Publish endpoint accepts entries without claims, creating invisible entries #726

@rdimitrov

Description

Problem

The POST /v1/entries publish endpoint has two related bugs in claims validation:

1. Claims not required when auth is enabled

The publish handler allows claims to be omitted from the request body even when
the caller is authenticated (JWT present). When authz is configured, an entry with
NULL claims is invisible to all non-super-admin users — the per-user filter
(checkClaims in claims_filter.go) returns false when recordJSON is empty.

This means publishing without claims silently creates a dead entry that no consumer
can discover through the registry API.

2. Claim consistency check has a nil gap

The mismatch guard on subsequent publishes of the same entry name uses:

if claimsJSON != nil && existing.Claims != nil {

This only fires when both the incoming request and the existing entry have
non-nil claims. The asymmetric cases are silently accepted:

  • First publish with claims, second publish without claims → no error
    (publisher gets 201, no signal anything is wrong)
  • First publish without claims, second publish with claims → no error
    (entry's claims remain NULL from the original insert)

In both cases the publisher receives a success response with no indication of the
inconsistency.

Expected behavior

  1. When authentication is enabled (JWT claims present in context), the claims
    field should be required on publish requests. Omitting it should return
    400 Bad Request.

  2. The claim consistency check should be symmetric — if one side has claims
    and the other doesn't, it should return 409 Conflict (ErrClaimsMismatch),
    forcing the publisher to be explicit.

Impact

  • Entries published without claims when authz is on become permanently invisible
    (except to super-admins)
  • The silent nil-gap means publishers get no feedback when claims are inconsistent
    across versions of the same entry name
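Added example (not the project's own code): the asymmetric guard quoted above beside a symmetric replacement, plus a validatePublish helper that applies the two expected-behaviour rules. Only ErrClaimsMismatch and the guard condition come from the issue; the Entry type, ErrClaimsRequired, the byte comparison of claims and all function names are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ErrClaimsMismatch is named in the issue; ErrClaimsRequired is an assumed name for the 400 case.
var ErrClaimsMismatch = errors.New("claims do not match the existing entry")
var ErrClaimsRequired = errors.New("claims are required when authentication is enabled")

// Entry stands in for the stored entry (the project's type is not shown); nil Claims means none were stored.
type Entry struct{ Claims []byte }

// checkClaimsBuggy reproduces the guard quoted in the issue: it only compares when both sides are non-nil.
func checkClaimsBuggy(claimsJSON []byte, existing *Entry) error {
	if claimsJSON != nil && existing.Claims != nil && !bytes.Equal(claimsJSON, existing.Claims) {
		return ErrClaimsMismatch
	}
	return nil
}

// checkClaimsSymmetric closes the nil gap: any nil/non-nil asymmetry is a conflict, and two non-nil values must agree.
func checkClaimsSymmetric(claimsJSON []byte, existing *Entry) error {
	if (claimsJSON == nil) != (existing.Claims == nil) {
		return ErrClaimsMismatch
	}
	if claimsJSON != nil && !bytes.Equal(claimsJSON, existing.Claims) { // byte comparison is an assumption
		return ErrClaimsMismatch
	}
	return nil
}

// validatePublish: an authenticated publish (JWT present) must carry claims (400), and a
// re-publish of an existing entry name must agree with the stored claims (409).
func validatePublish(authenticated bool, claimsJSON []byte, existing *Entry) error {
	if authenticated && claimsJSON == nil {
		return ErrClaimsRequired
	}
	if existing != nil {
		return checkClaimsSymmetric(claimsJSON, existing)
	}
	return nil
}

func main() {
	existing := &Entry{Claims: []byte(`{"aud":"team-a"}`)} // constructed: first publish carried claims
	// Second publish without claims: the buggy guard returns nil, the symmetric one reports the conflict.
	fmt.Println("buggy:", checkClaimsBuggy(nil, existing), "| symmetric:", checkClaimsSymmetric(nil, existing))
}
```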
