fix(napi): wire NapiServerHandler through IdentityProvider and ForwardingPolicy

NapiServerHandler was bypassing IdentityProvider, calling
config.auth.authenticate_publickey() directly, which meant no Identity
was stored on the session and per-identity forwarding rules could not
match. It also skipped ForwardingPolicy::check() entirely, defeating
forwarding access control for NAPI-served tunnels. Both are now
consistent with ServerHandler and SshHandler behavior.
2026-06-08 05:28:02 +00:00
parent eed3396705
commit 68728451a4
2 changed files with 73 additions and 17 deletions

@@ -1,7 +1,7 @@
---
id: cleanup/napi-identity-provider-wiring
name: Fix NapiServerHandler to use IdentityProvider and ForwardingPolicy
status: pending
status: completed
depends_on:
- review/phase1-core-modifications
scope: moderate
@@ -47,4 +47,4 @@ The core `ServerHandler` and `SshHandler` both correctly use `IdentityProvider`
## Summary
> To be filled on completion
> NapiServerHandler now uses ConfigIdentityProvider for auth (resolving Identity via fingerprint) and evaluates ForwardingPolicy::check() in channel_open_direct_tcpip() with the authenticated identity and transport kind, consistent with ServerHandler and SshHandler. TransportKind is properly tracked per connection instead of using a string.
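Review bot: The new Summary line names only channel_open_direct_tcpip() as the place where ForwardingPolicy::check() is evaluated, so it does not say whether that is the only forwarding entry point NapiServerHandler exposes. Please state that explicitly, or list any other entry points as out of scope, so a reader can tell that forwarding access control is complete for NAPI-served tunnels. It would also help to record what the handler does when no Identity is stored on the session at check time (the expected answer is that the open is refused) and which test covers a denied open. The TransportKind change from a string to a per-connection value is described here but not in the commit message; a one-line mention there would make it easier to find later.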