JWK key-ring loader hardening

This is a tracking issue for defects in the JWK key-ring loader at lore-server/src/auth/jwk.rs. All four items share the same source file and interact in ways that make merge sequencing important.
Defect detail — cache short-circuit (highest priority, no open PR)
lore-server/src/auth/jwk.rs:89:
if desired.map(|d| cache.get(d)).is_some() { return Ok(()); }
Option::map on a Some(x) always returns Some(…), so .is_some() is
invariantly true whenever desired is Some(_). The intended check was
whether the cache entry for the desired key exists. The actual effect is
that every look-up short-circuits the cache refresh, making key rotation
impossible after startup: any key added to or rotated in the upstream JWKS
will never be picked up until the server restarts.
One-line fix:
if desired.and_then(|d| cache.get(d)).is_some() {
This is a security-significant bug and should be filed and merged before any
other auth changes to bound the risk of adjacent-path regressions.
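To make the map/and_then distinction concrete, here is an added, self-contained Rust example (not lore-server code; the KeyCache type, the constructed key IDs and the refresh simulation are assumptions) that runs the buggy predicate and the fixed one against a rotated key ring:

```rust
use std::collections::HashMap;

// Stand-in for the loader's key cache (assumed shape): kid -> key bytes.
type KeyCache = HashMap<String, Vec<u8>>;

// The predicate as written at jwk.rs:89. `map` wraps whatever `cache.get` returns,
// so for `Some(kid)` the outer Option is `Some(..)` even on a miss (`Some(None)`).
fn buggy_should_skip_refresh(cache: &KeyCache, desired: Option<&str>) -> bool {
    desired.map(|d| cache.get(d)).is_some()
}

// The one-line fix: `and_then` flattens the nested Option, so the result is
// `Some(..)` only when the desired kid is actually present in the cache.
fn fixed_should_skip_refresh(cache: &KeyCache, desired: Option<&str>) -> bool {
    desired.and_then(|d| cache.get(d)).is_some()
}

// Simulated refresh path: for each requested kid, either skip or fetch the
// upstream JWKS into the cache; returns how many upstream fetches happened.
fn fetches_after_rotation(
    skip: fn(&KeyCache, Option<&str>) -> bool,
    initial: &KeyCache, upstream: &KeyCache, requested: &[Option<&str>],
) -> usize {
    let mut cache = initial.clone();
    let mut fetches = 0;
    for kid in requested {
        if skip(&cache, *kid) { continue; } // predicate claims the key is cached
        fetches += 1;
        cache.extend(upstream.clone());
    }
    fetches
}

// Constructed sample: the server started with kid-old; upstream has rotated to kid-new.
fn sample_keyring() -> (KeyCache, KeyCache) {
    let initial = KeyCache::from([("kid-old".to_string(), vec![1, 2, 3])]);
    let upstream = KeyCache::from([("kid-new".to_string(), vec![4, 5, 6])]);
    (initial, upstream)
}

fn main() {
    let (initial, upstream) = sample_keyring();
    let reqs = [Some("kid-new"), Some("kid-new"), Some("kid-old")];
    let buggy = fetches_after_rotation(buggy_should_skip_refresh, &initial, &upstream, &reqs);
    let fixed = fetches_after_rotation(fixed_should_skip_refresh, &initial, &upstream, &reqs);
    println!("buggy predicate: {buggy} fetches (rotated key never loaded)");
    println!("fixed predicate: {fixed} fetch (loaded on first miss, then cached)");
}
```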
Child issues and related items
- jwk.rs:89: cache short-circuit (defect detail above; highest priority, no open PR)
- lore-server auth helpers + handlers: Internal Error on missing alg/kid (jwk.rs:141,146)
- file:// scheme rejected (jwk.rs, fetch_new_keys)

Merge sequencing recommendation
File and merge the jwk.rs:89 one-line cache fix as a standalone PR.
The file:// scheme item: low-risk, independent.

Background
Identified in the open-bug theme analysis (triage/2026-06-bug-theme-analysis.md, branch valentina2509:docs/bug-theme-analysis).

Note: issue #60 is also listed under the error-handling hygiene tracking issue because its symptom (opaque Internal Error) fits that cluster as well.