remove authentication from hero_embedder #14

Open
opened 2026-03-20 16:12:54 +00:00 by despiegk · 3 comments
Owner
 Running `target/debug/hero_embedder_server --start`

INFO: HERO_SECRET not set — RPC authentication disabled.

it's all naked UDS socket

see

/hero_crates_best_practices_check
and
/hero_proc_openrpc

Author
Owner

Implementation Spec for Issue #14: remove authentication from hero_embedder

Objective

Remove all JWT/HERO_SECRET authentication logic from hero_embedder_server and its supporting library. The server runs exclusively on a Unix Domain Socket (UDS), so OS-level access controls provide the only security boundary needed.

Requirements

  1. Remove all JWT validation logic from the RPC handler — no conditional auth, no header inspection, no token validation.
  2. Remove the startup log message about HERO_SECRET.
  3. Remove the auth module from hero_embedder_lib entirely (file + module declaration).
  4. Remove the jsonwebtoken crate from all Cargo.toml files.
  5. Remove the dotenv crate (its only use was loading HERO_SECRET).
  6. Remove HERO_SECRET/HERO_AUTH_URL entries from .env.example and README.md.
  7. Delete docs/AUTHENTICATION.md and crates/hero_embedder_lib/tests/auth_test.sh.
  8. Code must compile cleanly with cargo check after changes.

Files to Modify/Create

  • crates/hero_embedder_server/src/main.rs — remove auth guard in jsonrpc_handler, startup log, validate_admin_from_headers function, JwtValidator import, headers param, dotenv::dotenv() call
  • crates/hero_embedder_lib/src/auth.rs — DELETE entire file
  • crates/hero_embedder_lib/src/lib.rs — remove pub mod auth;
  • crates/hero_embedder_lib/Cargo.toml — remove jsonwebtoken and dotenv deps
  • crates/hero_embedder_server/Cargo.toml — remove dotenv dep
  • Cargo.toml (workspace root) — remove jsonwebtoken and dotenv workspace deps
  • docs/AUTHENTICATION.md — DELETE
  • crates/hero_embedder_lib/tests/auth_test.sh — DELETE
  • .env.example — remove HERO_SECRET and HERO_AUTH_URL entries
  • README.md — remove HERO_SECRET and HERO_AUTH_URL table rows

Implementation Plan

Step 1: Edit crates/hero_embedder_server/src/main.rs

  • Remove use auth::JwtValidator import
  • Delete validate_admin_from_headers function
  • Delete startup HERO_SECRET env check + log message
  • Delete auth guard block inside jsonrpc_handler
  • Remove headers: axum::http::HeaderMap parameter from jsonrpc_handler
  • Remove dotenv::dotenv().ok(); call from main()
    Dependencies: none

Step 2: Delete crates/hero_embedder_lib/src/auth.rs

  • Delete file entirely
    Dependencies: none (parallel with Step 1)

Step 3: Edit crates/hero_embedder_lib/src/lib.rs

  • Remove pub mod auth; line
    Dependencies: Step 2

Step 4: Edit all Cargo.toml files

  • Remove jsonwebtoken and dotenv from crates/hero_embedder_lib/Cargo.toml
  • Remove dotenv from crates/hero_embedder_server/Cargo.toml
  • Remove jsonwebtoken and dotenv workspace deps from root Cargo.toml
    Dependencies: none (parallel with Step 1 and 2)

Step 5: Delete docs and test files, update .env.example and README.md

  • Delete docs/AUTHENTICATION.md
  • Delete crates/hero_embedder_lib/tests/auth_test.sh
  • Remove HERO_SECRET/HERO_AUTH_URL from .env.example
  • Remove HERO_SECRET/HERO_AUTH_URL rows from README.md
    Dependencies: none (parallel)

Step 6: Verify compilation

  • Run cargo check --workspace
    Dependencies: Steps 1–5

Acceptance Criteria

  • cargo check --workspace passes with zero errors
  • No mention of HERO_SECRET anywhere in the repo
  • auth.rs deleted
  • docs/AUTHENTICATION.md deleted
  • RPC calls succeed without any Authorization header

Notes

  • The hero_embedder_proxy has a comment "// Step 3: Forward to upstream (pass through auth headers)" — no logic to remove, just an English comment. Can optionally simplify wording.
  • mcp_docs.html already states "No authentication required" — no changes needed.
  • openrpc.json files have no auth-related fields — no changes needed.
Author
Owner

Implementation Complete

Changes Made

All authentication logic has been removed from hero_embedder.

Files modified:

  • crates/hero_embedder_server/src/main.rs — removed JwtValidator import, validate_admin_from_headers function, HERO_SECRET startup log, auth guard in jsonrpc_handler, headers param, and dotenv::dotenv() call
  • crates/hero_embedder_lib/src/lib.rs — removed pub mod auth; module declaration
  • crates/hero_embedder_lib/Cargo.toml — removed jsonwebtoken and dotenv dependencies
  • crates/hero_embedder_server/Cargo.toml — removed dotenv dependency
  • Cargo.toml (workspace root) — removed jsonwebtoken = "9" and dotenv = "0.15" workspace deps
  • README.md — removed HERO_SECRET and HERO_AUTH_URL rows from env vars table

Files deleted:

  • crates/hero_embedder_lib/src/auth.rs (entire JWT auth module)
  • docs/AUTHENTICATION.md
  • crates/hero_embedder_lib/tests/auth_test.sh
  • .env.example (was only HERO_SECRET/HERO_AUTH_URL, now empty and deleted)

Build Status

cargo check --workspace — ✅ clean, zero errors, zero warnings

Result

The RPC server now accepts all requests on the Unix Domain Socket without any authentication checks. No HERO_SECRET environment variable is needed or consulted. The misleading startup log message is gone.
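
With the JWT check gone, the file permissions on the socket path are the whole access boundary. The following is an added example, not code from hero_embedder or from this thread: one way to bind a socket that only the owning user can reach and to audit an existing socket path. The directory and socket names are constructed, since the thread does not give the server's socket path.

```rust
use std::fs::{self, DirBuilder, Permissions};
use std::io;
use std::os::unix::fs::{DirBuilderExt, FileTypeExt, MetadataExt, PermissionsExt};
use std::os::unix::net::UnixListener;
use std::path::Path;

/// Bind inside a private 0700 directory, then tighten the socket to 0600.
/// The directory is the portable boundary: some systems ignore the mode
/// bits on the socket file itself.
fn bind_private(dir: &Path, name: &str) -> io::Result<UnixListener> {
    match DirBuilder::new().mode(0o700).create(dir) {
        Err(e) if e.kind() != io::ErrorKind::AlreadyExists => return Err(e),
        _ => {}
    }
    // A pre-existing directory may be looser; this fails if we do not own it.
    fs::set_permissions(dir, Permissions::from_mode(0o700))?;
    let path = dir.join(name);
    let _ = fs::remove_file(&path); // stale socket left by a previous run
    let listener = UnixListener::bind(&path)?;
    fs::set_permissions(&path, Permissions::from_mode(0o600))?;
    Ok(listener)
}

/// Audit a socket path; an empty result means no finding.
fn audit_socket(path: &Path) -> io::Result<Vec<String>> {
    let mut findings = Vec::new();
    let meta = fs::symlink_metadata(path)?; // do not follow symlinks
    if !meta.file_type().is_socket() {
        findings.push(format!("{} is not a socket", path.display()));
    }
    if meta.mode() & 0o077 != 0 {
        findings.push(format!("mode {:o} lets group/other connect", meta.mode() & 0o777));
    }
    if let Some(parent) = path.parent() {
        if fs::metadata(parent)?.mode() & 0o022 != 0 {
            findings.push(format!("{} is group/other writable", parent.display()));
        }
    }
    Ok(findings)
}

fn main() -> io::Result<()> {
    // Constructed path for the demo; the real socket location is not on the page.
    let dir = std::env::temp_dir().join(format!("uds_demo_{}", std::process::id()));
    let _listener = bind_private(&dir, "rpc.sock")?;
    println!("findings: {:?}", audit_socket(&dir.join("rpc.sock"))?);
    fs::remove_dir_all(&dir)
}
```

The audit function can run as a startup self-check or in CI against the path the service actually binds.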

Author
Owner

State string fix committed: 02ec72e

The wait_for_healthy loop was checking for state "ok" which never exists in hero_proc (correct value is "running"). Similarly wait_for_halted checked for "halted" instead of "success"/"exited". This caused make run to always time out even when the service started successfully.

Browse: https://forge.ourworld.tf/lhumina_code/hero_embedder/commit/02ec72e
