Per-project actor IDs via HMAC-SHA256#77
Merged
shikokuchuo merged 4 commits into main from Mar 22, 2026
Closes #75.
fyi @cscheid this is the follow up to #71 as we discussed on Friday.
Previously, every user had a single actor ID across all projects (SHA-256 of their OIDC sub claim). This meant anyone who could observe Automerge sync traffic across several projects could trivially correlate activity to the same user. This PR makes actor IDs project-scoped.
How it works
Actor IDs are derived by signing the combination of the user's identity and the project ID with a server-held secret. This means the same user gets a different actor ID in each project, so activity cannot be correlated across projects. Within a single project, the ID is stable across sessions and devices.
Server changes
A new /auth/actor?project=<id> endpoint returns the actor ID for the authenticated user scoped to a specific project. The HMAC key is a 32-byte secret stored in hub.json, auto-generated on first startup. It can be overridden via the QUARTO_HUB_SERVER_SECRET environment variable for container deployments. The hub.json file is written with restricted permissions (0o600) so other system users cannot read it. /auth/me no longer returns an actor ID, since the ID depends on which project is being accessed.
Client changes
The actor ID is no longer fetched at login. Instead, it is fetched from the server just before connecting to a project, since the ID depends on which project is being opened. If the session has expired at that point, the user is sent to the login screen immediately.