fix(worker-auth): unify token checks and bind job environment

This commit is contained in:
Gabriel Brown
2026-07-10 17:06:33 -04:00
parent feb3723753
commit 020ffbfb23
6 changed files with 138 additions and 37 deletions
+2 -7
View File
@@ -9,6 +9,7 @@ import { internal } from './_generated/api';
import { action } from './_generated/server';
import { normalizeDotfilePath } from './model';
import { decryptSecret, encryptSecret } from './secretCrypto';
import { assertWorkerToken } from './workerAuth';
const MAX_FILE_BYTES = 512 * 1024; // 512 KB per dotfile
@@ -18,12 +19,6 @@ const getRequiredUserId = async (ctx: ActionCtx): Promise<Id<'users'>> => {
return userId;
};
const requireWorkerToken = (workerToken: string) => {
const expected = process.env.SPOON_WORKER_TOKEN;
if (!expected) throw new ConvexError('Worker token is not configured.');
if (workerToken !== expected) throw new ConvexError('Invalid worker token.');
};
const putOne = async (
ctx: ActionCtx,
ownerId: Id<'users'>,
@@ -114,7 +109,7 @@ type WorkerEnvironment = {
export const getEnvironmentForJob = action({
args: { workerToken: v.string(), jobId: v.id('agentJobs') },
handler: async (ctx, args): Promise<WorkerEnvironment | null> => {
requireWorkerToken(args.workerToken);
assertWorkerToken(args.workerToken);
const raw = await ctx.runQuery(
internal.userEnvironment.getRawEnvironmentForJobInternal,
{ jobId: args.jobId },