Document worker secret verification

src/server/web/api/worker.rs

@@ -167,7 +167,7 @@ pub async fn post_api_worker_status(
     let (work, abort_work) = {
         let mut guard = workers.lock().unwrap();
         guard.clean();
-        if !guard.verify(&name, &request.secret) {
+        if !guard.verify_secret(&name, &request.secret) {
             return Ok((StatusCode::UNAUTHORIZED, "invalid secret").into_response());
         }
         guard.update(

src/server/workers.rs

@@ -47,9 +47,15 @@ impl Workers {
         self
     }
 
-    pub fn verify(&self, name: &str, secret: &str) -> bool {
+    pub fn verify_secret(&self, name: &str, secret: &str) -> bool {
-        let Some(worker) = self.workers.get(name) else { return true; };
+        if let Some(worker) = self.workers.get(name) {
             worker.secret == secret
+        } else {
+            // The per-worker secret exists to prevent two workers from using
+            // the same name at the same time (likely a misconfiguration). Since
+            // we don't know a worker under this name yet, any secret is valid.
+            true
+        }
     }
 
     pub fn update(&mut self, name: String, info: WorkerInfo) {