Skip to content

Commit 0b9d901

Browse files
rphansen91Mastra Code (anthropic/claude-opus-4-5)
andcommitted
fix(auth): make dual auth opt-in for backward compatibility
Dual auth is now opt-in: - If studio.auth is NOT configured: Studio uses server.auth (existing behavior) - If studio.auth IS configured: Studio uses it exclusively (no fallback) This preserves backward compatibility while allowing users to opt into strict Studio/API auth isolation. Co-Authored-By: Mastra Code (anthropic/claude-opus-4-5) <noreply@mastra.ai>
1 parent 19e151b commit 0b9d901

1 file changed

Lines changed: 13 additions & 11 deletions

File tree

  • packages/server/src/server/handlers

packages/server/src/server/handlers/auth.ts

Lines changed: 13 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -72,21 +72,23 @@ function loadPermissionPatterns(): Promise<Record<string, unknown> | undefined>
7272

7373
/**
7474
* Helper to get auth provider from Mastra instance.
75-
* When isStudio is true, ONLY returns studio auth (no fallback to server auth).
76-
* This prevents external API consumers from spoofing the studio header.
75+
*
76+
* Dual auth is OPT-IN: if studio.auth is explicitly configured, Studio requests
77+
* use it exclusively. Otherwise, Studio requests fall back to server.auth for
78+
* backward compatibility.
7779
*/
7880
function getAuthProvider(mastra: any, isStudio?: boolean): MastraAuthProvider | null {
79-
// If this is a Studio request, ONLY use studio auth (no fallback)
80-
if (isStudio) {
81-
const studioConfig = mastra.getStudio?.();
82-
if (studioConfig?.auth && typeof studioConfig.auth.authenticateToken === 'function') {
83-
return studioConfig.auth as MastraAuthProvider;
84-
}
85-
// Studio request but no studio auth configured - return null (will result in 401)
86-
return null;
81+
// Check if studio.auth is explicitly configured
82+
const studioConfig = mastra.getStudio?.();
83+
const hasStudioAuth = studioConfig?.auth && typeof studioConfig.auth.authenticateToken === 'function';
84+
85+
// If this is a Studio request AND studio.auth is configured, use it exclusively
86+
if (isStudio && hasStudioAuth) {
87+
return studioConfig.auth as MastraAuthProvider;
8788
}
8889

89-
// Non-studio request: use server auth
90+
// Otherwise (non-studio request, OR studio request without studio.auth configured),
91+
// fall back to server.auth for backward compatibility
9092
const serverConfig = mastra.getServer?.();
9193
if (!serverConfig?.auth) return null;
9294

0 commit comments

Comments
 (0)