Auth patch

[brucetony]

Keep internal token fetching internal (within k8s)

Summary by CodeRabbit

• Refactor

  • Improved internal service authentication flow and how internal token endpoints are resolved for more consistent and reliable auth header injection.

• Tests

  • Updated and expanded tests covering internal token retrieval and OIDC configuration validation to ensure the new auth behavior is correctly exercised.

[coderabbitai]

Warning

Rate limit exceeded

@brucetony has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 18 minutes and 23 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 18 minutes and 23 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 97ad575b-345c-47cf-9612-1a3574024922

📥 Commits

Reviewing files that changed from the base of the PR and between 45a4862 and 2ff63a2.

📒 Files selected for processing (4)

• hub_adapter/autostart.py
• hub_adapter/integration_test.py
• hub_adapter/routers/kong.py
• hub_adapter/routers/meta.py

📝 Walkthrough

Walkthrough

refactors internal token retrieval: _get_internal_token no longer accepts an oidc_config parameter and derives the service token endpoint from get_svc_oidc_config().token_endpoint; outbound request now uses a direct httpx.post to that endpoint. Tests and test constants updated to use the full /protocol/openid-connect/token endpoints and TEST_SVC_URL.

Changes

Cohort / File(s)	Summary
Core auth refactor hub_adapter/auth.py	Removed oidc_config parameter from _get_internal_token; now calls get_svc_oidc_config().token_endpoint and issues the token request via httpx.post (replaced httpx.Client+SSL-context usage). Updated header construction to return Authorization: Bearer <jwt>.
Test constants tests/constants.py	Rewrote token_endpoint values for TEST_OIDC and TEST_SVC_OIDC (and corresponding response dicts) to "{issuer}/protocol/openid-connect/token" instead of the base issuer URL.
Test fixtures tests/conftest.py	Changed test Settings fallback to set node_svc_oidc_url=TEST_SVC_URL and added TEST_SVC_URL import.
Test cases tests/test_auth.py, tests/test_oidc.py	test_get_internal_token now patches get_svc_oidc_config and calls _get_internal_token(test_settings) without an OIDC arg; mocks use TEST_SVC_OIDC.token_endpoint. test_basic_oidc_fetching reordered to assert mismatch then match scenarios with updated settings.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Add routine to ensure k8s svc URL used for internal token retrieval #153: Changes service OIDC endpoint handling and token retrieval logic; strongly related to this refactor of internal token endpoint usage.

Poem

🐰 I hopped to the token path today,

No extra config in the way,
Settings point the route so grand,
A bearer header in my hand—
Hooray for clearer hops and play!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Auth patch' is vague and generic, using a non-descriptive term that does not convey the specific nature or primary objective of the changeset.	Consider a more descriptive title such as 'Refactor internal token fetching to use configured endpoints' or 'Use provided OIDC endpoints for internal token instead of hardcoded' to clearly reflect the main change.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch auth-patch

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hub_adapter/auth.py`:
- Line 163: The signature of _get_internal_token was changed to remove the
oidc_config parameter, but existing callers still pass (oidc_config, settings)
causing a TypeError; either update each caller to call
_get_internal_token(settings) (remove the oidc_config argument) where referenced
(e.g., callers in modules that invoke _get_internal_token) or add a short
compatibility shim named _get_internal_token that accepts (oidc_config,
settings) and forwards to the new async _get_internal_token(settings) (ignoring
or extracting what’s needed from oidc_config) so existing call sites keep
working until callers are updated.
- Around line 173-175: The code assumes settings.node_svc_oidc_url is always the
issuer base and blindly appends "/protocol/openid-connect/token" to build
int_token_ep; instead detect and normalize the issuer: if node_svc_oidc_url
contains "/.well-known/" take the substring before "/.well-known/" as the
issuer, otherwise use node_svc_oidc_url.rstrip('/'), then build int_token_ep =
issuer + "/protocol/openid-connect/token" and use that for httpx.post; update
references near int_token_ep, node_svc_oidc_url, and the httpx.post call to use
the normalized issuer.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 786ed00a-8103-4970-af64-ba72f3ec651b

📥 Commits

Reviewing files that changed from the base of the PR and between 57f5888 and 7f999e5.

📒 Files selected for processing (5)

• hub_adapter/auth.py
• tests/conftest.py
• tests/constants.py
• tests/test_auth.py
• tests/test_oidc.py