Skip to content

fix: sign cloudery token under 'settings' subject#28

Merged
rezk2ll merged 1 commit into
mainfrom
fix/cloudery-token-subject-settings
May 11, 2026
Merged

fix: sign cloudery token under 'settings' subject#28
rezk2ll merged 1 commit into
mainfrom
fix/cloudery-token-subject-settings

Conversation

@rezk2ll

@rezk2ll rezk2ll commented May 11, 2026

Copy link
Copy Markdown
Member

Summary

  • The Stack authorizes app-audience JWTs from the permission doc of the webapp named by subject, not from the JWT's scope. Drive's doc has GET only on io.cozy.nextcloud.migrations, so every tracking-doc PUT (setRunning, flushProgress, flushAndFail) returned 403 and migrations died at start without recording the failure.
  • Switch the subject to settings, whose manifest carries full CRUD on io.cozy.nextcloud.migrations alongside the io.cozy.files and io.cozy.settings rules the rest of the run needs.

Drive's installed permission doc grants only GET on
io.cozy.nextcloud.migrations. The Stack ignores a JWT's `scope`
claim for app-audience tokens and authorizes from the named
webapp's perm doc, so every PUT against the tracking doc came
back 403: setRunning failed mid-migration, and the recovery
flushAndFail write 403'd in turn, leaving the doc stuck in
pending. The Settings app owns the migration UI and has ALL
verbs on the doctype, so piggybacking there gives the service
the writes it actually needs.
@rezk2ll rezk2ll merged commit b2c0ef8 into main May 11, 2026
3 checks passed
@github-actions github-actions Bot deleted the fix/cloudery-token-subject-settings branch May 11, 2026 11:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant