ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-14 01:50:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #2866 from ergonaworks/fix/agent-auth-jwt-better-auth-secret-fallback

Browse source 
fix(agent-auth): fall back to BETTER_AUTH_SECRET when PAPERCLIP_AGENT_JWT_SECRET is absent
This commit is contained in:
Dotta 2026-04-07 21:49:28 -05:00 committed by GitHub
commit f55a5e557d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 22 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

21
server/src/__tests__/agent-auth-jwt.test.ts
View file

@ -3,12 +3,14 @@ import { createLocalAgentJwt, verifyLocalAgentJwt } from "../agent-auth-jwt.js";
describe("agent local JWT", () => {
const secretEnv = "PAPERCLIP_AGENT_JWT_SECRET";
const betterAuthSecretEnv = "BETTER_AUTH_SECRET";
const ttlEnv = "PAPERCLIP_AGENT_JWT_TTL_SECONDS";
const issuerEnv = "PAPERCLIP_AGENT_JWT_ISSUER";
const audienceEnv = "PAPERCLIP_AGENT_JWT_AUDIENCE";
const originalEnv = {
secret: process.env[secretEnv],
betterAuthSecret: process.env[betterAuthSecretEnv],
ttl: process.env[ttlEnv],
issuer: process.env[issuerEnv],
audience: process.env[audienceEnv],
@ -16,6 +18,7 @@ describe("agent local JWT", () => {
beforeEach(() => {
process.env[secretEnv] = "test-secret";
delete process.env[betterAuthSecretEnv];
process.env[ttlEnv] = "3600";
delete process.env[issuerEnv];
delete process.env[audienceEnv];
@ -26,6 +29,8 @@ describe("agent local JWT", () => {
vi.useRealTimers();
if (originalEnv.secret === undefined) delete process.env[secretEnv];
else process.env[secretEnv] = originalEnv.secret;
if (originalEnv.betterAuthSecret === undefined) delete process.env[betterAuthSecretEnv];
else process.env[betterAuthSecretEnv] = originalEnv.betterAuthSecret;
if (originalEnv.ttl === undefined) delete process.env[ttlEnv];
else process.env[ttlEnv] = originalEnv.ttl;
if (originalEnv.issuer === undefined) delete process.env[issuerEnv];
@ -57,6 +62,22 @@ describe("agent local JWT", () => {
expect(verifyLocalAgentJwt("abc.def.ghi")).toBeNull();
});
it("falls back to BETTER_AUTH_SECRET when PAPERCLIP_AGENT_JWT_SECRET is absent", () => {
delete process.env[secretEnv];
process.env[betterAuthSecretEnv] = "fallback-secret";
vi.setSystemTime(new Date("2026-01-01T00:00:00.000Z"));
const token = createLocalAgentJwt("agent-1", "company-1", "claude_local", "run-1");
expect(typeof token).toBe("string");
const claims = verifyLocalAgentJwt(token!);
expect(claims).toMatchObject({
sub: "agent-1",
company_id: "company-1",
adapter_type: "claude_local",
run_id: "run-1",
});
});
it("rejects expired tokens", () => {
process.env[ttlEnv] = "1";
vi.setSystemTime(new Date("2026-01-01T00:00:00.000Z"));

2
server/src/agent-auth-jwt.ts
View file

@ -26,7 +26,7 @@ function parseNumber(value: string | undefined, fallback: number) {
}
function jwtConfig() {
const secret = process.env.PAPERCLIP_AGENT_JWT_SECRET;
const secret = process.env.PAPERCLIP_AGENT_JWT_SECRET?.trim() || process.env.BETTER_AUTH_SECRET?.trim();
if (!secret) return null;
return {