fix(auth): prioritize OAuth credentials over anonymous fallback#1089
Conversation
Move the anonymous fallback to the end of the authentication flow so OAuth credentials are checked before falling back to anonymous access. Anonymous-compatible commands could return early before checking OAuth credentials, causing authenticated users to make anonymous requests and preventing access to private resources. Add unit tests for the authentication flow.
|
/gcbrun |
|
@erdalsivri Could you take a quick look at this one? I think it is fine but would like an expert's opinion. |
| return | ||
| if self._authenticate_with_oauth_creds(): | ||
| return | ||
| if self._authenticate_anonymously(): |
There was a problem hiding this comment.
Good catch! If I understand correctly, we call the legacy auth method first, which returns true even if there is no token but the command supports anonymous. Now we do that check last so OAuth token will be used (if exists) for all commands.
There was a problem hiding this comment.
Yes, exactly. Previously, the legacy auth and anonymous fallback were handled inside the same method (_authenticate_with_legacy_apikey). Because it checked them together, anonymous-friendly commands could return True early, blocking OAuth from being evaluated.
Now the two are completely separated, OAuth gets checked first, and anonymous access is a fallback at a late stage.
|
Great! Looks like this will be ready to merge once the formatting is fixed. |
8e5d2e8 to
3b49ec7
Compare
|
/gcbrun |
Summary
This PR fixes an authentication flow issue where OAuth credentials could be skipped for commands that also support anonymous access.
Issue
The authentication flow checked for anonymous-compatible commands before attempting OAuth authentication.
As a result, commands such as:
could run anonymously even when the user was authenticated via
kaggle auth login. This caused requests for private resources to fail with403 Forbiddenor404 Not Founderrors.Fix
Behavior
Before
After
Authentication Order
Before:
After: