fix(auth): synthesize AuthInfo(kind="bearer") in _build_request_context#577
Merged
fix(auth): synthesize AuthInfo(kind="bearer") in _build_request_context#577
Conversation
…xt for bearer flows Completes the bearer-adopter typed surface started by #574. PR #574 made ctx.auth_principal populate from the BearerTokenAuthMiddleware ContextVar; this addresses the deeper structural gap — ctx.auth_info itself was None on bearer flows, so adopters couldn't branch on ctx.auth_info.kind to discriminate signed-request vs bearer. _build_request_context now synthesizes AuthInfo(kind="bearer", principal=<from current_principal>, credential=None) when no AuthInfo is supplied and the bearer ContextVar is populated. credential=None is passed explicitly to bypass the AuthInfo.__post_init__ flat-field synthesis path and its accompanying DeprecationWarning (see context.py:396-426: the sentinel default fires synthesis, an explicit None does not). The synthesized AuthInfo carries only kind + principal — bearer tokens are opaque to the SDK; adopters who want richer data (key_id, scopes) can write their own context_factory. User-visible behavior shift for bearer adopters: ctx.auth_info: None → AuthInfo(kind="bearer", ...). Adopter code that gated on `if ctx.auth_info is None` to detect bearer flow now needs `ctx.auth_info.kind == "bearer"` instead — mirrors the #574 callout style. Closes #576
bokelley
force-pushed
the
bokelley/issue-576-bearer-auth-info
branch
from
0ce47f3 to
10927fe
Compare
This was referenced May 4, 2026
Open
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #576
Summary
Completes the bearer-adopter typed surface started by #574. PR #574 made
ctx.auth_principalpopulate from theBearerTokenAuthMiddlewareContextVar; this PR addresses the deeper structural gap —ctx.auth_infoitself wasNoneon bearer flows, so adopters couldn't branch onctx.auth_info.kindto discriminate signed-request vs bearer.Mechanic
_build_request_contextnow synthesizesAuthInfo(kind="bearer", principal=<from current_principal>, credential=None)when noAuthInfois supplied and the bearer ContextVar is populated.credential=Noneis passed explicitly to bypass theAuthInfo.__post_init__flat-field synthesis path and its accompanyingDeprecationWarning— see context.py:396-426: the sentinel default fires synthesis, an explicitNonedoes not. This makes the synthesis future-proof past the 4.5.0 synthesis removal.The synthesized
AuthInfocarries onlykind+principal— bearer tokens are opaque to the SDK, so we don't knowkey_id/scopes. Adopters who want richer data can write their owncontext_factory.Behavior shift
Bearer adopters:
ctx.auth_info: None → AuthInfo(kind="bearer", ...). Adopter code that gated onif ctx.auth_info is Noneto detect bearer flow now needsctx.auth_info.kind == "bearer"instead. Mirrors the #574 callout style.Test plan
test_build_request_context_falls_back_to_bearer_context_varto assertctx.auth_info.kind == "bearer"andctx.auth_info.principal == bearer_principaltest_build_request_context_bearer_auth_info_does_not_warnpinning the no-DeprecationWarningbehavior (the spike's "(b) is clean" claim)test_build_request_context_auth_info_takes_precedence_over_bearer_varstill passes — explicitAuthInfowins over the bearer fallbackpytest tests/— 4168 passed, 24 skipped, 1 xfailedruff check src/,mypy src/adcp/— clean