auth: gate existing routers behind require_user, wire auth + users routers

This commit is contained in:
Ivo Oskamp 2026-05-28 16:05:04 +02:00
parent e993e8aa59
commit 17d91680d5
2 changed files with 39 additions and 4 deletions


@ -8,13 +8,16 @@ from __future__ import annotations
from pathlib import Path from pathlib import Path
from fastapi import FastAPI from fastapi import Depends, FastAPI
from fastapi.responses import FileResponse from fastapi.responses import FileResponse
from fastapi.staticfiles import StaticFiles from fastapi.staticfiles import StaticFiles
from .api_jobs import router as jobs_router from .api_jobs import router as jobs_router
from .api_onboarding import router as onboarding_router from .api_onboarding import router as onboarding_router
from .api_tenants import router as tenants_router from .api_tenants import router as tenants_router
from .auth.dependencies import require_user
from .auth.router import router as auth_router
from .auth.users_router import router as users_router
from .db_migrate import run_migrations from .db_migrate import run_migrations
from .version import display_version from .version import display_version
from .worker import ScanWorker from .worker import ScanWorker
@ -47,9 +50,17 @@ def version() -> dict[str, str]:
return {"version": display_version()} return {"version": display_version()}
app.include_router(tenants_router) # Public auth endpoints (login / setup / setup-required) — no dependency.
app.include_router(jobs_router) app.include_router(auth_router)
app.include_router(onboarding_router)
# Admin endpoints — already enforce require_admin internally.
app.include_router(users_router)
# Existing routers gated by an authenticated session.
_protected = [Depends(require_user)]
app.include_router(tenants_router, dependencies=_protected)
app.include_router(jobs_router, dependencies=_protected)
app.include_router(onboarding_router, dependencies=_protected)
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
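Review bot: users_router is the one router included without the require_user dependency (`app.include_router(users_router)` under the `# Admin endpoints` comment), so its protection rests entirely on every handler in that router remembering to declare require_admin; a route added there later without it would be reachable anonymously. The router-level gate costs nothing and gives defense in depth, assuming require_admin already implies an authenticated user: `app.include_router(users_router, dependencies=_protected)`. The `/version` endpoint at the top of the hunk stays public; if that is intended, a one-line comment saying so next to the `# Public auth endpoints` note would spare the next reader the question. Whether the StaticFiles mount needs the same gate cannot be judged from this hunk, as it sits outside it.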


@ -0,0 +1,24 @@
"""Smoke check that existing routers refuse anonymous requests once gated."""
from fastapi import Depends, FastAPI
from fastapi.testclient import TestClient
from sqlalchemy.orm import sessionmaker
from clearview_app.api_tenants import router as tenants_router
from clearview_app.auth.dependencies import get_db, require_user
def test_tenants_route_requires_auth(db_engine):
Session = sessionmaker(bind=db_engine, autoflush=False, autocommit=False, future=True)
def override_get_db():
s = Session()
try:
yield s
finally:
s.close()
app = FastAPI()
app.include_router(tenants_router, dependencies=[Depends(require_user)])
app.dependency_overrides[get_db] = override_get_db
assert TestClient(app).get("/api/tenants").status_code == 401
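Review bot: The test assembles its own FastAPI app around tenants_router with `dependencies=[Depends(require_user)]`, so it verifies FastAPI's dependency mechanism rather than the production wiring; if the application module later included a router without `dependencies=_protected`, this test would still pass. Consider importing the real app object from the application module (not shown on this page), applying the same get_db override to it, and asserting the 401 against each gated router rather than only `/api/tenants`. A positive counterpart — an authenticated request to the same route no longer returning 401 — would show the gate is not simply rejecting everything, if a session fixture is available; as written the check cannot distinguish a working gate from a dependency that always raises. Style: `Session` as a local variable reads as a class name; `session_factory` would match PEP 8.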