it can never take effect there. | ||
| - The server logs a prominent warning on startup while it is enabled. |
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Uh oh!
There was an error while loading. Please reload this page.