From 17d91680d51aa39705d38221be072b82c66a348d Mon Sep 17 00:00:00 2001
From: Ivo Oskamp
Date: Thu, 28 May 2026 16:05:04 +0200
Subject: [PATCH] auth: gate existing routers behind require_user, wire auth + users routers
---
 .../clearview/src/clearview_app/main.py | 19 +++++++++++----
 .../tests/test_existing_routes_protected.py | 24 +++++++++++++++++++
 2 files changed, 39 insertions(+), 4 deletions(-)
 create mode 100644 containers/clearview/tests/test_existing_routes_protected.py
diff --git a/containers/clearview/src/clearview_app/main.py b/containers/clearview/src/clearview_app/main.py
index bb1da71..28fa6be 100644
--- a/containers/clearview/src/clearview_app/main.py
+++ b/containers/clearview/src/clearview_app/main.py
@@ -8,13 +8,16 @@ from __future__ import annotations
 from pathlib import Path
-from fastapi import FastAPI
+from fastapi import Depends, FastAPI
 from fastapi.responses import FileResponse
 from fastapi.staticfiles import StaticFiles
 from .api_jobs import router as jobs_router
 from .api_onboarding import router as onboarding_router
 from .api_tenants import router as tenants_router
+from .auth.dependencies import require_user
+from .auth.router import router as auth_router
+from .auth.users_router import router as users_router
 from .db_migrate import run_migrations
 from .version import display_version
 from .worker import ScanWorker
@@ -47,9 +50,17 @@ def version() -> dict[str, str]:
 return {"version": display_version()}
-app.include_router(tenants_router)
-app.include_router(jobs_router)
-app.include_router(onboarding_router)
+# Public auth endpoints (login / setup / setup-required) — no dependency.
+app.include_router(auth_router)
+
+# Admin endpoints — already enforce require_admin internally.
+app.include_router(users_router)
+
+# Existing routers gated by an authenticated session.
+_protected = [Depends(require_user)]
+app.include_router(tenants_router, dependencies=_protected)
+app.include_router(jobs_router, dependencies=_protected)
+app.include_router(onboarding_router, dependencies=_protected)
 # ---------------------------------------------------------------------------
diff --git a/containers/clearview/tests/test_existing_routes_protected.py b/containers/clearview/tests/test_existing_routes_protected.py
new file mode 100644
index 0000000..415bc1d
--- /dev/null
+++ b/containers/clearview/tests/test_existing_routes_protected.py
@@ -0,0 +1,24 @@
+"""Smoke check that existing routers refuse anonymous requests once gated."""
+from fastapi import Depends, FastAPI
+from fastapi.testclient import TestClient
+from sqlalchemy.orm import sessionmaker
+
+from clearview_app.api_tenants import router as tenants_router
+from clearview_app.auth.dependencies import get_db, require_user
+
+
+def test_tenants_route_requires_auth(db_engine):
+ Session = sessionmaker(bind=db_engine, autoflush=False, autocommit=False, future=True)
+
+ def override_get_db():
+ s = Session()
+ try:
+ yield s
+ finally:
+ s.close()
+
+ app = FastAPI()
+ app.include_router(tenants_router, dependencies=[Depends(require_user)])
+ app.dependency_overrides[get_db] = override_get_db
+
+ assert TestClient(app).get("/api/tenants").status_code == 401
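Review bot: `app.include_router(users_router)` carries no dependency at the mount point, so the admin endpoints are protected only while every route in `auth/users_router.py` declares `require_admin` itself. That file is not part of this patch, so the claim in the comment cannot be checked here, and a route added there later without the dependency would be reachable anonymously. Defining `_protected` above this call and mounting with `app.include_router(users_router, dependencies=_protected)` would enforce the session check at the mount as well, assuming `require_admin` builds on the same session as `require_user`. Routes registered directly on `app`, such as `version()` just above the hunk, stay outside the gate; a short comment saying that this is intended would make the public surface explicit.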
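Review bot: The wiring in `main.py` is not what this test checks: it mounts `tenants_router` on a fresh `FastAPI()` with its own `Depends(require_user)`, so dropping `dependencies=_protected` from any `include_router` call in `main.py` would leave it green. It also covers only one of the three gated routers. Consider building the client from `clearview_app.main.app`, with `get_db` overridden the same way, and asserting 401 for one route from each of the tenants, jobs and onboarding routers. If importing `main` runs migrations or starts the worker, the docstring should say that this is why a stand-in app is used. A companion assertion that the login and setup endpoints still answer without a session would pin down the intended public surface.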