Revert "feat(shim): forward verified JWT subject to upstream"

This reverts commit b469dab.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: tanyav2

tinfoil/cmd/shim/api.go

@@ -88,13 +88,6 @@ const (
 	errTypeServer            = "server_error"
 )
 
-// subjectHeader carries the authenticated principal (JWT `sub`) from the shim to
-// the upstream workload after a JWT access token is verified in-enclave. The
-// upstream trusts it because the shim is the only path to it and unconditionally
-// strips any client-supplied value before setting its own. Must match the header
-// the upstream (confidential-model-router) reads.
-const subjectHeader = "X-Tinfoil-Subject"
-
 // Client-facing error messages, aligned with OpenAI's standard error messages
 // where applicable. See https://platform.openai.com/docs/guides/error-codes
 const (
@@ -221,20 +214,7 @@ func NewShimServer(
 	}
 
 	proxyHandler := ehbpMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Never trust a client-supplied identity header: the shim is the sole
-		// authority for subjectHeader and (re)sets it only after verifying a
-		// JWT below. Strip it unconditionally, including on unauthenticated
-		// paths, so a forged value can never reach the upstream.
-		r.Header.Del(subjectHeader)
-
 		apiKey := extractBearerToken(r.Header.Get("Authorization"))
-
-		// rateLimitID identifies the caller for the shim's local rate limiter.
-		// It defaults to the bearer credential and is replaced with the verified
-		// JWT subject when available, so a user's bucket is stable across the
-		// short-lived token's refreshes (and across multiple tokens).
-		rateLimitID := apiKey
-
 		if validator != nil && requiresAuth(config.AuthenticatedEndpoints, r.URL.Path) {
 			if len(apiKey) == 0 {
 				writeJSONError(w, errMsgAPIKeyRequired, errTypeInvalidRequest, http.StatusUnauthorized)
@@ -248,28 +228,19 @@ func NewShimServer(
 				Path:          r.URL.Path,
 			}
 
-			res, err := validator.Validate(validationReq)
-			if err != nil {
+			if err := validator.Validate(validationReq); err != nil {
 				log.Printf("Warning: failed to validate API key: %v", err)
 				writeValidationFailure(w, err)
 				return
 			}
-
-			// Forward the verified principal to the upstream so it can attribute
-			// usage and rate limits to a stable identity rather than the
-			// rotating bearer token. Empty for opaque keys (online validator).
-			if res.Subject != "" {
-				r.Header.Set(subjectHeader, res.Subject)
-				rateLimitID = res.Subject
-			}
 		}
 
 		if rateLimiter != nil {
 			if apiKey == "" {
 				writeJSONError(w, errMsgAPIKeyRequired, errTypeInvalidRequest, http.StatusUnauthorized)
 				return
 			}
-			limiter := rateLimiter.Limit(rateLimitID)
+			limiter := rateLimiter.Limit(apiKey)
 			if !limiter.Allow() {
 				writeJSONError(w, errMsgRateLimited, errTypeInvalidRequest, http.StatusTooManyRequests)
 				return

tinfoil/internal/key/jwt/jwt.go

@@ -171,57 +171,55 @@ func NewValidator(jwksURL, issuer, audience, requiredScope string) *Validator {
 	}
 }
 
-func (v *Validator) Validate(req key.Request) (key.Result, error) {
+func (v *Validator) Validate(req key.Request) error {
 	if !isAccessTokenJWT(req.APIKey) {
-		return key.Result{}, key.ErrUnsupportedToken
+		return key.ErrUnsupportedToken
 	}
 
 	token, err := josejwt.ParseSigned(req.APIKey, []jose.SignatureAlgorithm{jose.EdDSA})
 	if err != nil || len(token.Headers) == 0 {
-		return key.Result{}, &key.ValidationError{StatusCode: http.StatusUnauthorized}
+		return &key.ValidationError{StatusCode: http.StatusUnauthorized}
 	}
 
 	// RFC 9068 registers the access-token type as "at+jwt"; RFC 7515 also
 	// permits the equivalent media type carrying an "application/" prefix, so
 	// accept both forms case-insensitively.
 	typ, _ := token.Headers[0].ExtraHeaders[jose.HeaderType].(string)
 	if normalizeType(typ) != accessTokenType {
-		return key.Result{}, &key.ValidationError{StatusCode: http.StatusUnauthorized}
+		return &key.ValidationError{StatusCode: http.StatusUnauthorized}
 	}
 
 	signingKey, ok := v.keys.lookup(token.Headers[0].KeyID)
 	if !ok {
 		v.keys.refreshIfAllowed()
 		signingKey, ok = v.keys.lookup(token.Headers[0].KeyID)
 		if !ok {
-			return key.Result{}, &key.ValidationError{StatusCode: http.StatusUnauthorized}
+			return &key.ValidationError{StatusCode: http.StatusUnauthorized}
 		}
 	}
 
 	var claims josejwt.Claims
 	var ext accessTokenClaims
 	if err := token.Claims(signingKey, &claims, &ext); err != nil {
-		return key.Result{}, &key.ValidationError{StatusCode: http.StatusUnauthorized}
+		return &key.ValidationError{StatusCode: http.StatusUnauthorized}
 	}
 	if claims.Subject == "" || claims.Expiry == nil || claims.IssuedAt == nil || claims.ID == "" || ext.ClientID == "" {
-		return key.Result{}, &key.ValidationError{StatusCode: http.StatusUnauthorized}
+		return &key.ValidationError{StatusCode: http.StatusUnauthorized}
 	}
 
 	if err := claims.Validate(josejwt.Expected{
 		Issuer:      v.issuer,
 		AnyAudience: josejwt.Audience{v.audience},
 		Time:        time.Now(),
 	}); err != nil {
-		return key.Result{}, &key.ValidationError{StatusCode: http.StatusUnauthorized}
+		return &key.ValidationError{StatusCode: http.StatusUnauthorized}
 	}
 
 	if !scopeContains(ext.Scope, v.scope) {
-		return key.Result{}, &key.ValidationError{StatusCode: http.StatusForbidden}
+		return &key.ValidationError{StatusCode: http.StatusForbidden}
 	}
 
-	// The verified subject lets the shim forward a stable identity to the
-	// upstream so usage/rate limits attach to the user, not the rotating token.
-	return key.Result{Subject: claims.Subject}, nil
+	return nil
 }
 
 // isAccessTokenJWT reports whether s is explicitly typed as an access-token

tinfoil/internal/key/jwt/jwt_test.go

@@ -91,28 +91,16 @@ func chatRequest(token string) key.Request {
 	return key.Request{APIKey: token, Path: "/v1/chat/completions"}
 }
 
-// validateErr runs the validator and returns only the error, for the many
-// rejection cases that do not care about the Result. The accepted-token tests
-// call Validate directly to assert the surfaced subject.
-func validateErr(val *Validator, req key.Request) error {
-	_, err := val.Validate(req)
-	return err
-}
-
 func TestValidateAcceptsValidToken(t *testing.T) {
 	pub, priv, _ := ed25519.GenerateKey(nil)
 	srv := jwksServer(t, pub, testKID)
 	defer srv.Close()
 	v := newTestValidator(t, srv.URL)
 
 	token := mintToken(t, priv, testKID, "at+jwt", validClaims(time.Now()), RequiredScope)
-	res, err := v.Validate(chatRequest(token))
-	if err != nil {
+	if err := v.Validate(chatRequest(token)); err != nil {
 		t.Fatalf("expected valid token, got %v", err)
 	}
-	if res.Subject != "user_1" {
-		t.Fatalf("Subject = %q, want user_1", res.Subject)
-	}
 }
 
 func TestValidateFallsThroughForOpaqueKey(t *testing.T) {
@@ -121,7 +109,7 @@ func TestValidateFallsThroughForOpaqueKey(t *testing.T) {
 	defer srv.Close()
 	v := newTestValidator(t, srv.URL)
 
-	err := validateErr(v, key.Request{APIKey: "chat_abcdef"})
+	err := v.Validate(key.Request{APIKey: "chat_abcdef"})
 	if !errors.Is(err, key.ErrUnsupportedToken) {
 		t.Fatalf("expected ErrUnsupportedToken, got %v", err)
 	}
@@ -133,7 +121,7 @@ func TestValidateFallsThroughForDottedOpaqueKey(t *testing.T) {
 	defer srv.Close()
 	v := newTestValidator(t, srv.URL)
 
-	err := validateErr(v, key.Request{APIKey: "opaque.with.dots"})
+	err := v.Validate(key.Request{APIKey: "opaque.with.dots"})
 	if !errors.Is(err, key.ErrUnsupportedToken) {
 		t.Fatalf("expected ErrUnsupportedToken, got %v", err)
 	}
@@ -148,7 +136,7 @@ func TestValidateRejectsWrongAudience(t *testing.T) {
 	claims := validClaims(time.Now())
 	claims.Audience = josejwt.Audience{"https://example.com"}
 	token := mintToken(t, priv, testKID, "at+jwt", claims, RequiredScope)
-	expectStatus(t, validateErr(v, chatRequest(token)), http.StatusUnauthorized)
+	expectStatus(t, v.Validate(chatRequest(token)), http.StatusUnauthorized)
 }
 
 func TestValidateRejectsExpired(t *testing.T) {
@@ -158,7 +146,7 @@ func TestValidateRejectsExpired(t *testing.T) {
 	v := newTestValidator(t, srv.URL)
 
 	token := mintToken(t, priv, testKID, "at+jwt", validClaims(time.Now().Add(-time.Hour)), RequiredScope)
-	expectStatus(t, validateErr(v, chatRequest(token)), http.StatusUnauthorized)
+	expectStatus(t, v.Validate(chatRequest(token)), http.StatusUnauthorized)
 }
 
 func TestValidateRejectsMissingExpiration(t *testing.T) {
@@ -170,7 +158,7 @@ func TestValidateRejectsMissingExpiration(t *testing.T) {
 	claims := validClaims(time.Now())
 	claims.Expiry = nil
 	token := mintToken(t, priv, testKID, "at+jwt", claims, RequiredScope)
-	expectStatus(t, validateErr(v, chatRequest(token)), http.StatusUnauthorized)
+	expectStatus(t, v.Validate(chatRequest(token)), http.StatusUnauthorized)
 }
 
 func TestValidateRejectsMissingScope(t *testing.T) {
@@ -180,7 +168,7 @@ func TestValidateRejectsMissingScope(t *testing.T) {
 	v := newTestValidator(t, srv.URL)
 
 	token := mintToken(t, priv, testKID, "at+jwt", validClaims(time.Now()), "models:read")
-	expectStatus(t, validateErr(v, chatRequest(token)), http.StatusForbidden)
+	expectStatus(t, v.Validate(chatRequest(token)), http.StatusForbidden)
 }
 
 func TestValidateRejectsWrongIssuer(t *testing.T) {
@@ -192,7 +180,7 @@ func TestValidateRejectsWrongIssuer(t *testing.T) {
 	claims := validClaims(time.Now())
 	claims.Issuer = "https://evil.example.com"
 	token := mintToken(t, priv, testKID, "at+jwt", claims, RequiredScope)
-	expectStatus(t, validateErr(v, chatRequest(token)), http.StatusUnauthorized)
+	expectStatus(t, v.Validate(chatRequest(token)), http.StatusUnauthorized)
 }
 
 func TestValidateFallsThroughForWrongType(t *testing.T) {
@@ -202,7 +190,7 @@ func TestValidateFallsThroughForWrongType(t *testing.T) {
 	v := newTestValidator(t, srv.URL)
 
 	token := mintToken(t, priv, testKID, "JWT", validClaims(time.Now()), RequiredScope)
-	err := validateErr(v, chatRequest(token))
+	err := v.Validate(chatRequest(token))
 	if !errors.Is(err, key.ErrUnsupportedToken) {
 		t.Fatalf("expected ErrUnsupportedToken, got %v", err)
 	}
@@ -218,7 +206,7 @@ func TestValidateRejectsForeignSignature(t *testing.T) {
 	// verification against the published key must fail.
 	_, foreignPriv, _ := ed25519.GenerateKey(nil)
 	token := mintToken(t, foreignPriv, testKID, "at+jwt", validClaims(time.Now()), RequiredScope)
-	expectStatus(t, validateErr(v, chatRequest(token)), http.StatusUnauthorized)
+	expectStatus(t, v.Validate(chatRequest(token)), http.StatusUnauthorized)
 }
 
 func TestValidateAcceptsApplicationPrefixType(t *testing.T) {
@@ -229,7 +217,7 @@ func TestValidateAcceptsApplicationPrefixType(t *testing.T) {
 
 	// RFC 9068 / RFC 7515 permit the media type with an "application/" prefix.
 	token := mintToken(t, priv, testKID, "application/at+jwt", validClaims(time.Now()), RequiredScope)
-	if err := validateErr(v, chatRequest(token)); err != nil {
+	if err := v.Validate(chatRequest(token)); err != nil {
 		t.Fatalf("expected application/at+jwt to be accepted, got %v", err)
 	}
 }
@@ -243,7 +231,7 @@ func TestValidateAcceptsNonChatPath(t *testing.T) {
 	// The inference:api scope authorizes every inference endpoint, not just
 	// chat completions, so a non-chat path must validate.
 	token := mintToken(t, priv, testKID, "at+jwt", validClaims(time.Now()), RequiredScope)
-	if err := validateErr(v, key.Request{APIKey: token, Path: "/v1/embeddings"}); err != nil {
+	if err := v.Validate(key.Request{APIKey: token, Path: "/v1/embeddings"}); err != nil {
 		t.Fatalf("expected non-chat path to be accepted, got %v", err)
 	}
 }
@@ -322,7 +310,7 @@ func TestValidateRefreshesUnknownKidAfterRecentSuccess(t *testing.T) {
 	useSecond.Store(true)
 
 	token := mintToken(t, secondPriv, "test-key-2", "at+jwt", validClaims(time.Now()), RequiredScope)
-	if err := validateErr(v, chatRequest(token)); err != nil {
+	if err := v.Validate(chatRequest(token)); err != nil {
 		t.Fatalf("expected unknown kid to refresh immediately, got %v", err)
 	}
 }
@@ -356,7 +344,7 @@ func TestNewValidatorRecoversWhenJWKSStartsUnavailable(t *testing.T) {
 	v := newTestValidator(t, srv.URL)
 
 	token := mintToken(t, priv, testKID, "at+jwt", validClaims(time.Now()), RequiredScope)
-	if err := validateErr(v, chatRequest(token)); err == nil {
+	if err := v.Validate(chatRequest(token)); err == nil {
 		t.Fatal("expected rejection while no signing keys are cached")
 	}
 
@@ -367,7 +355,7 @@ func TestNewValidatorRecoversWhenJWKSStartsUnavailable(t *testing.T) {
 	v.keys.lastAttempt = time.Now().Add(-2 * minRefreshInterval)
 	v.keys.mu.Unlock()
 
-	if err := validateErr(v, chatRequest(token)); err != nil {
+	if err := v.Validate(chatRequest(token)); err != nil {
 		t.Fatalf("expected token to validate after JWKS became available, got %v", err)
 	}
 }

tinfoil/internal/key/key.go

@@ -14,19 +14,8 @@ type Request struct {
 	Path          string `json:"path,omitempty"`
 }
 
-// Result is the non-secret outcome of a successful validation. It lets the shim
-// forward the authenticated principal to the upstream workload so the workload
-// can attribute usage and rate limits to a stable identity instead of the
-// (rotating) bearer credential.
-type Result struct {
-	// Subject is the authenticated principal — the JWT `sub` — when the
-	// credential is a locally-verified JWT access token. It is empty for opaque
-	// API keys, whose subject is known only to the control plane.
-	Subject string
-}
-
 type Validator interface {
-	Validate(req Request) (Result, error)
+	Validate(req Request) error
 }
 
 // ErrUnsupportedToken signals that a Validator cannot handle the presented
@@ -55,14 +44,13 @@ func NewChain(validators ...Validator) *Chain {
 	return &Chain{validators: validators}
 }
 
-func (c *Chain) Validate(req Request) (Result, error) {
-	var res Result
+func (c *Chain) Validate(req Request) error {
 	var err error
 	for _, v := range c.validators {
-		res, err = v.Validate(req)
+		err = v.Validate(req)
 		if !errors.Is(err, ErrUnsupportedToken) {
-			return res, err
+			return err
 		}
 	}
-	return res, err
+	return err
 }

tinfoil/internal/key/key_test.go

@@ -7,16 +7,15 @@ import (
 )
 
 type stubValidator struct {
-	result Result
 	err    error
 	called *int
 }
 
-func (s stubValidator) Validate(Request) (Result, error) {
+func (s stubValidator) Validate(Request) error {
 	if s.called != nil {
 		*s.called++
 	}
-	return s.result, s.err
+	return s.err
 }
 
 func TestChainFallsThroughOnUnsupported(t *testing.T) {
@@ -25,7 +24,7 @@ func TestChainFallsThroughOnUnsupported(t *testing.T) {
 		stubValidator{err: ErrUnsupportedToken, called: &firstCalls},
 		stubValidator{err: nil, called: &secondCalls},
 	)
-	if _, err := chain.Validate(Request{APIKey: "x"}); err != nil {
+	if err := chain.Validate(Request{APIKey: "x"}); err != nil {
 		t.Fatalf("expected success, got %v", err)
 	}
 	if firstCalls != 1 || secondCalls != 1 {
@@ -39,7 +38,7 @@ func TestChainReturnsValidationErrorImmediately(t *testing.T) {
 		stubValidator{err: &ValidationError{StatusCode: http.StatusUnauthorized}},
 		stubValidator{err: nil, called: &secondCalls},
 	)
-	_, err := chain.Validate(Request{APIKey: "x"})
+	err := chain.Validate(Request{APIKey: "x"})
 	var ve *ValidationError
 	if !errors.As(err, &ve) || ve.StatusCode != http.StatusUnauthorized {
 		t.Fatalf("expected 401 ValidationError, got %v", err)
@@ -55,27 +54,10 @@ func TestChainShortCircuitsOnSuccess(t *testing.T) {
 		stubValidator{err: nil},
 		stubValidator{err: ErrUnsupportedToken, called: &secondCalls},
 	)
-	if _, err := chain.Validate(Request{APIKey: "x"}); err != nil {
+	if err := chain.Validate(Request{APIKey: "x"}); err != nil {
 		t.Fatalf("expected success, got %v", err)
 	}
 	if secondCalls != 0 {
 		t.Fatalf("second validator should not be consulted, calls=%d", secondCalls)
 	}
 }
-
-// TestChainPropagatesSubject verifies the Result from the validator that
-// handled the request (here the second, after the first falls through) is
-// returned to the caller, so the shim can forward the verified subject.
-func TestChainPropagatesSubject(t *testing.T) {
-	chain := NewChain(
-		stubValidator{err: ErrUnsupportedToken},
-		stubValidator{result: Result{Subject: "user_42"}, err: nil},
-	)
-	res, err := chain.Validate(Request{APIKey: "x"})
-	if err != nil {
-		t.Fatalf("expected success, got %v", err)
-	}
-	if res.Subject != "user_42" {
-		t.Fatalf("Subject = %q, want user_42", res.Subject)
-	}
-}