Problem
The frontier seed command fails with unauthenticated: not authenticated when targeting the ConnectRPC server (port 8002).
Current behavior
The seed command relied on the identity proxy header (X-Frontier-Email) for authentication. This header is essentially a backdoor — the legacy gRPC server had an interceptor (EnrichCtxWithPassthroughEmail) that trusted it, but the ConnectRPC server does not (and should not).
Even passing a valid session cookie fails:
$ frontier seed -H "Cookie:sid=<valid-session>"
failed to create custom permissions: failed to create custom permission: unauthenticated: not authenticated
Meanwhile, other CLI commands like frontier preferences get work fine with the same cookie on the ConnectRPC server.
Root cause
- Identity proxy header not supported on ConnectRPC server (by design — it's a security backdoor marked as deprecated in the codebase)
- AdminService endpoints (
CreatePermission, CreateRole) used by seed may have a different authentication path that doesn't work with session cookies on ConnectRPC
- The seed command auto-constructs the header as
<key>:<sampleSeedEmail> instead of accepting proper key:value auth headers
Expected behavior
The seed command should authenticate using proper mechanisms (session cookie, service user credentials, or API token) — not the identity proxy header.
Suggested fix
- Remove the identity proxy header dependency from the seed command
- Change
-H flag to accept key:value format (like other CLI commands) for proper auth headers (e.g., Cookie:sid=...)
- Investigate why AdminService endpoints reject valid session cookies on ConnectRPC
- Remove the
-c config file flag dependency (no longer needed if not reading identity_proxy_header)
Related
Problem
The
frontier seedcommand fails withunauthenticated: not authenticatedwhen targeting the ConnectRPC server (port 8002).Current behavior
The seed command relied on the identity proxy header (
X-Frontier-Email) for authentication. This header is essentially a backdoor — the legacy gRPC server had an interceptor (EnrichCtxWithPassthroughEmail) that trusted it, but the ConnectRPC server does not (and should not).Even passing a valid session cookie fails:
Meanwhile, other CLI commands like
frontier preferences getwork fine with the same cookie on the ConnectRPC server.Root cause
CreatePermission,CreateRole) used by seed may have a different authentication path that doesn't work with session cookies on ConnectRPC<key>:<sampleSeedEmail>instead of accepting properkey:valueauth headersExpected behavior
The seed command should authenticate using proper mechanisms (session cookie, service user credentials, or API token) — not the identity proxy header.
Suggested fix
-Hflag to acceptkey:valueformat (like other CLI commands) for proper auth headers (e.g.,Cookie:sid=...)-cconfig file flag dependency (no longer needed if not readingidentity_proxy_header)Related
EnrichCtxWithPassthroughEmail) exists only in the legacy gRPC server and is marked deprecated