feat: add taxonomy service auth boundary#83
Merged
Conversation
WalkthroughThis pull request adds optional taxonomy service integration to Hub. The changes introduce a new 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@cmd/api/app_test.go`:
- Line 300: The linter fails because there is no blank line before the recorder
declaration after creating the request; add a single blank line between the
request := httptest.NewRequestWithContext(...) statement and the recorder
declaration (e.g., recorder := httptest.NewRecorder()) so the wsl whitespace
rule is satisfied and the build passes.
In `@cmd/api/app.go`:
- Line 396: Add a blank line immediately before the conditional that checks
cfg.Taxonomy.HubInternalAPIToken (the if statement starting with "if
cfg.Taxonomy.HubInternalAPIToken != \"\"") to satisfy the wsl linter; locate
this conditional in app.go (around the handler/initialization section where cfg
is used) and insert a single empty line above it so the linter no longer flags
missing whitespace.
In `@internal/api/handlers/taxonomy_internal_handler.go`:
- Around line 17-23: Update the doc comment on the AuthCheck method of
TaxonomyInternalHandler to state that authentication is enforced by middleware
rather than by this handler; specifically, change the comment to indicate
AuthCheck simply returns a 200 OK JSON confirming successful
authentication/authorization (the actual token validation is performed by
middleware.Auth applied to the route), and ensure the comment references the
middleware.Auth enforcement and the AuthCheck handler name so readers understand
responsibility separation.
In `@internal/service/taxonomy_client.go`:
- Around line 15-18: Add a godoc comment immediately above the exported error
ErrTaxonomyServiceURLRequired describing what it means and when it is returned
(e.g., "ErrTaxonomyServiceURLRequired is returned when the TAXONOMY_SERVICE_URL
environment variable is not set."); place the comment above the var block (next
to ErrTaxonomyServiceTokenRequired if desired) so the documentation generator
picks it up and the intent of ErrTaxonomyServiceURLRequired is clear.
- Around line 58-88: Define a package-level sentinel error (e.g.,
ErrTaxonomyNon2xx) near the top of the file and replace the dynamic error
returned in TaxonomyClient.StartRun when resp.StatusCode is not 2xx with a
wrapped error that uses the sentinel (for example, fmt.Errorf("%w: taxonomy
service returned status %d", ErrTaxonomyNon2xx, resp.StatusCode)); this
preserves a stable sentinel for error checks while still including the status
code as diagnostic context.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: ce1291db-9450-424b-9cc3-a5b572fa89e7
📒 Files selected for processing (11)
.env.examplecharts/hub/templates/NOTES.txtcharts/hub/templates/secret.yamlcharts/hub/values.yamlcmd/api/app.gocmd/api/app_test.gointernal/api/handlers/taxonomy_internal_handler.gointernal/config/config.gointernal/config/config_test.gointernal/service/taxonomy_client.gointernal/service/taxonomy_client_test.go
xernobyl
requested changes
Jun 8, 2026
xernobyl
left a comment
xernobyl
left a comment
Contributor
There was a problem hiding this comment.
Nothing other than the coderabbit comments :)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fixes ENG-1155
Summary
TAXONOMY_SERVICE_URL,TAXONOMY_SERVICE_TOKEN, andHUB_INTERNAL_API_TOKEN./internal/v1/taxonomy/auth-checkbehind the internal Hub token when configured.X-Request-ID..env.exampledocumentation for the beta taxonomy service boundary.Why
ENG-1155 defines the beta auth boundary between Hub and the standalone taxonomy service. Hub remains the API/data authority, while the Python taxonomy service calls only Hub internal APIs using a separate internal token.
Validation
go test -count=1 ./cmd/api ./internal/config ./internal/api/handlers ./internal/servicehelm template hub ./charts/hub --set secrets.stringData.DATABASE_URL=postgres://user:pass@db:5432/hub --set secrets.stringData.API_KEY=hub-api-key --set config.data.TAXONOMY_SERVICE_URL=http://taxonomy.default.svc.cluster.local:8000 --set secrets.stringData.TAXONOMY_SERVICE_TOKEN=taxonomy-service-token --set secrets.stringData.HUB_INTERNAL_API_TOKEN=hub-internal-token