Summary
The gRPC service implementation (OpenShellService in crates/openshell-server/src/grpc.rs) has no auth interceptor or middleware. All RPCs — create_sandbox, delete_sandbox, exec_sandbox, create_ssh_session, etc. — are accessible to any client that completes the TLS handshake.
When allow_unauthenticated=true (set via --disable-gateway-auth), mTLS client certs become optional, meaning all gRPC RPCs are completely unauthenticated.
The test at crates/openshell-server/tests/edge_tunnel_auth.rs (line 21–26) explicitly documents this gap: "TLS handshake succeeds, but in production the auth middleware (not yet implemented) would reject."
Impact
- Severity: High
- Any client that can reach the server port can create sandboxes, execute commands, delete resources, and access provider credentials.
- This mode is intended for Cloudflare Tunnel deployments where edge authentication is handled externally, but the application itself currently has no fallback.
Proposed Fix
Add a tonic interceptor that validates either:
- The TLS client certificate peer identity (when mTLS is enabled), or
- The `cf-access-jwt-assertion` header (when `allow_unauthenticated=true`)
on every inbound RPC. Reject requests that fail both checks.
At minimum, emit a startup warning when --disable-gateway-auth is used.
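The gate the proposed fix describes, written out as an added example (this is not OpenShell's code, and the `AuthPolicy`, `Verdict` and `verify_edge_jwt` names are assumptions for illustration). It uses only the standard library so the decision logic can be exercised offline: an mTLS peer identity is always sufficient; without one, the `cf-access-jwt-assertion` header is consulted only when `allow_unauthenticated=true`, and a request that satisfies neither check is rejected. Real verification of the Access JWT (signature against Cloudflare's published keys, audience, expiry) is delegated to the injected `verify_edge_jwt` hook; the two stubs at the bottom stand in for it. The tonic wiring is sketched in a comment rather than compiled.

```rust
use std::collections::HashMap;

/// Header carrying the Cloudflare Access assertion (name as used in the issue).
pub const CF_ACCESS_HEADER: &str = "cf-access-jwt-assertion";

/// Result of the per-RPC gate.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    /// A TLS client certificate was presented; `subject` is its peer identity.
    MtlsPeer { subject: String },
    /// No client cert, but a verified Cloudflare Access assertion was supplied.
    EdgeAssertion { token: String },
    /// Neither check passed; the interceptor maps this to gRPC UNAUTHENTICATED.
    Unauthenticated(&'static str),
}

/// Hypothetical policy object; the field names are assumptions for this example.
pub struct AuthPolicy {
    /// Mirrors `allow_unauthenticated` (set by --disable-gateway-auth in the issue).
    pub allow_unauthenticated: bool,
    /// Hook that verifies the Access JWT (signature against Cloudflare's public keys,
    /// audience, expiry). Injected so the gate logic itself can be tested offline.
    pub verify_edge_jwt: fn(&str) -> bool,
}

impl AuthPolicy {
    /// The "at minimum" item from the issue: a warning when gateway auth is disabled.
    pub fn startup_warning(&self) -> Option<String> {
        if self.allow_unauthenticated {
            Some(format!(
                "gateway auth disabled: mTLS client certs are optional; every RPC will \
                 rely on the {CF_ACCESS_HEADER} header supplied by the edge"
            ))
        } else {
            None
        }
    }

    /// Decide whether one inbound RPC may proceed.
    /// `peer_cert_subject` is the identity from the TLS client certificate, if any;
    /// `metadata` is the request metadata (gRPC header names are case-insensitive).
    pub fn authorize(&self, peer_cert_subject: Option<&str>, metadata: &HashMap<String, String>) -> Verdict {
        // 1. An mTLS peer identity is sufficient on its own, in either mode.
        if let Some(subject) = peer_cert_subject.filter(|s| !s.is_empty()) {
            return Verdict::MtlsPeer { subject: subject.to_string() };
        }
        // 2. Without a client cert, the edge assertion is consulted only when
        //    allow_unauthenticated=true; otherwise mTLS is mandatory.
        if !self.allow_unauthenticated {
            return Verdict::Unauthenticated("client certificate required");
        }
        let token = metadata
            .iter()
            .find(|(k, _)| k.eq_ignore_ascii_case(CF_ACCESS_HEADER))
            .map(|(_, v)| v.trim())
            .filter(|v| !v.is_empty());
        match token {
            None => Verdict::Unauthenticated("missing cf-access-jwt-assertion header"),
            Some(t) if !looks_like_compact_jws(t) => Verdict::Unauthenticated("malformed cf-access-jwt-assertion"),
            Some(t) if !(self.verify_edge_jwt)(t) => Verdict::Unauthenticated("cf-access-jwt-assertion failed verification"),
            Some(t) => Verdict::EdgeAssertion { token: t.to_string() },
        }
    }
}

/// Cheap structural check before the expensive signature verification:
/// three non-empty base64url segments separated by dots.
fn looks_like_compact_jws(token: &str) -> bool {
    let parts: Vec<&str> = token.split('.').collect();
    parts.len() == 3
        && parts.iter().all(|p| {
            !p.is_empty() && p.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
        })
}

/// Constructed stand-ins for a real verifier, used by main() and the tests.
pub fn stub_accept(_token: &str) -> bool { true }
pub fn stub_reject(_token: &str) -> bool { false }

// Wiring sketch (not compiled here; needs the tonic crate and the generated server):
//   OpenShellServiceServer::with_interceptor(svc, move |req: tonic::Request<()>| {
//       let subject = req.peer_certs().filter(|c| !c.is_empty()).map(|_| "<peer subject>");
//       match policy.authorize(subject, &metadata_as_map(req.metadata())) {
//           Verdict::Unauthenticated(m) => Err(tonic::Status::unauthenticated(m)),
//           _ => Ok(req),
//       }
//   })

fn main() {
    let policy = AuthPolicy { allow_unauthenticated: true, verify_edge_jwt: stub_accept };
    if let Some(w) = policy.startup_warning() {
        eprintln!("WARN {w}");
    }
    let mut md = HashMap::new();
    md.insert(CF_ACCESS_HEADER.to_string(), "eyJhbGci.eyJzdWIi.c2ln".to_string()); // constructed sample
    println!("{:?}", policy.authorize(None, &md));
    println!("{:?}", policy.authorize(None, &HashMap::new()));
}
```

The ordering matters for the failure mode the issue describes: the header is never a substitute for a client certificate unless the operator has explicitly opted into `allow_unauthenticated`, so a server started without `--disable-gateway-auth` still rejects cert-less callers even if they send a plausible-looking assertion.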