consolidate token validation logic

andrewsykim · andrewsykim · commit df636a98eb67 · 2025-11-11T17:19:19.000Z
Signed-off-by: Andrew Sy Kim &lt;andrewsy@google.com&gt;
diff --git a/src/ray/rpc/authentication/authentication_token_loader.cc b/src/ray/rpc/authentication/authentication_token_loader.cc
@@ -90,7 +90,7 @@ bool AuthenticationTokenLoader::ValidateToken(const AuthenticationToken &provide
     return is_allowed;
   }
 
-  return false;
+  return true;
 }
 
 std::optional<AuthenticationToken> AuthenticationTokenLoader::GetToken() {
diff --git a/src/ray/rpc/server_call.h b/src/ray/rpc/server_call.h
@@ -346,43 +346,27 @@ class ServerCallImpl : public ServerCall {
   bool ValidateAuthenticationToken() {
     AuthenticationMode auth_mode = GetAuthenticationMode();
 
+    if (auth_mode == AuthenticationMode::DISABLED) {
+      return true;
+    }
+
     const auto &metadata = context_.client_metadata();
     auto it = metadata.find(kAuthTokenKey);
 
     if (auth_mode == AuthenticationMode::TOKEN) {
       if (!auth_token_.has_value() || auth_token_->empty()) {
         return true;  // No auth required on server side
       }
-      if (it == metadata.end()) {
-        RAY_LOG(WARNING)
-            << "Missing authorization header in request for token auth mode!";
-        return false;
-      }
-      const std::string_view header(it->second.data(), it->second.length());
-      AuthenticationToken provided_token = AuthenticationToken::FromMetadata(header);
-      if (!auth_token_->Equals(provided_token)) {
-        RAY_LOG(WARNING) << "Invalid bearer token in request!";
-        return false;
-      }
-      return true;
     }
 
-    if (auth_mode == AuthenticationMode::K8S) {
-      if (it == metadata.end()) {
-        RAY_LOG(WARNING) << "Missing authorization header in request for k8s auth mode!";
-        return false;
-      }
-      const std::string_view header(it->second.data(), it->second.length());
-      AuthenticationToken provided_token = AuthenticationToken::FromMetadata(header);
-      if (provided_token.empty()) {
-        RAY_LOG(WARNING) << "Empty bearer token in request for k8s auth mode!";
-        return false;
-      }
-      return ray::rpc::AuthenticationTokenLoader::instance().ValidateToken(
-          provided_token);
+    if (it == metadata.end()) {
+      RAY_LOG(WARNING) << "Missing authorization header in request for token auth mode!";
+      return false;
     }
 
-    return true;
+    const std::string_view header(it->second.data(), it->second.length());
+    AuthenticationToken provided_token = AuthenticationToken::FromMetadata(header);
+    return ray::rpc::AuthenticationTokenLoader::instance().ValidateToken(provided_token);
   }
 
   /// Log the duration this query used

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ bool AuthenticationTokenLoader::ValidateToken(const AuthenticationToken &provide`
`90`	`90`	`return is_allowed;`
`91`	`91`	`}`
`92`	`92`
`93`		`- return false;`
	`93`	`+ return true;`
`94`	`94`	`}`
`95`	`95`
`96`	`96`	`std::optional<AuthenticationToken> AuthenticationTokenLoader::GetToken() {`