Events endpoints don't require auth when PREFECT_SERVER_API_AUTH_STRING is set #17687

@willhcr

Bug summary

Steps:

  1. Set PREFECT_SERVER_API_AUTH_STRING
  2. Run prefect server: prefect server start
  3. Confirm credentials are required to view the UI or access the API
  4. Run prefect events stream

Expected outcome:

Without setting PREFECT_API_AUTH_STRING I expect some kind of 401 error.

Actual outcome:

Displays events from the running server without authentication.

Version info

Version:             3.2.14
API version:         0.8.4
Python version:      3.12.9
Git commit:          efcde6dc
Built:               Fri, Mar 21, 2025 5:28 PM
OS/Arch:             linux/x86_64
Profile:             ephemeral
Server type:         server
Pydantic version:    2.10.6
Integrations:
  prefect-azure:     0.4.2

Additional context

It appears the API auth_string middleware only affects http and not websockets.
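
The behaviour suspected under "Additional context", an ASGI auth middleware that checks `http` scopes but lets `websocket` handshakes through, is shown here next to a version that checks both. This is an added example, not part of the original issue and not Prefect's code; the class names, the stand-in app, the sample credential and the Basic-style header check are assumptions.

```python
import asyncio, base64, hmac

AUTH_STRING = "admin:constructed-secret"  # constructed sample credential
EXPECTED = b"Basic " + base64.b64encode(AUTH_STRING.encode())

def authorized(scope):
    # Assumption: the credential arrives as a Basic-style Authorization header.
    supplied = dict(scope.get("headers", [])).get(b"authorization", b"")
    return hmac.compare_digest(supplied, EXPECTED)

async def events_app(scope, receive, send):
    # Hypothetical stand-in for the protected application.
    if scope["type"] == "websocket":
        await send({"type": "websocket.accept"})
    else:
        await send({"type": "http.response.start", "status": 200, "headers": []})
        await send({"type": "http.response.body", "body": b"ok"})

class HttpOnlyAuth:
    """Checks only 'http' scopes, so websocket handshakes pass through unchecked."""
    guarded = ("http",)

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] in self.guarded and not authorized(scope):
            if scope["type"] == "http":
                await send({"type": "http.response.start", "status": 401, "headers": []})
                await send({"type": "http.response.body", "body": b"Unauthorized"})
            else:
                # Closing before accept makes the server reject the handshake.
                await send({"type": "websocket.close", "code": 1008})
            return
        await self.app(scope, receive, send)

class AllScopesAuth(HttpOnlyAuth):
    """Same check, applied to websocket handshakes as well."""
    guarded = ("http", "websocket")

def probe(middleware, scope_type, header=None):
    """Drive one connection through the middleware; return the first ASGI message sent."""
    sent = []
    async def send(message):
        sent.append(message)
    async def receive():
        return {"type": f"{scope_type}.connect"}
    headers = [(b"authorization", header)] if header else []
    scope = {"type": scope_type, "headers": headers}
    asyncio.run(middleware(events_app)(scope, receive, send))
    return sent[0]
```

A regression test for this class of bug should assert that an unauthenticated websocket handshake is refused, not only that HTTP routes return 401.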
