Problem
The POST /v1/entries publish endpoint has two related bugs in claims validation:
1. Claims not required when auth is enabled
The publish handler allows claims to be omitted from the request body even when
the caller is authenticated (JWT present). When authz is configured, an entry with
NULL claims is invisible to all non-super-admin users — the per-user filter
(checkClaims in claims_filter.go) returns false when recordJSON is empty.
This means publishing without claims silently creates a dead entry that no consumer
can discover through the registry API.
2. Claim consistency check has a nil gap
The mismatch guard on subsequent publishes of the same entry name uses:
    if claimsJSON != nil && existing.Claims != nil {
This only fires when both the incoming request and the existing entry have
non-nil claims. The asymmetric cases are silently accepted:
- First publish with claims, second publish without claims → no error
(publisher gets 201, no signal anything is wrong)
- First publish without claims, second publish with claims → no error
(entry's claims remain NULL from the original insert)
In both cases the publisher receives a success response with no indication of the
inconsistency.
Expected behavior
- When authentication is enabled (JWT claims present in context), the claims
  field should be required on publish requests. Omitting it should return
  400 Bad Request.
- The claim consistency check should be symmetric: if one side has claims
  and the other doesn't, it should return 409 Conflict (ErrClaimsMismatch),
  forcing the publisher to be explicit.
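Below is an added example of what a validation step satisfying both points could look like. It is illustrative code written for this issue, not the project's handler, and the names (validateClaims, buggyGuard, Entry, ErrClaimsRequired, the HTTP status mapping) are assumptions. It keeps the original asymmetric guard next to the symmetric one so the two one-sided cases can be compared, and it treats a literal `"claims": null` in the body the same as an omitted field, since json.RawMessage would otherwise hold the non-nil bytes `null` and slip past a plain nil check.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"reflect"
)

// Hypothetical sentinel errors; the project's own ErrClaimsMismatch is assumed to be similar.
var (
	ErrClaimsRequired = errors.New("claims are required when authentication is enabled")
	ErrClaimsMismatch = errors.New("claims do not match the existing entry")
)

// Entry is a minimal stand-in for a stored registry entry. Claims is nil when
// the claims column is NULL.
type Entry struct {
	Name   string
	Claims json.RawMessage
}

// claimsOmitted is true when the request carried no usable claims: the field
// was absent (nil), empty, or the JSON literal null.
func claimsOmitted(raw json.RawMessage) bool {
	t := bytes.TrimSpace(raw)
	return len(t) == 0 || bytes.Equal(t, []byte("null"))
}

// claimsEqual compares two claims documents structurally, so key order and
// whitespace differences do not produce spurious 409s.
func claimsEqual(a, b json.RawMessage) bool {
	var va, vb any
	if err := json.Unmarshal(a, &va); err != nil {
		return false
	}
	if err := json.Unmarshal(b, &vb); err != nil {
		return false
	}
	return reflect.DeepEqual(va, vb)
}

// buggyGuard is the original asymmetric check: it reports a mismatch only when
// BOTH sides have claims, so "claims then none" and "none then claims" pass.
func buggyGuard(incoming json.RawMessage, existing *Entry) bool {
	if incoming != nil && existing != nil && existing.Claims != nil {
		return !claimsEqual(incoming, existing.Claims)
	}
	return false
}

// validateClaims applies both fixes. authenticated reports whether JWT claims
// were found in the request context; existing is the previously published
// entry with the same name, or nil on a first publish. It returns the HTTP
// status the handler should respond with.
func validateClaims(authenticated bool, incoming json.RawMessage, existing *Entry) (int, error) {
	omitted := claimsOmitted(incoming)

	// Fix 1: with auth on, an omitted claims field would insert a NULL-claims
	// entry that no non-super-admin can see, so reject it up front.
	if authenticated && omitted {
		return http.StatusBadRequest, ErrClaimsRequired
	}
	if existing == nil {
		return http.StatusCreated, nil
	}

	// Fix 2: symmetric consistency. One side set and the other NULL is itself a
	// mismatch, not a case to skip.
	existingOmitted := claimsOmitted(existing.Claims)
	if omitted != existingOmitted {
		return http.StatusConflict, ErrClaimsMismatch
	}
	if !omitted && !claimsEqual(incoming, existing.Claims) {
		return http.StatusConflict, ErrClaimsMismatch
	}
	return http.StatusCreated, nil
}

func main() {
	// Constructed sample claims, not real registry data.
	withClaims := json.RawMessage(`{"org":"acme","env":"prod"}`)
	prior := &Entry{Name: "svc", Claims: withClaims}

	code, err := validateClaims(true, nil, nil)
	fmt.Println("authed, omitted:", code, err)
	fmt.Println("old guard fires on claims-then-none:", buggyGuard(nil, prior))
	code, err = validateClaims(false, nil, prior)
	fmt.Println("new check on claims-then-none:", code, err)
	code, err = validateClaims(true, withClaims, &Entry{Name: "svc"})
	fmt.Println("new check on none-then-claims:", code, err)
}
```

The status codes follow the expected behavior above (400 for a missing field under auth, 409 for any inconsistency); the handler would still map those to its usual error body.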
Impact
- Entries published without claims when authz is on become permanently invisible
(except to super-admins)
- The silent nil-gap means publishers get no feedback when claims are inconsistent
across versions of the same entry name