fix(worker-auth): unify token checks and bind job environment
This commit is contained in:
@@ -6,6 +6,7 @@ import type { Doc } from './_generated/dataModel';
|
||||
import { internal } from './_generated/api';
|
||||
import { action } from './_generated/server';
|
||||
import { decryptSecret } from './secretCrypto';
|
||||
import { assertWorkerToken } from './workerAuth';
|
||||
|
||||
type ClaimedJob = {
|
||||
job: Doc<'agentJobs'>;
|
||||
@@ -41,19 +42,13 @@ type WorkerClaim = {
|
||||
secrets: { name: string; value: string }[];
|
||||
};
|
||||
|
||||
const requireWorkerToken = (workerToken: string) => {
|
||||
const expected = process.env.SPOON_WORKER_TOKEN?.trim();
|
||||
if (!expected) throw new ConvexError('SPOON_WORKER_TOKEN is not configured.');
|
||||
if (workerToken !== expected) throw new ConvexError('Invalid worker token.');
|
||||
};
|
||||
|
||||
export const claimNextForWorker = action({
|
||||
args: {
|
||||
workerId: v.string(),
|
||||
workerToken: v.string(),
|
||||
},
|
||||
handler: async (ctx, args): Promise<WorkerClaim | null> => {
|
||||
requireWorkerToken(args.workerToken);
|
||||
assertWorkerToken(args.workerToken);
|
||||
const claimed = (await ctx.runMutation(
|
||||
internal.agentJobs.claimNextInternal,
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user