fix(pam): key grants by gscSID, not NextAuth user.id

The kit's session.user.id is a NextAuth UUID — opaque, per-session
plumbing. The canonical cross-service identity is the FreeIPA uid
exposed as `gscSid` in the kit session. Grants written by gscMy
must use that key so gscAdmin's authz lookup (which uses the
same gscSID-as-key convention) hits them.

- All /api/pam/* routes now require `user.gscSid` instead of `user.id`
- authz.hasRole/requireRole/hasAnyRole take `{gscSid,roles}` shape
- whoami debug endpoint now shows gscSid for verification
- New helper src/lib/session-helpers.ts:getGscsid() for callers

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Super User
2026-05-18 14:08:10 +02:00
parent cb85c1de7a
commit ccf601c178
9 changed files with 66 additions and 43 deletions

@@ -31,7 +31,7 @@ spec:
spec:
containers:
- name: my-ui
image: registry.gosec.internal/gsc-my/ui:v0.1.2
image: registry.gosec.internal/gsc-my/ui:v0.1.3
imagePullPolicy: Always
ports:
- containerPort: 3000
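Review bot: the tag bump from `ui:v0.1.2` to `ui:v0.1.3` ships the gscSid-keyed lookup to the cluster, but neither this manifest nor the commit message says what happens to grants already persisted under the NextAuth `user.id` key; after the rollout those rows will no longer match gscAdmin's gscSID lookup and the affected users silently lose access. Suggest either a one-off migration that rewrites existing grant keys from `user.id` to `gscSid` before this deployment goes out, or an explicit statement in the commit message that no pre-existing grants need carrying over. Minor: with `imagePullPolicy: Always` and a floating version tag, the running image can drift from what was reviewed; pinning the image by digest would make the rollout reproducible.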