Skip to content

fix: replace worker password with per-task JWT tokens #904

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
PythonFZ merged 17 commits into from
Apr 2, 2026
Merged

fix: replace worker password with per-task JWT tokens #904

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
f4132bf
docs: add design spec for worker auth JWT redesign
PythonFZ Apr 1, 2026
4eb17b6
docs: drop unnecessary register guard from worker auth spec
PythonFZ Apr 1, 2026
c446a69
docs: add implementation plan for worker auth JWT redesign
PythonFZ Apr 1, 2026
e0c83f2
refactor: replace worker_password with internal_worker_email in Settings
PythonFZ Apr 1, 2026
a581961
refactor: auto-gen worker password, add lookup_worker_user helper
PythonFZ Apr 1, 2026
c63edb2
refactor: executor accepts per-task JWT token instead of static crede…
PythonFZ Apr 1, 2026
6bb5b12
feat: mint per-task JWT for internal worker via WorkerTokenDep
PythonFZ Apr 1, 2026
5023162
refactor: simplify broker — executor only needs base_url
PythonFZ Apr 1, 2026
e92f58c
feat: block internal worker email from public login endpoint
PythonFZ Apr 1, 2026
d5aa125
chore: remove all worker_password references from Docker and docs
PythonFZ Apr 1, 2026
63aca35
test: add integration test for WorkerTokenDep JWT minting
PythonFZ Apr 1, 2026
a2b7304
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Apr 1, 2026
8411da7
fix: resolve SQLite deadlock in WorkerTokenDep and harden test wiring
PythonFZ Apr 1, 2026
319bb13
fix: wire WorkerTokenDep stub in joblib test conftest
PythonFZ Apr 1, 2026
f5d7e89
refactor: simplify WorkerTokenDep — real dependency, drop login guard
PythonFZ Apr 1, 2026
ba362e1
refactor: remove unused lookup_worker_user helper
PythonFZ Apr 1, 2026
f5df7e6
fix: ensure_internal_worker update path mirrors create flags
PythonFZ Apr 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ RUN WHEEL=$(ls /tmp/*.whl) && uv pip install --system --no-cache-dir --prereleas
# Set environment
ENV PYTHONUNBUFFERED=1 \
PYTHONDONTWRITEBYTECODE=1 \
ZNDRAW_HOST=0.0.0.0
ZNDRAW_SERVER_HOST=0.0.0.0

USER appuser

Expand Down
1 change: 0 additions & 1 deletion docker/templates/.env
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ ZNDRAW_SERVER_WORKER_ENABLED=false

# --- Secrets (MUST change in production) ---
ZNDRAW_SERVER_GUEST_PASSWORD=zndraw
ZNDRAW_SERVER_WORKER_PASSWORD=zndraw-worker
ZNDRAW_AUTH_SECRET_KEY=CHANGE-ME-IN-PRODUCTION-SECRET!
ZNDRAW_AUTH_RESET_PASSWORD_TOKEN_SECRET=CHANGE-ME-RESET
ZNDRAW_AUTH_VERIFICATION_TOKEN_SECRET=CHANGE-ME-VERIFY
Expand Down
1 change: 0 additions & 1 deletion docs/superpowers/plans/2026-03-25-pydantic-settings-phase1.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -329,7 +329,6 @@ Apply renames across all five files:
- `ZNDRAW_REDIS_URL` → `ZNDRAW_SERVER_REDIS_URL`
- `ZNDRAW_WORKER_ENABLED` → `ZNDRAW_SERVER_WORKER_ENABLED`
- `ZNDRAW_GUEST_PASSWORD` → `ZNDRAW_SERVER_GUEST_PASSWORD`
- `ZNDRAW_WORKER_PASSWORD` → `ZNDRAW_SERVER_WORKER_PASSWORD`

Leave unchanged: `ZNDRAW_AUTH_*`, `ZNDRAW_URL`, `ZNDRAW_USER`, `ZNDRAW_PASSWORD` (client/auth env vars).

Expand Down
Loading
Loading