Skip to content

feat(BA-5584): migrate keypair auth plugin into core repository#10771

Open
fregataa wants to merge 5 commits intomainfrom
feat/BA-5584-migrate-keypair-auth-plugin
Open

feat(BA-5584): migrate keypair auth plugin into core repository#10771
fregataa wants to merge 5 commits intomainfrom
feat/BA-5584-migrate-keypair-auth-plugin

Conversation

@fregataa
Copy link
Copy Markdown
Member

@fregataa fregataa commented Apr 3, 2026
edited
Loading

Summary

  • Move backend.ai-auth-keypair-plugin source into src/ai/backend/manager/plugin/keypair/ and register hook/webapp entry points in BUILD
  • Update import paths from external plugin layout to core module paths (RootContext_root_app pattern, ai.backend.auth.keypairai.backend.manager.plugin.keypair)
  • Fix duplicate backendai_hook_v20 / backendai_webapp_v20 dict keys in BUILD that caused TOTP entries to be silently overwritten by OpenID entries

This PR migrates the plugin code as-is. Any design improvements to the existing code will be tracked and addressed in separate issues.

Test plan

  • Verify keypair login flow (POST /custom-auth/login) redirects with valid sToken
  • Verify HMAC signature authorization via AUTHORIZE hook

Resolves BA-5584

Copilot AI review requested due to automatic review settings April 3, 2026 08:12
@github-actions github-actions bot added size:L 100~500 LoC comp:manager Related to Manager component labels Apr 3, 2026
fregataa added a commit that referenced this pull request Apr 3, 2026
@fregataa @claude
changelog: add news fragment for PR #10771
32ae8b2 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR migrates the keypair auth plugin into the manager core codebase and registers it via the manager’s plugin entrypoints, while also fixing a BUILD configuration issue that previously overwrote some plugin registrations.

Changes:

  • Add keypair auth webapp + hook plugin implementations under src/ai/backend/manager/plugin/keypair/.
  • Register the new keypair plugin entrypoints and fix duplicate dict keys in src/ai/backend/manager/BUILD so TOTP/OpenID entries don’t get overwritten.
  • Add a Towncrier feature fragment documenting the migration.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 11 comments.

Show a summary per file
File Description
src/ai/backend/manager/plugin/keypair/webapp.py Adds /custom-auth/login webapp endpoint that issues an sToken and redirects.
src/ai/backend/manager/plugin/keypair/utils.py Implements JWT-based sToken serialize/deserialize helpers and config lookup.
src/ai/backend/manager/plugin/keypair/hook.py Adds AUTHORIZE hook plugin intended to authenticate via sToken/HMAC-like token parsing.
src/ai/backend/manager/plugin/keypair/exception.py Defines plugin-specific exceptions for invalid/expired sTokens.
src/ai/backend/manager/plugin/keypair/init.py Defines plugin version.
src/ai/backend/manager/BUILD Registers keypair plugin entrypoints and fixes duplicate hook/webapp dict keys.
changes/10764.feature.md Documents the migration as a feature.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

fregataa and others added 3 commits April 3, 2026 18:20
@fregataa @claude
feat(BA-5584): migrate keypair auth plugin into core repository
d549d4b 
Move backend.ai-auth-keypair-plugin source into
src/ai/backend/manager/plugin/keypair/ and register entry points.
Also fix duplicate dict keys in BUILD for openid/totp entry points.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@fregataa @claude
changelog: add news fragment for PR #10771
cd8b163 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@fregataa @claude
chore(BA-5584): remove standalone version from migrated auth plugins
3a11a52 
These plugins are now part of the core package and no longer need
individual version identifiers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@fregataa fregataa force-pushed the feat/BA-5584-migrate-keypair-auth-plugin branch from 32ae8b2 to 3a11a52 Compare April 3, 2026 09:22
fregataa and others added 2 commits April 3, 2026 18:39
@fregataa @claude
fix(BA-5584): remove __version__ reference from openid webapp
5c6d7ce 
The openid plugin's webapp.py still imported __version__ which was
removed in the previous commit. This caused CI typecheck and component
test failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@fregataa @claude
fix(BA-5584): sync keypair hook with updated plugin source
efd9a2c 
- Read sign_params from request body instead of hook params
- Use attribute access on Row objects instead of dict access
- Select full user row for downstream compatibility

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@fregataa fregataa requested a review from a team April 3, 2026 15:55
@fregataa fregataa added this to the 26.4 milestone Apr 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@fregataa fregataa

Labels

comp:manager Related to Manager component size:L 100~500 LoC

Projects

None yet

Milestone

26.4

Development

Successfully merging this pull request may close these issues.

2 participants

@fregataa