Fix admin token env-var fallback shadowed by empty default

Leechael · Leechael · commit 0d4d9f9226c9 · 2026-05-12T11:19:59.000+08:00
The baked-in gateway.toml shipped `api_token = ""`, which figment merges
into AdminConfig as `Some("")`. `AdminAuth::from_config` only triggered
the `DSTACK_GATEWAY_ADMIN_TOKEN` env-var fallback when `api_token` was
`None`, so the env var was never read and admin startup always bailed
with "no API token is configured" even when the env var was set.

Drop the empty default from the baked toml and treat blank api_token
as unset so the env-var fallback fires. Add a regression test covering
both empty-string and whitespace-only config values.
diff --git a/gateway/gateway.toml b/gateway/gateway.toml
@@ -25,7 +25,9 @@ timeout = "5s"
 enabled = false
 address = "127.0.0.1:8011"
 # Required when admin.enabled = true, unless DSTACK_GATEWAY_ADMIN_TOKEN is set.
-api_token = ""
+# Leave unset (do not assign ""): an empty string here would shadow the env-var
+# fallback in AdminAuth::from_config.
+# api_token = ""
 # Development/testing escape hatch only. Never enable this on a reachable admin interface.
 insecure_no_auth = false
 
diff --git a/gateway/src/admin_auth.rs b/gateway/src/admin_auth.rs
@@ -27,6 +27,7 @@ impl AdminAuth {
         let token = config
             .api_token
             .clone()
+            .filter(|token| !token.trim().is_empty())
             .or_else(|| std::env::var(ENV_ADMIN_TOKEN).ok())
             .map(|token| token.trim().to_string())
             .filter(|token| !token.is_empty());
@@ -113,4 +114,30 @@ mod tests {
         assert!(auth.verify(None));
         assert!(auth.verify(Some("Bearer anything")));
     }
+
+    #[test]
+    fn blank_config_token_falls_back_to_env() {
+        // Single test exercising both empty and whitespace api_token to avoid
+        // parallel tests racing on the process-wide DSTACK_GATEWAY_ADMIN_TOKEN.
+        //
+        // Reproduces the regression where api_token = "" in the baked default
+        // gateway.toml shadowed the env-var fallback.
+        for blank in ["", "   "] {
+            let token = "env-token-value";
+            std::env::set_var(ENV_ADMIN_TOKEN, token);
+            let auth = AdminAuth::from_config(&AdminConfig {
+                enabled: true,
+                api_token: Some(blank.to_string()),
+                insecure_no_auth: false,
+            })
+            .expect("blank config token must defer to env-var");
+            std::env::remove_var(ENV_ADMIN_TOKEN);
+
+            assert!(
+                auth.verify(Some(&format!("Bearer {token}"))),
+                "expected fallback to env-var when api_token={blank:?}"
+            );
+            assert!(!auth.verify(Some("Bearer wrong")));
+        }
+    }
 }
