fix(dev-server): inject service role token for unauthenticated function calls #516

Merged: yurynix merged 9 commits into main from fix/dev-server-service-role-unauthenticated on Jun 4, 2026

yurynix commented May 10, 2026

Description

Fixes service-role authorization in the local dev server so asServiceRole works the same way it does in production. Previously the dev server only forwarded the caller's own authorization header to functions, so unauthenticated callers (e.g. public-facing subscribe forms) could not perform privileged service-role operations. The dev server now always mints and injects a service-role JWT, and the RLS/FLS engine recognizes the service principal and bypasses access rules accordingly.

Related Issue

None

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Other (please describe):

Changes Made

  • Added auth/tokens.ts centralizing JWT minting: createJwtToken, createServiceAuthorizationHeader, SERVICE_ROLE_EMAIL (server@server.com), and isServiceSubject.
  • Function proxy (routes/functions.ts) now always injects a freshly-minted Base44-Service-Authorization service token instead of only forwarding the caller's authorization header, mirroring production behavior so asServiceRole works for unauthenticated callers.
  • resolveCurrentUser (routes/entities/current-user.ts) resolves the service-role JWT subject to a synthetic admin SERVICE_USER with is_service: true.
  • RLS/FLS engine (db/rls.ts) short-circuits to allow when user.is_service === true; FLS now treats only undefined rules (not all falsy rules) as "no rule", so explicit false correctly denies normal users while service users bypass it.
  • Entity routes (entities-router.ts) let service users bypass an explicit false delete RLS rule, and align read filtering on !== undefined.
  • Refactored auth-router.ts to import the shared createJwtToken instead of defining its own, removing the duplicated LOCAL_DEV_SECRET.
  • Sorted CLI exports in cli/index.ts (lint fix).

Testing

  • I have tested these changes locally
  • I have added/updated tests as needed
  • All tests pass (npm test)

Checklist

  • My code follows the project's style guidelines
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (if applicable)
  • My changes generate no new warnings
  • I have updated docs/ (AGENTS.md) if I made architectural changes

Additional Notes

Added tests/cli/dev-rls.spec.ts covering service-user RLS/FLS bypass, and expanded tests/cli/dev.spec.ts with coverage for service-token injection on unauthenticated function calls. The service-role token is local-only and signed with the dev LOCAL_DEV_SECRET.


🤖 Generated by Claude | 2026-06-04 08:53 UTC | 3d325cb
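
The rule-evaluation change listed in the description above (service principal short-circuit, and only undefined counting as "no rule"), as an added JavaScript sketch that is not the project's db/rls.ts or current-user.ts. The rule shapes, resolvePrincipal, canAccessFieldLegacy, canAccessField, decisions and the sample data are assumptions made for illustration; only SERVICE_ROLE_EMAIL, isServiceSubject, SERVICE_USER and is_service are names taken from the description.

```javascript
// Added illustration, not the project's code. Assumed rule shapes:
// undefined = no rule declared, boolean = fixed decision, function = predicate.
const SERVICE_ROLE_EMAIL = "server@server.com"; // value named in the PR description
const SERVICE_USER = Object.freeze({ email: SERVICE_ROLE_EMAIL, role: "admin", is_service: true });

function isServiceSubject(email) {
  return email === SERVICE_ROLE_EMAIL;
}

// Map an already-verified JWT subject to a principal (hypothetical helper).
// Added precaution, an assumption rather than something the PR states: a
// stored record never carries is_service, only the synthetic principal does.
function resolvePrincipal(subjectEmail, users) {
  if (isServiceSubject(subjectEmail)) return SERVICE_USER;
  const found = users.find((u) => u.email === subjectEmail);
  return found ? { ...found, is_service: false } : null;
}

// Before: every falsy rule meant "no rule", so an explicit false allowed access.
function canAccessFieldLegacy(rule, user) {
  if (!rule) return true;
  return typeof rule === "function" ? Boolean(rule(user)) : rule === true;
}

// After: the service principal short-circuits; only undefined means "no rule".
function canAccessField(rule, user) {
  if (user?.is_service === true) return true;
  if (rule === undefined) return true;
  return typeof rule === "function" ? Boolean(rule(user)) : rule === true;
}

// Constructed sample data standing in for the dev database and an entity schema.
const sampleUsers = [
  { email: "alice@example.com", role: "user" },
  { email: "mallory@example.com", role: "user", is_service: true },
];
const sampleFieldRules = {
  title: undefined,
  internal_notes: false,
  owner_email: (u) => u !== null && u.role === "admin",
};

// Evaluate every field rule for the principal a subject resolves to.
function decisions(check, subjectEmail) {
  const user = resolvePrincipal(subjectEmail, sampleUsers);
  return Object.fromEntries(
    Object.entries(sampleFieldRules).map(([field, rule]) => [field, check(rule, user)])
  );
}
```

Comparing decisions(canAccessFieldLegacy, ...) with decisions(canAccessField, ...) for the same normal user shows the one field whose outcome flips: the one with an explicit false rule.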

github-actions Bot commented May 10, 2026

🚀 Package Preview Available!


Install this PR's preview build with npm:

npm i @base44-preview/cli@0.0.52-pr.516.3d325cb

Prefer not to change any import paths? Install using npm alias so your code still imports base44:

npm i "base44@npm:@base44-preview/cli@0.0.52-pr.516.3d325cb"

Or add it to your package.json dependencies:

{
  "dependencies": {
    "base44": "npm:@base44-preview/cli@0.0.52-pr.516.3d325cb"
  }
}

Preview published to npm registry — try new features instantly!

// unauthenticated callers (e.g. public-facing subscribe forms).
proxyReq.setHeader(
"Base44-Service-Authorization",
authorization ?? "Bearer base44-dev-service-token",
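
Review bot: The fallback expression authorization ?? "Bearer base44-dev-service-token" in the setHeader call makes the caller's own Authorization value the service credential whenever one is present, so the service-role path runs under whatever identity the caller supplied instead of a distinct service principal. The literal used otherwise is a fixed string rather than a JWT, so any code that parses this header for a subject has nothing to resolve. Consider setting Base44-Service-Authorization to a separately minted service token unconditionally, independent of the authorization variable.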
This is not robust enough even for dev.
authorization is the user's authorization. It means that if a user is logged in locally as a newly created user (also local), then the overall permissions will be limited, which is not expected for server-side authorization.

I think the approach should be more robust than that.
I think Base44-Service-Authorization should be an actual JWT. Maybe a simple solution would be to create a token with an email like server@server.com and then in the code check if the email is "server" and then allow everything, something like that.

Same goes for Bearer base44-dev-service-token: this token will fail for code that relies on the user being present in the JWT:

export async function resolveCurrentUser(

yurynix force-pushed the fix/dev-server-service-role-unauthenticated branch from 55f4cdc to b24046f on June 1, 2026 14:22
yurynix and others added 9 commits June 4, 2026 11:51
…on calls

The function router only forwarded Base44-Service-Authorization when a
user Authorization header was present. Public-facing functions (e.g. a
subscribe form) are called without user auth, so asServiceRole threw
"Service token is required" before making any HTTP request.

In production, Base44 always injects the service role token when
forwarding requests to functions. Mirror that behaviour in the dev server
by defaulting to a synthetic dev token when no user auth header exists.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ated calls

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
yurynix force-pushed the fix/dev-server-service-role-unauthenticated branch from 5927473 to 33ab553 on June 4, 2026 08:52
yurynix merged commit 28d3c78 into main on Jun 4, 2026
17 of 18 checks passed
yurynix deleted the fix/dev-server-service-role-unauthenticated branch on June 4, 2026 10:05