Skip to content

[SECURITY][Wave 4 — DEFERRED] Role authz blocked on multi-user support #344

Description

@krisarmstrong

Severity: LOW (premature) · Wave 4 — DEFERRED

Correction (2026-05-29): role-based authorization on stem is premature and should wait for multi-user support.

Why defer

  1. stem is single-user. Credentials come from env (STEM_AUTH_USERNAME/STEM_AUTH_PASSWORD). There is exactly one principal — it is implicitly admin. Restricting "the only user" has no security value.
  2. UserStore exists but is unused. internal/auth/userstore.go defines a role-aware UserStore interface ("ported from seed") with MemoryUserStore, but auth never calls it — login validates against the env hash directly.
  3. "role" already means operating mode in stem. StemRole = reflector/test_master (RoleContext / RoleGuard / RoleChip across ~30 UI files). Adding user-permission "roles" now would collide with that established concept.

What to do instead

If multi-user lands later, the plan is:

  • Add Role/Permission to auth.Claims
  • Wire UserStore into login
  • requirePermission(min) middleware on destructive endpoints
  • Backfill the env user to admin

No action now.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions