Skip to content

Seed command fails with ConnectRPC server - needs proper authentication #1393

New issue
New issue
Open
Open
Seed command fails with ConnectRPC server - needs proper authentication#1393
Labels
bugSomething isn't working
@whoAbhishekSah

Description

@whoAbhishekSah
whoAbhishekSah
opened on Feb 18, 2026

Problem

The frontier seed command fails with unauthenticated: not authenticated when targeting the ConnectRPC server (port 8002).

Current behavior

The seed command relied on the identity proxy header (X-Frontier-Email) for authentication. This header is essentially a backdoor — the legacy gRPC server had an interceptor (EnrichCtxWithPassthroughEmail) that trusted it, but the ConnectRPC server does not (and should not).

Even passing a valid session cookie fails:

$ frontier seed -H "Cookie:sid=<valid-session>"
failed to create custom permissions: failed to create custom permission: unauthenticated: not authenticated

Meanwhile, other CLI commands like frontier preferences get work fine with the same cookie on the ConnectRPC server.

Root cause

  1. Identity proxy header not supported on ConnectRPC server (by design — it's a security backdoor marked as deprecated in the codebase)
  2. AdminService endpoints (CreatePermission, CreateRole) used by seed may have a different authentication path that doesn't work with session cookies on ConnectRPC
  3. The seed command auto-constructs the header as <key>:<sampleSeedEmail> instead of accepting proper key:value auth headers

Expected behavior

The seed command should authenticate using proper mechanisms (session cookie, service user credentials, or API token) — not the identity proxy header.

Suggested fix

  • Remove the identity proxy header dependency from the seed command
  • Change -H flag to accept key:value format (like other CLI commands) for proper auth headers (e.g., Cookie:sid=...)
  • Investigate why AdminService endpoints reject valid session cookies on ConnectRPC
  • Remove the -c config file flag dependency (no longer needed if not reading identity_proxy_header)

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions