Open #94 Bug

filed by gabriel human · 4 days ago

Branch DELETE endpoint returns HTTP 401 despite valid push + signed-POST auth

0 Anchors

— Blast radius

— Churn 30d

0 Proposals

Branch DELETE endpoint returns HTTP 401 despite valid push + signed-POST auth

Summary

muse push <remote> --delete <branch> and a direct signed DELETE /{owner}/{slug}/branches/{branch} against staging return HTTP 401 — Authentication failed (Run 'muse auth register'), even though the same Ed25519 identity (gabriel) in the same session successfully:

pushes branches to staging (muse push staging dev/main → advanced to 4669620e), and
issues signed POST requests to staging (muse sign request --method POST … /gabriel/muse/repair-commit → ok:true).

So push-auth and POST-auth work; only the branch-DELETE path rejects the credential.

Context

Found while tidying merged feature branches after the repair-commit + snapshot-recovery work landed. The merged branch feat/fetch-mpack-cache (tip f58d788d, verified an ancestor of dev — i.e. fully merged, no unique commits) remains on the staging hub because it cannot be deleted via the CLI.

Repro

# Succeed (same identity, staging):
muse push staging dev
muse sign request --method POST \
  --url https://staging.musehub.ai/gabriel/muse/repair-commit --body-file payload.json   # ok:true

# Fail with 401:
muse push staging --delete feat/fetch-mpack-cache
muse sign request --method DELETE \
  --url "https://staging.musehub.ai/gabriel/musehub/branches/feat%2Ffetch-mpack-cache"
# ❌ Authentication failed (HTTP 401). Run 'muse auth register'.

Expected

The DELETE /{owner}/{slug}/branches/{branch} endpoint should accept the same MSign auth that push and the wire POST endpoints accept, for the repo owner.

Impact

Low. Merged remote branches can't be tidied via the CLI; the stray branch is harmless (fully merged). Does not block builds or clones. Can be removed via the web UI in the meantime.

Hypotheses to investigate

DELETE-method auth middleware differs from the POST/push path (e.g. signature canonicalization treats method/body/path differently for DELETE).
The branches/{branch} route's auth dependency vs the wire push/repair routes.
URL-encoding of the branch name (feat%2Ffetch-mpack-cache) interfering with signature path canonicalization on the server.

Status

Deferred — filed during the rc13 ship-out to avoid a rabbit hole. The stray merged branch feat/fetch-mpack-cache on staging can be removed via the web UI until this is fixed.

◎ Activity

●

gabriel opened this issue 4 days ago

◎

No activity yet. Use the CLI to comment.

Assignee

gabriel human

Release

no commits linked to this issue

create

muse hub issue create \
  --title "..." \
  --body "..." \
  --label bug \
  --anchor path/to/file.py::Symbol \
  --commit-anchor <sha> \
  --repo gabriel/musehub

read

muse hub issue get 94 --json
muse hub issue list --state open --json

update

muse hub issue edit 94 \
  --anchor path/to/file.py::Symbol \
  --repo gabriel/musehub

comment

muse hub issue comment 94 \
  --body "Fixed in <sha>" \
  --repo gabriel/musehub

muse hub issue close 94 \
  --repo gabriel/musehub

create

create_issue({
  repo_id: "sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75",
  title: "...",
  body: "...",
  labels: ["bug"],
  symbol_anchors: [
    "path/to/file.py::Symbol"
  ],
  commit_anchors: ["<sha>"]
})

read

get_issue({
  repo_id: "sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75",
  issue_number: 94
})

list_issues({
  repo_id: "sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75",
  state: "open"
})

update

edit_issue({
  repo_id: "sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75",
  issue_number: 94,
  symbol_anchors: ["path/to/file.py::Symbol"]
})

comment

create_issue_comment({
  repo_id: "sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75",
  issue_number: 94,
  body: "..."
})

close_issue({
  repo_id: "sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75",
  issue_number: 94
})

create

curl -X POST \
  http://localhost:10003/api/repos/sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75/issues \
  -H "Content-Type: application/json" \
  -H "Authorization: MSign handle=\"...\" ts=... sig=\"...\"" \
  -d '{
    "title": "...",
    "body": "...",
    "labels": ["bug"],
    "symbol_anchors": ["path/to/file.py::Symbol"]
  }'

read

# get one issue
curl http://localhost:10003/api/repos/sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75/issues/94

# list open issues
curl "http://localhost:10003/api/repos/sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75/issues?state=open"

update

curl -X PATCH \
  http://localhost:10003/api/repos/sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75/issues/94 \
  -H "Content-Type: application/json" \
  -H "Authorization: MSign handle=\"...\" ts=... sig=\"...\"" \
  -d '{"title": "...", "body": "..."}'

comment

curl -X POST \
  http://localhost:10003/api/repos/sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75/issues/94/comments \
  -H "Content-Type: application/json" \
  -H "Authorization: MSign handle=\"...\" ts=... sig=\"...\"" \
  -d '{"body": "Fixed in <sha>"}'

curl -X POST \
  http://localhost:10003/api/repos/sha256:a265796360c3b1b8700b5682ced5f6b044a2c0d3a2c58918892a5aa494db6c75/issues/94/close \
  -H "Authorization: MSign handle=\"...\" ts=... sig=\"...\""