From 0fca23ca2573d2cfe4a4284b2bb8d0c9a950eaf5 Mon Sep 17 00:00:00 2001 From: user Date: Thu, 23 Apr 2026 20:49:17 -0400 Subject: [PATCH] fix(api-server): register pre-auth interceptors when only GRPC_SERVICE_ACCOUNT is set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The init() guard from #1452 required AMBIENT_API_TOKEN to be non-empty before registering gRPC pre-auth interceptors. On Stage, only GRPC_SERVICE_ACCOUNT is set (no AMBIENT_API_TOKEN), so the interceptors were never registered and the OIDC service caller logic was dead code. Evidence from Stage api-server startup logs — no bearer token init messages appear, confirming early return at line 27-29: I0423 23:54:22.927314 Enabling JWT authentication middleware (no "Service token auth enabled" or "OIDC service account" log) Fix: register interceptors when either env var is set. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude
---
.../ambient-api-server/pkg/middleware/bearer_token.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/components/ambient-api-server/pkg/middleware/bearer_token.go b/components/ambient-api-server/pkg/middleware/bearer_token.go
index b8501776e..d7dc15cf9 100644
--- a/components/ambient-api-server/pkg/middleware/bearer_token.go
+++ b/components/ambient-api-server/pkg/middleware/bearer_token.go
@@ -24,12 +24,14 @@ var httpBypassPaths = map[string]bool{
 func init() {
 token := os.Getenv(ambientAPITokenEnv)
- if token == "" {
- glog.Infof("Service token auth disabled: %s not set", ambientAPITokenEnv)
+ serviceAccount := os.Getenv(grpcServiceAccountEnv)
+ if token == "" && serviceAccount == "" {
+ glog.Infof("Service token auth disabled: neither %s nor %s set", ambientAPITokenEnv, grpcServiceAccountEnv)
 return
 }
- serviceAccount := os.Getenv(grpcServiceAccountEnv)
- glog.Infof("Service token auth enabled via %s (gRPC only)", ambientAPITokenEnv)
+ if token != "" {
+ glog.Infof("Service token auth enabled via %s (gRPC only)", ambientAPITokenEnv)
+ }
 if serviceAccount != "" {
 glog.Infof("OIDC service account username: %s", serviceAccount)
 }
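Review bot: After the relaxed guard, everything below it in init() can now run with `token == ""`, which the old early return made impossible; the interceptor registration lies outside this hunk, so whether it copes with that is not visible here. If the static-token path compares the presented bearer value against `token` without first checking that `token` is non-empty, an empty credential could be accepted as the service token when only GRPC_SERVICE_ACCOUNT is set. That comparison should be gated on `token != ""`, and a test for the service-account-only configuration should assert that an empty or absent bearer value is rejected. A comment above the guard such as `// token may be empty below when only grpcServiceAccountEnv is set` would record the new invariant for later readers.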