Summary
The GrpcAuthnInterceptor.StreamServer entrypoint is security-critical but currently has no unit-test coverage. A regression there could silently allow unauthenticated access on all streaming RPCs, bypassing the JWT authentication hardening introduced in PR #685.
Severity: High — unauthenticated streaming calls are possible if StreamServer has a logic gap.
Work required
Add StreamServer test cases to internal/auth/grpc_authn_interceptor_test.go that mirror the existing unary cases:
- Rejects missing
Authorization header on a private (non-anonymous) method → Unauthenticated
- Rejects unsupported authorization scheme →
Unauthenticated
- Returns JWT validator error as a gRPC
Unauthenticated status, handler not invoked
- Rejects multiple
Authorization headers → Unauthenticated
- Allows anonymous methods without an
Authorization header
- Rejects invalid token on an anonymous method →
Unauthenticated
- Stores validated token in the stream context on success (
TokenFromContext)
Use NewGrpcAuthnInterceptor(), MakeTokenString/MakeTokenObject/TokenFromContext, and MockJwtValidator with a small fake grpc.ServerStream that injects metadata via metadata.NewIncomingContext.
References
Summary
The
GrpcAuthnInterceptor.StreamServerentrypoint is security-critical but currently has no unit-test coverage. A regression there could silently allow unauthenticated access on all streaming RPCs, bypassing the JWT authentication hardening introduced in PR #685.Severity: High — unauthenticated streaming calls are possible if
StreamServerhas a logic gap.Work required
Add
StreamServertest cases tointernal/auth/grpc_authn_interceptor_test.gothat mirror the existing unary cases:Authorizationheader on a private (non-anonymous) method →UnauthenticatedUnauthenticatedUnauthenticatedstatus, handler not invokedAuthorizationheaders →UnauthenticatedAuthorizationheaderUnauthenticatedTokenFromContext)Use
NewGrpcAuthnInterceptor(),MakeTokenString/MakeTokenObject/TokenFromContext, andMockJwtValidatorwith a small fakegrpc.ServerStreamthat injects metadata viametadata.NewIncomingContext.References