fix: harden auth schemes (server-assigned principal, opaque jwt errors) (#67 #71 #72)

nficano · cursoragent · nficano · commit 6024cf49d2a7 · 2026-06-11T22:12:48.000-04:00
NoneAuth now always returns the configured default principal and ignores
the untrusted PeerInfo principal, closing a per-principal isolation bypass.
JwtAuth returns an opaque rejection reason and logs the underlying decode
error server-side so trust material is not leaked to the peer. AuthRouter's
reserved-scheme list is hoisted to a named constant.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/src/Auth/AuthRouter.php b/src/Auth/AuthRouter.php
@@ -15,6 +15,14 @@
  */
 final class AuthRouter
 {
+    /**
+     * Schemes reserved by RFC §8.2 but not yet implemented; presenting one
+     * surfaces UNIMPLEMENTED rather than a generic unknown-scheme rejection.
+     *
+     * @var list<string>
+     */
+    private const array RESERVED_SCHEMES = ['mtls', 'oauth2'];
+
     /** @var array<string, AuthScheme> */
     private array $schemes = [];
 
@@ -35,7 +43,7 @@ public function verify(Auth $auth, PeerInfo $client): AuthResult
     {
         if (!isset($this->schemes[$auth->scheme])) {
             // mTLS and OAuth2 are reserved (RFC §8.2) but unimplemented in v0.1.
-            if (\in_array($auth->scheme, ['mtls', 'oauth2'], true)) {
+            if (\in_array($auth->scheme, self::RESERVED_SCHEMES, true)) {
                 throw new UnimplementedException(
                     '§8.2',
                     \sprintf('auth scheme %s deferred to v0.2', $auth->scheme),
diff --git a/src/Auth/JwtAuth.php b/src/Auth/JwtAuth.php
@@ -8,6 +8,8 @@
 use Arcp\Messages\Session\PeerInfo;
 use Firebase\JWT\JWT;
 use Firebase\JWT\Key;
+use Psr\Log\LoggerInterface;
+use Psr\Log\NullLogger;
 
 /**
  * `signed_jwt` verification (RFC §8.2). The runtime supplies the trust
@@ -16,10 +18,14 @@
  */
 final readonly class JwtAuth implements AuthScheme
 {
+    private LoggerInterface $logger;
+
     public function __construct(
         private Key $key,
         private string $audience,
+        ?LoggerInterface $logger = null,
     ) {
+        $this->logger = $logger ?? new NullLogger();
     }
 
     #[\Override]
@@ -40,7 +46,12 @@ public function verify(Auth $auth, PeerInfo $client): AuthResult
         try {
             $decoded = JWT::decode($auth->token, $this->key);
         } catch (\Throwable $e) {
-            return AuthResult::reject('jwt verification failed: ' . $e->getMessage());
+            // Keep the wire reason opaque: the underlying decode error can
+            // leak key id, algorithm, or expiry details useful to an
+            // attacker probing trust material. Log it server-side instead.
+            $this->logger->info('jwt verification failed', ['error' => $e->getMessage()]);
+
+            return AuthResult::reject('jwt verification failed');
         }
         $claims = (array) $decoded;
         $aud = $claims['aud'] ?? null;
diff --git a/src/Auth/NoneAuth.php b/src/Auth/NoneAuth.php
@@ -29,6 +29,10 @@ public function verify(Auth $auth, PeerInfo $client): AuthResult
         if ($auth->scheme !== 'none') {
             return AuthResult::reject('scheme mismatch');
         }
-        return AuthResult::accept($client->principal ?? $this->defaultPrincipal);
+        // Always use the configured default principal; do not trust the
+        // principal supplied in the untrusted PeerInfo block (mirrors the
+        // BearerAuth contract). Trusting it would let any anonymous peer
+        // claim an arbitrary principal and bypass per-principal isolation.
+        return AuthResult::accept($this->defaultPrincipal);
     }
 }
diff --git a/tests/Unit/AuthTest.php b/tests/Unit/AuthTest.php
@@ -67,11 +67,12 @@ public function testNoneAccepts(): void
         self::assertSame('public', $result->principal);
     }
 
-    public function testNoneUsesProvidedPrincipal(): void
+    public function testNoneIgnoresPeerSuppliedPrincipal(): void
     {
         $scheme = new NoneAuth('public');
         $result = $scheme->verify(Auth::none(), new PeerInfo('c', '0', principal: 'someone@x'));
-        self::assertSame('someone@x', $result->principal);
+        // The peer-supplied principal must not be trusted (#67).
+        self::assertSame('public', $result->principal);
     }
 
     public function testNoneRejectsWrongScheme(): void

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,10 @@ public function verify(Auth $auth, PeerInfo $client): AuthResult`
`29`	`29`	`if ($auth->scheme !== 'none') {`
`30`	`30`	`return AuthResult::reject('scheme mismatch');`
`31`	`31`	`}`
`32`		`- return AuthResult::accept($client->principal ?? $this->defaultPrincipal);`
	`32`	`+ // Always use the configured default principal; do not trust the`
	`33`	`+ // principal supplied in the untrusted PeerInfo block (mirrors the`
	`34`	`+ // BearerAuth contract). Trusting it would let any anonymous peer`
	`35`	`+ // claim an arbitrary principal and bypass per-principal isolation.`
	`36`	`+ return AuthResult::accept($this->defaultPrincipal);`
`33`	`37`	`}`
`34`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -67,11 +67,12 @@ public function testNoneAccepts(): void`
`67`	`67`	`self::assertSame('public', $result->principal);`
`68`	`68`	`}`
`69`	`69`
`70`		`- public function testNoneUsesProvidedPrincipal(): void`
	`70`	`+ public function testNoneIgnoresPeerSuppliedPrincipal(): void`
`71`	`71`	`{`
`72`	`72`	`$scheme = new NoneAuth('public');`
`73`	`73`	`$result = $scheme->verify(Auth::none(), new PeerInfo('c', '0', principal: 'someone@x'));`
`74`		`- self::assertSame('someone@x', $result->principal);`
	`74`	`+ // The peer-supplied principal must not be trusted (#67).`
	`75`	`+ self::assertSame('public', $result->principal);`
`75`	`76`	`}`
`76`	`77`
`77`	`78`	`public function testNoneRejectsWrongScheme(): void`