(2.12) [FIXED] Leaf node token auth (#7452)

neilalexander · web-flow · commit e3b6a7515a77 · 2025-10-21T23:08:38.000+01:00
diff --git a/server/auth.go b/server/auth.go
@@ -1123,7 +1123,8 @@ func (s *Server) processClientOrLeafAuthentication(c *client, opts *Options) (au
 		return ok
 	}
 
-	if c.kind == CLIENT {
+	// Check for the use of simple auth.
+	if c.kind == CLIENT || c.kind == LEAF {
 		if proxyRequired = opts.ProxyRequired; proxyRequired && !trustedProxy {
 			return setProxyAuthError(ErrAuthProxyRequired)
 		}
diff --git a/server/leafnode.go b/server/leafnode.go
@@ -1049,17 +1049,22 @@ func (c *client) sendLeafConnect(clusterName string, headers bool) error {
 	// In addition, and this is to allow auth callout, set user/password or
 	// token if applicable.
 	if userInfo := c.leaf.remote.curURL.User; userInfo != nil {
-		// For backward compatibility, if only username is provided, set both
-		// Token and User, not just Token.
 		cinfo.User = userInfo.Username()
 		var ok bool
 		cinfo.Pass, ok = userInfo.Password()
+		// For backward compatibility, if only username is provided, set both
+		// Token and User, not just Token.
 		if !ok {
 			cinfo.Token = cinfo.User
 		}
 	} else if c.leaf.remote.username != _EMPTY_ {
 		cinfo.User = c.leaf.remote.username
 		cinfo.Pass = c.leaf.remote.password
+		// For backward compatibility, if only username is provided, set both
+		// Token and User, not just Token.
+		if cinfo.Pass == _EMPTY_ {
+			cinfo.Token = cinfo.User
+		}
 	}
 	b, err := json.Marshal(cinfo)
 	if err != nil {
diff --git a/server/leafnode_test.go b/server/leafnode_test.go
@@ -10830,3 +10830,37 @@ func TestLeafNodeConfigureWriteDeadline(t *testing.T) {
 		require_Equal(t, r.out.wdl, 6*time.Second)
 	})
 }
+
+// https://github.com/nats-io/nats-server/issues/7441
+func TestLeafNodesBasicTokenAuth(t *testing.T) {
+	hubConf := createConfFile(t, []byte(`
+		server_name: "HUB"
+		listen: "127.0.0.1:-1"
+		authorization {
+			token: secret
+		}
+		leafnodes {
+			listen: "127.0.0.1:-1"
+		}
+	`))
+	hub, ohub := RunServerWithConfig(hubConf)
+	defer hub.Shutdown()
+
+	port := ohub.LeafNode.Port
+	leafTmpl := `
+		server_name: "LEAF"
+		listen: "127.0.0.1:-1"
+		leafnodes {
+			remotes: [
+				{ url: "nats://secret@localhost:%d" }
+			]
+		}
+	`
+	leafConf := createConfFile(t, fmt.Appendf(nil, leafTmpl, port))
+	leaf, _ := RunServerWithConfig(leafConf)
+	defer leaf.Shutdown()
+
+	// Verify that we have only 1 leaf
+	checkLeafNodeConnected(t, hub)
+	checkLeafNodeConnected(t, leaf)
+}

Original file line number	Diff line number	Diff line change
`@@ -1123,7 +1123,8 @@ func (s Server) processClientOrLeafAuthentication(c client, opts *Options) (au`
`1123`	`1123`	`return ok`
`1124`	`1124`	`}`
`1125`	`1125`
`1126`		`- if c.kind == CLIENT {`
	`1126`	`+ // Check for the use of simple auth.`
	`1127`	`+ if c.kind == CLIENT \|\| c.kind == LEAF {`
`1127`	`1128`	`if proxyRequired = opts.ProxyRequired; proxyRequired && !trustedProxy {`
`1128`	`1129`	`return setProxyAuthError(ErrAuthProxyRequired)`
`1129`	`1130`	`}`