feat(accounts): Validate caller IA S3 keys on OTP service endpoints to restrict access to authorized Lenny instances

[mekarpeles]

Summary

The OTP service endpoints (POST /account/otp/issue and POST /account/otp/redeem) are used by Lenny to implement patron passwordless login. Lenny already sends Authorization: LOW <access>:<secret> headers on every OTP call (via ol_auth_headers()), but OL currently ignores these headers.

This means any caller — including rogue or unconfigured Lenny instances — can use OL's OTP service to send unsolicited OTP emails to any address.

Proposed Change

Add S3 key validation at the start of both OTP handler methods. Use the existing InternetArchiveAccount.s3auth() to validate the caller's IA credentials before processing the request.

Required: Authorization: LOW <access>:<secret> header with valid IA S3 keys.

If the header is missing or the keys are invalid, return {"error": "unauthorized"} (HTTP 403).

This ensures that only Lenny instances that have been configured with valid IA S3 credentials (i.e., linked to an IA/OL account via make ol-login) can trigger OTP emails.

Files to Change

• openlibrary/plugins/upstream/account.py — otp_service_issue.POST() and otp_service_redeem.POST()
• (optional) Extract _parse_s3_auth_header() as a module-level helper (same pattern already exists on account_anonymize._parse_auth_header())

Companion Issue

• Lenny: Add optional IA auth plugin for patron borrow requests — the Lenny side that validates patron S3 keys at borrow time

Related

• PR feat(accounts): add OTP (passwordless) login support via xauthn #12681 — OTP login via xauthn (new /account/login/otp/* endpoints, unaffected by this change)
• PR TOTP auth #11288 — TOTP auth (merged)

[mekarpeles]

⚠️ Contributors, this issue will be ready to work on once:

• Triage — maintainers will add Priority: * and Lead: @* to replace Needs: Triage and Needs: Lead

---

Context

• otp_service_issue.POST() (account.py:425) and otp_service_redeem.POST() (account.py:454) — confirmed: neither handler reads or validates the Authorization header.
• _parse_auth_header() (account.py:1272) already exists as an instance method on account_anonymization_json. Extracting it as a module-level _parse_s3_auth_header() is the correct refactor path.
• InternetArchiveAccount.s3auth() (account.py:1255) is the exact call used by account_anonymization_json for the same validation pattern — confirmed available and ready to reuse.
• PR feat(accounts): add OTP (passwordless) login support via xauthn #12681 (open) adds new /account/login/otp/* xauthn endpoints. These are distinct from /account/otp/issue and /account/otp/redeem addressed here — the two are not redundant and both need attention.

---

Issue Assessment

Open questions

• The issue specifies returning {"error": "unauthorized"} with HTTP 403 on auth failure, but the existing account_anonymization_json pattern raises 401 Unauthorized for missing/invalid credentials (line 1240) and 404 Not Found for invalid S3 keys (line 1257). Should the OTP endpoints align with those status codes, or deliberately differ?
• What is the error response behavior when InternetArchiveAccount.s3auth() itself returns an error (e.g., IA S3 service unavailable)? account_anonymization_json propagates a 503 for MissingKeyError — should the OTP handlers do the same?
• Are there existing tests for the OTP service endpoints that need to cover the new auth path?

Action items

• Clarify intended HTTP status codes for auth failure (401 vs. 403) to match or intentionally diverge from the existing pattern in account_anonymization_json
• Confirm whether the _parse_s3_auth_header() extraction is in scope for this issue or a follow-up

---

Full triage checklist (maintainers / Pam)

• Triage — correct labels applied or removed: Needs: Breakdown, Needs: Investigation, Needs: Design, Needs: Staff Decision, Needs: Staff / Admin, Good First Issue, Blocked, Blocker
• Problem / opportunity — problem is clear, audience identified, actionable
• Scope — issue is well-scoped; targets two specific handler methods
• Justification — unguarded endpoint can be used to send unsolicited OTP emails to arbitrary addresses
• Success & testing criteria — no explicit test criteria or test plan stated
• Proposal & breakdown — specific files, methods, and existing pattern identified
• If bug: environment & repro steps — N/A (security hardening, not a regression report)
• Risks, concerns, open questions — HTTP status code inconsistency and error propagation behavior noted above
• Pam context — relevant code confirmed by reading account.py and model.py; PR feat(accounts): add OTP (passwordless) login support via xauthn #12681 reviewed; no conflicting or duplicate issue found
• References — Lenny repo and related PRs linked

Note

This comment was automatically generated by Pam, Open Library's Project AI Manager, on behalf of @mekarpeles. Pam is designed to provide status visibility, perform basic project management functions and relevant codebase research, and provide actionable feedback so contributors aren't left waiting.

[mekarpeles]

PR opened: #12841