auth: gate existing routers behind require_user, wire auth + users routers

This commit is contained in:
Ivo Oskamp 2026-05-28 16:05:04 +02:00
parent e993e8aa59
commit 17d91680d5
2 changed files with 39 additions and 4 deletions


@ -8,13 +8,16 @@ from __future__ import annotations
from pathlib import Path
from fastapi import FastAPI
from fastapi import Depends, FastAPI
from fastapi.responses import FileResponse
from fastapi.staticfiles import StaticFiles
from .api_jobs import router as jobs_router
from .api_onboarding import router as onboarding_router
from .api_tenants import router as tenants_router
from .auth.dependencies import require_user
from .auth.router import router as auth_router
from .auth.users_router import router as users_router
from .db_migrate import run_migrations
from .version import display_version
from .worker import ScanWorker
@ -47,9 +50,17 @@ def version() -> dict[str, str]:
return {"version": display_version()}
app.include_router(tenants_router)
app.include_router(jobs_router)
app.include_router(onboarding_router)
# Public auth endpoints (login / setup / setup-required) — no dependency.
app.include_router(auth_router)
# Admin endpoints — already enforce require_admin internally.
app.include_router(users_router)
# Existing routers gated by an authenticated session.
_protected = [Depends(require_user)]
app.include_router(tenants_router, dependencies=_protected)
app.include_router(jobs_router, dependencies=_protected)
app.include_router(onboarding_router, dependencies=_protected)
# ---------------------------------------------------------------------------
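Review bot: The gating introduced by `_protected` is opt-in per `include_router` call, so any router added later without `dependencies=_protected` is reachable anonymously by default; a startup assertion or a test that walks `app.routes` and checks every route outside the public auth endpoints carries `require_user` would make that failure mode visible. The comment above `app.include_router(users_router)` says require_admin is enforced inside that router, which this hunk cannot show; gating it here as well, e.g. `app.include_router(users_router, dependencies=[Depends(require_admin)])` if that dependency is importable from `.auth.dependencies`, keeps enforcement in one place and survives a route being added to users_router without the check. The `version()` endpoint and the static mount lie outside the hunk, so whether they are intentionally public cannot be confirmed from here.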


@ -0,0 +1,24 @@
"""Smoke check that existing routers refuse anonymous requests once gated."""
from fastapi import Depends, FastAPI
from fastapi.testclient import TestClient
from sqlalchemy.orm import sessionmaker
from clearview_app.api_tenants import router as tenants_router
from clearview_app.auth.dependencies import get_db, require_user
def test_tenants_route_requires_auth(db_engine):
Session = sessionmaker(bind=db_engine, autoflush=False, autocommit=False, future=True)
def override_get_db():
s = Session()
try:
yield s
finally:
s.close()
app = FastAPI()
app.include_router(tenants_router, dependencies=[Depends(require_user)])
app.dependency_overrides[get_db] = override_get_db
assert TestClient(app).get("/api/tenants").status_code == 401
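Review bot: The test builds its own FastAPI app and re-attaches the dependency on the `app.include_router(tenants_router, dependencies=[Depends(require_user)])` line, so it verifies FastAPI's `dependencies=` mechanism rather than the production wiring — a forgotten `_protected` in the real application would still pass. Exercising the application's own `app` object (with the `get_db` override applied there) and asserting 401 for the tenants, jobs and onboarding routes would cover what the commit actually changed; only `/api/tenants` is checked now. The `Session` local and the inline `override_get_db` generator could move to a fixture if the project's conftest already provides one, which the `db_engine` fixture suggests it might.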