From 1348db8f33fafd0672a5e5628aaae6fcfd021467 Mon Sep 17 00:00:00 2001 From: ZGaetano Date: Thu, 4 Jun 2026 05:21:33 +0000 Subject: [PATCH] =?UTF-8?q?fix(node-agent):=20import=20crypto=20=E2=80=94?= =?UTF-8?q?=20auth=20was=20ALWAYS=20failing=20on=20remote=20nodes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit THE root cause of 'container view only shows the primary': checkAgentAuth used crypto.timingSafeEqual but 'crypto' was never imported (ES module). The call threw ReferenceError, the try/catch swallowed it, _bearerEq returned false, so EVERY bearer-token check on a node-agent failed. The primary's own containers showed only because the local node-agent has no NODE_TOKEN (auth skipped). Adding 'import crypto from crypto' makes token comparison work, so the primary mam-api can now read containers + logs from every node. --- services/node-agent/index.js | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/services/node-agent/index.js b/services/node-agent/index.js index ee8f0ba..98ca491 100644 --- a/services/node-agent/index.js +++ b/services/node-agent/index.js @@ -1,6 +1,7 @@ import http from 'http'; import os from 'os'; import fs from 'fs'; +import crypto from 'crypto'; import { spawn } from 'child_process'; const MAM_API_URL = (process.env.MAM_API_URL || 'http://localhost:3000').replace(/\/$/, ''); @@ -961,12 +962,7 @@ function checkAgentAuth(req) { const m = /^Bearer\s+(.+)$/i.exec(hdr); if (!m) return false; const token = m[1]; - const okNode = _bearerEq(token, NODE_TOKEN); - const okShared = _bearerEq(token, CLUSTER_READ_TOKEN); - if (!okNode && !okShared) { - console.warn(`[auth] reject: tok=${token.slice(0,6)}..${token.slice(-6)} CRT=${CLUSTER_READ_TOKEN.slice(0,6)}..${CLUSTER_READ_TOKEN.slice(-6)} match=${token===CLUSTER_READ_TOKEN}`); - } - return okNode || okShared; + return _bearerEq(token, NODE_TOKEN) || _bearerEq(token, CLUSTER_READ_TOKEN); } // ── Driver/SDK install ────────────────────────────────────────────────────