Rework auth

[ScriptSmith]

Re-work the authentication to combine gateway and control plane endpoints, reduce options to 4:

• "none" - No authentication at all. For single-user local machine use. API keys can still be used for attributing cost etc, but are not required.
• "api_key" - Require a standard API key using one of the supported headers.
• "idp" - Require a session cookie obtained through the login flow, or a Bearer token. API keys can also be used, but are not required.
• "iap" - Use headers from the reverse proxy to authenticate. API keys can also be used, but are not required.
  idisyncracies

[Copilot]

Pull request overview

This PR reworks Hadrian’s authentication configuration and runtime logic to use a single global [auth.mode] across gateway + admin endpoints, removing legacy “gateway vs admin” auth split and pushing JWT/SSO validation toward per-organization registries.

Changes:

• Introduces unified auth mode config (none, api_key, idp, iap) and updates runtime auth plumbing accordingly (removing global OIDC authenticator and global JWT validator).
• Extends SSRF URL validation with options to allow private IP ranges (while always blocking cloud metadata), and threads these options through OIDC/JWKS discovery paths.
• Updates UI OpenAPI/docs/deploy examples and lockfile overrides to align with the new auth model and dependency security updates.

Reviewed changes

Copilot reviewed 51 out of 52 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
ui/src/api/openapi.json	Updates embedded API documentation/config examples for new [auth.mode] layout.
ui/pnpm-lock.yaml	Updates dependency overrides and lock entries (minimatch, serialize-javascript, etc.).
ui/package.json	Updates dependency overrides matching lockfile changes.
src/wizard.rs	Updates wizard output/config generation to emit [auth.mode] + related sections.
src/validation/url.rs	Adds UrlValidationOptions and validate_base_url_opts, expands SSRF rules + tests.
src/validation/mod.rs	Re-exports new URL validation API.
src/routes/ws.rs	Migrates WS auth to new auth config accessors and shared session validation.
src/routes/execution.rs	Updates test AppState initialization for removed fields.
src/routes/auth.rs	Removes global OIDC fallback; standardizes session config lookup and shared session store usage.
src/routes/api.rs	Updates comments to reference auth.mode.
src/routes/admin/ui_config.rs	Derives UI auth methods from AuthMode.
src/routes/admin/sso_connections.rs	Reports SSO connection info based on AuthMode (per-org SSO now).
src/routes/admin/sessions.rs	Removes global OIDC authenticator fallback for session store lookup.
src/routes/admin/session_info.rs	Reports session/auth mode info based on AuthMode.
src/routes/admin/org_sso_configs.rs	Uses new SSRF validation options and threads allow_private_urls into validation/registry updates.
src/routes/admin/mod.rs	Updates inline config examples to [auth.mode]/[auth.api_key]/[auth.session].
src/routes/admin/me_api_keys.rs	Uses api_key_config() for key generation prefix selection.
src/routes/admin/api_keys.rs	Uses api_key_config() for key generation prefix selection.
src/openapi.rs	Updates OpenAPI doc snippets for new auth config structure.
src/middleware/combined.rs	Refactors header auth flow to key off AuthMode; updates tests.
src/middleware/authz.rs	Updates documentation wording around “auth not configured”.
src/middleware/admin.rs	Switches admin auth to per-org registry/session store and updates SSRF options threading.
src/main.rs	Removes global OIDC/JWT validator from AppState; updates route wiring and startup logging.
src/config/server.rs	Adds allow_private_urls server option with docs/default.
src/config/mod.rs	Updates validation rules and feature checks for new auth mode + IAP safety checks.
src/config/auth.rs	Introduces AuthMode, IapConfig, and unified auth config accessors/validation/tests.
src/auth/session_store.rs	Updates config path references in session model docs.
src/auth/registry.rs	Loads only OIDC configs in OIDC registry initialization.
src/auth/oidc.rs	Threads allow_private through discovery/JWKS lookup.
src/auth/gateway_jwt.rs	Threads allow_private through per-org JWT registry building/lookup.
src/auth/discovery.rs	Uses validate_base_url_opts and threads allow_private for SSRF validation.
docs/content/docs/troubleshooting.mdx	Updates auth config examples to [auth.mode]/[auth.api_key].
docs/content/docs/security/index.mdx	Renames proxy auth to IAP and aligns examples with new mode model.
docs/content/docs/features/sso-admin-guide.mdx	Updates IdP/JWT requirements text to auth.mode = "idp".
docs/content/docs/features/multi-tenancy.mdx	Updates session config paths in docs.
docs/content/docs/configuration/auth.mdx	Major rewrite: documents unified auth modes, new sections, and removes legacy split.
docs/content/docs/authentication.mdx	Major rewrite: describes single [auth.mode] approach and updated scenarios.
docs/content/docs/api/authentication.mdx	Updates API auth doc to reflect per-org JWT routing via idp mode.
deploy/config/hadrian.university.toml	Updates example config to new auth mode + SSRF allow_private/allow_loopback notes.
deploy/config/hadrian.traefik.toml	Updates auth config sections to new layout.
deploy/config/hadrian.sqlite.toml	Updates auth config sections to new layout.
deploy/config/hadrian.sqlite-redis.toml	Updates auth config sections to new layout.
deploy/config/hadrian.saml.toml	Updates example config to idp mode and SSRF allow_private for Docker setups.
deploy/config/hadrian.redis-cluster.toml	Updates auth config sections to new layout.
deploy/config/hadrian.provider-health.toml	Updates auth config sections to new layout.
deploy/config/hadrian.production.toml	Updates auth config sections to new layout.
deploy/config/hadrian.postgres.toml	Updates auth config sections and IAP example to new layout.
deploy/config/hadrian.postgres-ha.toml	Updates auth config sections to new layout.
deploy/config/hadrian.observability.toml	Updates auth config sections to new layout.
deploy/config/hadrian.keycloak.toml	Updates example config to idp mode + allow_private/allow_loopback + new sections.
deploy/config/hadrian.dlq.toml	Updates auth config sections to new layout.
Dockerfile	Forces fresh main-crate rebuild by removing cached artifacts in the build stage.

Files not reviewed (1)

• ui/pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

AuthMode::ApiKey is documented as “API key required everywhere”, but requires_admin_auth() returns false for ApiKey, which causes admin routes to be mounted without admin_auth_middleware and logged as “UNPROTECTED”. Either update the docs/comments to match the intended behavior, or change requires_admin_auth() (and admin auth implementation) so api_key mode actually protects /admin/* as well.

[Copilot]

build_app treats api_key mode as “admin routes unprotected” because it gates protection on config.auth.requires_admin_auth(). This conflicts with the new auth-mode docs/UI behavior that suggest api_key mode should still require credentials to access admin/control-plane endpoints. If api_key is meant to protect admin routes, this should mount protected routes + middleware for ApiKey too (or otherwise enforce auth on /admin/*).

[Copilot]

try_oidc_session_auth now fetches the session directly and only checks absolute expiration. This bypasses the shared validate_and_refresh_session logic (inactivity timeout, last_activity refresh, etc.), so enhanced sessions may not behave correctly and idle sessions may remain valid longer than intended. Consider switching to validate_and_refresh_session(registry.session_store().as_ref(), session_id, &session_config.enhanced) and mapping its errors as needed.

[Copilot]

The OpenAPI description still states that the Public API “Requires API key authentication”, but this PR introduces multiple auth modes (none, idp, iap) where API keys may be optional or JWT/session/proxy headers can authenticate. The description should be updated to reflect the new auth.mode behavior so client developers don’t get misleading guidance.

[Copilot]

In try_authenticate, the AuthMode::None branch is documented as “optional auth (…don’t require it)”, but it returns Err(MissingCredentials) when no credentials are present. This makes it easy for callers to accidentally treat none mode as requiring auth (or to implement brittle “ignore MissingCredentials” logic). Consider changing the return type to Result<Option<AuthenticatedRequest>, AuthError> (return Ok(None) for truly unauthenticated requests), or at least aligning the docs/behavior so AuthMode::None doesn’t signal an error for the no-credentials case.

[greptile-apps]

Greptile Summary

This PR consolidates authentication from separate gateway and admin configurations into a unified mode system with four clear options: none (local dev), api_key (programmatic only), idp (full SSO + API keys), and iap (reverse proxy auth). The refactoring simplifies the auth architecture by removing the global OIDC/JWT validators in favor of per-organization SSO configurations.

Key Changes

• Unified auth mode: [auth.mode] replaces separate [auth.gateway] and [auth.admin] sections
• Per-org SSO only: Removed global OIDC authenticator, all SSO is now organization-scoped
• Shared session store: Session management consolidated across OIDC/SAML providers
• Format-based detection: In IdP mode, bearer tokens are routed to API key or JWT validation based on prefix
• Enhanced SSRF protection: Added allow_private flag for Docker/K8s while always blocking cloud metadata endpoint
• Bootstrap command: New CLI command for automated initial setup from config

Testing Recommendations

• Verify all auth modes work correctly in their intended environments
• Test that None mode properly handles both anonymous requests and optional API key validation
• Confirm IdP mode correctly rejects ambiguous credentials (simultaneous X-API-Key and Authorization headers)
• Validate that IAP mode requires trusted proxy configuration to prevent header spoofing
• Test the Bootstrap command in both dry-run and live modes

Confidence Score: 4/5

• This PR is safe to merge with careful testing of the new authentication modes in their target environments
• Large refactoring with extensive changes to authentication logic across 56 files. The consolidation from separate gateway/admin auth to unified modes is architecturally sound and well-documented. SSRF protections are properly maintained. However, the scope of changes affecting authentication and authorization requires thorough testing in all deployment scenarios (None, ApiKey, Idp, Iap modes) before production deployment
• Pay close attention to src/middleware/combined.rs and src/middleware/admin.rs for authentication flow validation across all modes

Important Files Changed

Filename	Overview
src/config/auth.rs	Replaced separate gateway/admin auth configs with unified AuthMode enum (None, ApiKey, Idp, Iap) and consolidated helper methods
src/middleware/combined.rs	Updated API middleware to use new AuthMode, added session cookie support for IdP mode, implemented format-based detection for API keys vs JWTs
src/middleware/admin.rs	Added API key admin auth for ApiKey mode, updated proxy auth to use IAP config, removed global OIDC authenticator dependency
src/main.rs	Removed global OIDC/JWT validators, added Bootstrap CLI command, updated route registration to use unified auth mode checks
src/routes/auth.rs	Removed global OIDC fallback - all SSO is now per-org, updated session management to use shared registry session store
src/validation/url.rs	Added allow_private option for Docker/K8s environments, cloud metadata endpoint (169.254.169.254) always blocked regardless of flags

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    Start[Incoming Request] --> CheckMode{Auth Mode?}
    
    CheckMode -->|None| CheckCreds{Has Credentials?}
    CheckCreds -->|No| AllowAnon[Allow Anonymous]
    CheckCreds -->|Yes| ValidateOptional[Validate API Key]
    ValidateOptional -->|Valid| AuthSuccess[Authenticated]
    ValidateOptional -->|Invalid| AuthFail[401 Unauthorized]
    
    CheckMode -->|ApiKey| ValidateKey[Validate API Key Required]
    ValidateKey -->|Valid| AuthSuccess
    ValidateKey -->|Invalid/Missing| AuthFail
    
    CheckMode -->|Idp| CheckDual{Both X-API-Key<br/>and Authorization?}
    CheckDual -->|Yes| Ambiguous[400 Ambiguous Credentials]
    CheckDual -->|No| TrySession[Try Session Cookie]
    TrySession -->|Valid| AuthSuccess
    TrySession -->|None| TryApiKeyOrJWT[Try API Key or JWT]
    TryApiKeyOrJWT -->|API Key Valid| AuthSuccess
    TryApiKeyOrJWT -->|JWT Valid| AuthSuccess
    TryApiKeyOrJWT -->|None/Invalid| AuthFail
    
    CheckMode -->|Iap| CheckProxy{From Trusted<br/>Proxy?}
    CheckProxy -->|No| ProxyFail[403 Forbidden]
    CheckProxy -->|Yes| TryIapHeaders[Try Identity Headers]
    TryIapHeaders -->|Valid| AuthSuccess
    TryIapHeaders -->|None| TryIapKey[Try API Key]
    TryIapKey -->|Valid| AuthSuccess
    TryIapKey -->|None/Invalid| AuthFail

Loading

_{Last reviewed commit: 68cccf9}

[Copilot]

Pull request overview

Copilot reviewed 55 out of 56 changed files in this pull request and generated 4 comments.

Files not reviewed (1)

• ui/pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

allow_private currently also permits IPv4 link-local addresses (169.254.0.0/16) except for the single metadata IP. Link-local is commonly blocked in SSRF defenses because it can still reach sensitive host/network services; folding it into allow_private makes it easy to over-relax SSRF protections unintentionally. Consider keeping link-local blocked by default even when allow_private is true, or introducing a separate allow_link_local flag with explicit docs and config naming.

[Copilot]

has_credentials checks the configured API key header name, but the later “credentials were provided but invalid” branch only checks literal "X-API-Key" / "Authorization". If a deployment uses a custom header (e.g. "Api-Key"), invalid credentials can be treated as “no credentials” and the request will incorrectly proceed anonymously. Use the configured header name consistently (and/or reuse has_credentials) when deciding whether to reject vs allow anonymous access.

[Copilot]

This production configuration sets auth.mode.type to "none", which disables all authentication for both API and admin endpoints. If an operator uses this file as-is, the gateway will run in production with completely unauthenticated access, allowing any unauthenticated user to invoke models and access admin functionality. Change auth.mode.type to a secure mode such as "api_key", "idp", or "iap" by default, and reserve "none" strictly for clearly-labeled development-only configs.

Suggested change

	type = "none"
	type = "api_key"
	# Note: Do NOT use auth.mode.type = "none" in production. Reserve it for clearly-marked
	# development-only configs if you need to disable authentication locally.

[Copilot]

This PostgreSQL HA production configuration sets auth.mode.type to "none", fully disabling authentication. Deploying this file as-is would expose all gateway and admin endpoints without any access control, enabling unauthorized access to data and model operations. Update the default to a secure mode like "api_key", "idp", or "iap", and ensure "none" is only used in explicitly development/test configurations.

Suggested change

	type = "none"
	type = "api_key"