refactor(auth): consolidate PUBLIC_MODE and mutation guards into reusable helpers (#909)

* refactor(auth): consolidate PUBLIC_MODE and mutation guards into reusable helpers * fix: fix websocket test override
2026-04-14 17:26:55 +00:00 · 2026-03-12 10:51:26 -05:00
parent cf6e867cf1
commit 4ae56b730a
15 changed files with 96 additions and 86 deletions
--- a/server/tests/conftest.py
+++ b/server/tests/conftest.py
@@ -437,6 +437,8 @@ async def ws_manager_in_memory(monkeypatch):

    try:
        fastapi_app.dependency_overrides[auth.current_user_optional] = lambda: None
+        # current_user_optional_if_public_mode is NOT overridden here so the real
+        # implementation runs and enforces the PUBLIC_MODE check during tests.
    except Exception:
        pass

@@ -491,37 +493,39 @@ async def authenticated_client2():
@asynccontextmanager
 async def authenticated_client_ctx():
    from reflector.app import app
-    from reflector.auth import current_user, current_user_optional
+    from reflector.auth import (
+        current_user,
+        current_user_optional,
+        current_user_optional_if_public_mode,
+    )

-    app.dependency_overrides[current_user] = lambda: {
-        "sub": "randomuserid",
-        "email": "test@mail.com",
-    }
-    app.dependency_overrides[current_user_optional] = lambda: {
-        "sub": "randomuserid",
-        "email": "test@mail.com",
-    }
+    _user = lambda: {"sub": "randomuserid", "email": "test@mail.com"}
+    app.dependency_overrides[current_user] = _user
+    app.dependency_overrides[current_user_optional] = _user
+    app.dependency_overrides[current_user_optional_if_public_mode] = _user
    yield
    del app.dependency_overrides[current_user]
    del app.dependency_overrides[current_user_optional]
+    del app.dependency_overrides[current_user_optional_if_public_mode]


@asynccontextmanager
 async def authenticated_client2_ctx():
    from reflector.app import app
-    from reflector.auth import current_user, current_user_optional
+    from reflector.auth import (
+        current_user,
+        current_user_optional,
+        current_user_optional_if_public_mode,
+    )

-    app.dependency_overrides[current_user] = lambda: {
-        "sub": "randomuserid2",
-        "email": "test@mail.com",
-    }
-    app.dependency_overrides[current_user_optional] = lambda: {
-        "sub": "randomuserid2",
-        "email": "test@mail.com",
-    }
+    _user = lambda: {"sub": "randomuserid2", "email": "test@mail.com"}
+    app.dependency_overrides[current_user] = _user
+    app.dependency_overrides[current_user_optional] = _user
+    app.dependency_overrides[current_user_optional_if_public_mode] = _user
    yield
    del app.dependency_overrides[current_user]
    del app.dependency_overrides[current_user_optional]
+    del app.dependency_overrides[current_user_optional_if_public_mode]


@pytest.fixture(scope="session")
--- a/server/tests/test_user_websocket_auth.py
+++ b/server/tests/test_user_websocket_auth.py
@@ -141,33 +141,19 @@ async def test_user_ws_accepts_valid_token_and_receives_events(appserver_ws_user
        await asyncio.sleep(0.2)

        # Emit an event to the user's room via a standard HTTP action
+        # Use a real HTTP request to the server with the JWT token so that
+        # current_user_optional_if_public_mode is exercised without dependency overrides
        from httpx import AsyncClient

-        from reflector.app import app
-        from reflector.auth import current_user, current_user_optional
-
-        # Override auth dependencies so HTTP request is performed as the same user
-        # Use the internal user.id (not the Authentik UID)
-        app.dependency_overrides[current_user] = lambda: {
-            "sub": user.id,
-            "email": "user-abc@example.com",
-        }
-        app.dependency_overrides[current_user_optional] = lambda: {
-            "sub": user.id,
-            "email": "user-abc@example.com",
-        }
-
-        # Use in-memory client (global singleton makes it share ws_manager)
-        async with AsyncClient(app=app, base_url=f"http://{host}:{port}/v1") as ac:
-            # Create a transcript as this user so that the server publishes TRANSCRIPT_CREATED to user room
-            resp = await ac.post("/transcripts", json={"name": "WS Test"})
+        async with AsyncClient(base_url=f"http://{host}:{port}/v1") as ac:
+            resp = await ac.post(
+                "/transcripts",
+                json={"name": "WS Test"},
+                headers={"Authorization": f"Bearer {token}"},
+            )
            assert resp.status_code == 200

        # Receive the published event
        msg = await ws.receive_json()
        assert msg["event"] == "TRANSCRIPT_CREATED"
        assert "id" in msg["data"]
-
-        # Clean overrides
-        del app.dependency_overrides[current_user]
-        del app.dependency_overrides[current_user_optional]