@dmartinol
Collaborator

Fix #2870

Add a default anonymous authentication until the operator consistently manages this aspect.

codecov bot commented Dec 5, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.26%. Comparing base (b15418b) to head (2aec274).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2914   +/-   ##
=======================================
  Coverage   56.26%   56.26%           
=======================================
  Files         324      324           
  Lines       31897    31900    +3     
=======================================
+ Hits        17947    17950    +3     
  Misses      12420    12420           
  Partials     1530     1530           

Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
@slyt3
Contributor

slyt3 commented Dec 5, 2025

Hey, was reading through the code and spotted something weird.

You have this default config that sets auth to anonymous:

config := Config{
    Auth: &AuthConfig{
        Mode: AuthModeAnonymous,
    },
}

But up in the AuthMode comments it says it defaults to oauth for "security-by-default". So there's a mismatch between what the docs say and what actually happens.

Anyone who deploys this without thinking about auth config will be running wide open.

Default to oauth and only go anonymous if someone explicitly sets it in the config? People have to consciously choose the insecure option instead of accidentally getting it.

Might be missing context on why it's like this though.
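
The fail-closed default proposed in the comment above, as an added Go example that is not the project's code. Only `AuthConfig`, `Mode` and `AuthModeAnonymous` appear in the thread; `AuthModeOAuth`, `OAuthConfig` and its fields, `ResolveAuth` and `ErrOAuthIncomplete` are assumed names.

```go
package main

import (
	"errors"
	"fmt"
)

type AuthMode string

const (
	AuthModeAnonymous AuthMode = "anonymous"
	AuthModeOAuth     AuthMode = "oauth" // assumed name; the thread only says "oauth"
)

// OAuthConfig and its fields are hypothetical stand-ins for the real OIDC settings.
type OAuthConfig struct{ Issuer, Audience string }

type AuthConfig struct {
	Mode  AuthMode
	OAuth *OAuthConfig
}

var ErrOAuthIncomplete = errors.New("auth mode oauth requires issuer and audience")

// ResolveAuth treats a missing auth block or an empty mode as oauth and never
// falls back to anonymous: incomplete oauth settings are a startup error.
func ResolveAuth(user *AuthConfig) (*AuthConfig, error) {
	if user == nil {
		user = &AuthConfig{}
	}
	switch user.Mode {
	case AuthModeAnonymous: // reachable only when the operator wrote it explicitly
		return &AuthConfig{Mode: AuthModeAnonymous}, nil
	case "", AuthModeOAuth:
		if user.OAuth == nil || user.OAuth.Issuer == "" || user.OAuth.Audience == "" {
			return nil, ErrOAuthIncomplete
		}
		return &AuthConfig{Mode: AuthModeOAuth, OAuth: user.OAuth}, nil
	default:
		return nil, fmt.Errorf("unknown auth mode %q", user.Mode)
	}
}

func main() {
	_, err := ResolveAuth(nil) // constructed input: no auth block at all
	fmt.Println("unset:", err)
	cfg, _ := ResolveAuth(&AuthConfig{Mode: AuthModeAnonymous})
	fmt.Println("explicit:", cfg.Mode)
}
```

With this shape an unconfigured deployment refuses to start instead of serving unauthenticated requests, and anonymous access shows up as an explicit line in the config that a reviewer can search for.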

Collaborator

@ChrisJBurns ChrisJBurns left a comment

Thanks for doing this @dmartinol as it was getting tiring having to manually edit the config configmap. Although I think if we do add this change we'd need to enable it on the CRD too, because if we specify a default of anonymous, we aren't giving users a way of providing oauth. So we should probably allow for the full auth config if we do have it in the operator.

@dmartinol
Collaborator Author

> Thanks for doing this @dmartinol as it was getting tiring having to manually edit the config configmap. Although I think if we do add this change we'd need to enable it on the CRD too, because if we specify a default of anonymous, we aren't giving users a way of providing oauth. So we should probably allow for the full auth config if we do have it in the operator.

This reminds me of another issue I've found: if you manually edit the config configmap the operator should reconcile it back to the (errored) state, but this doesn't happen.

@dmartinol
Collaborator Author

> Hey, was reading through the code and spotted something weird.
>
> You have this default config that sets auth to anonymous:
>
> config := Config{
>     Auth: &AuthConfig{
>         Mode: AuthModeAnonymous,
>     },
> }
>
> But up in the AuthMode comments it says it defaults to oauth for "security-by-default". So there's a mismatch between what the docs say and what actually happens.
>
> Anyone who deploys this without thinking about auth config will be running wide open.
>
> Default to oauth and only go anonymous if someone explicitly sets it in the config? People have to consciously choose the insecure option instead of accidentally getting it.
>
> Might be missing context on why it's like this though.

Hey @slyt3, you are right: I copied only the minimal data types from the equivalent configuration types in the toolhive-registry-server project, to avoid managing the entire oidc stack.
As I replied before, I expect the feature will be completed to make it consistent with the server design, but this was not the goal of this PR.

TL;DR: I'm not forcing anyone to merge this PR, but without this fix the registry server won't start.

@rdimitrov rdimitrov merged commit da8382d into stacklok:main Dec 8, 2025
34 checks passed
Successfully merging this pull request may close these issues.

Registry controller does not initialize the server authentication
