Skip to content

Make Modal gateway auth optional until configured#467

Merged
MaxGhenis merged 1 commit intomainfrom
modal-gateway-auth-optional
Apr 26, 2026
Merged

Make Modal gateway auth optional until configured#467
MaxGhenis merged 1 commit intomainfrom
modal-gateway-auth-optional

Conversation

@MaxGhenis
Copy link
Copy Markdown
Contributor

@MaxGhenis MaxGhenis commented Apr 26, 2026

Summary

  • Preserve the current public-gateway behavior when no gateway auth issuer/audience is configured.
  • Keep failing closed for partial auth config, or for missing auth config when GATEWAY_AUTH_REQUIRED=1.
  • Sync a policyengine-gateway-auth Modal secret during deploy and attach it to the gateway app, so auth can be enabled by setting GATEWAY_AUTH_ISSUER, GATEWAY_AUTH_AUDIENCE, and GATEWAY_AUTH_REQUIRED.

Why

#466 deployed to beta, but beta integration failed because the gateway started enforcing auth without any GATEWAY_AUTH_* config in this repo. Production deploy was skipped, so production is still on the older unauthenticated gateway. This keeps the deployment unblocked while leaving a clean switch for real auth enforcement once credentials are configured.

Testing

  • env -u UV_FROZEN uv run pytest tests/gateway/test_auth.py tests/gateway/test_endpoints.py tests/test_modal_scripts.py -q
  • env -u UV_FROZEN uv run pytest -q
  • env -u UV_FROZEN uv run --with ruff ruff format --check src

@MaxGhenis MaxGhenis merged commit 2ab14ae into main Apr 26, 2026
4 checks passed
@MaxGhenis MaxGhenis deleted the modal-gateway-auth-optional branch April 26, 2026 14:42
@MaxGhenis MaxGhenis mentioned this pull request Apr 26, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@MaxGhenis