Default-deny auth at the API and UI router level#66505
Open
potiuk wants to merge 1 commit intoapache:mainfrom
Open
Default-deny auth at the API and UI router level#66505potiuk wants to merge 1 commit intoapache:mainfrom
potiuk wants to merge 1 commit intoapache:mainfrom
Conversation
Add `dependencies=[Depends(get_user)]` to `authenticated_router` (parent of every route under `/api/v2` except the explicit no-auth carve-outs `monitor_router`, `version_router`, and the public `auth_router`) and to `ui_router` (every route under `/ui`). Today every authenticated route already declares `GetUserDep` or a `requires_access_*` dependency that itself depends on `get_user`, so this is purely additive — FastAPI deduplicates the dependency via its per-request cache, so each request still resolves `get_user` once. The value is preventing a future route from being added under either router without an auth check: the router-level dependency catches the regression at registration time rather than at audit time. Add a structural test that asserts both routers carry the router-level `Depends(get_user)`, so a future refactor that drops the dependency without considering its purpose fails the test rather than silently widening the unauthenticated surface.
potiuk
requested review from
bugraoz93,
choo121600,
ephraimbuddy,
jason810496,
pierrejeambrun,
rawwar and
shubhamraj-git
as code owners
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add
dependencies=[Depends(get_user)]at theauthenticated_router(parent of every authenticated/api/v2route) andui_router(every/uiroute) constructors.Today every authenticated route already declares its own
GetUserDepor arequires_access_*dependency that itself depends onget_user, so this is purely additive — FastAPI deduplicates dependencies via its per-request cache, so each request still resolvesget_userexactly once. The value is preventing a future route from being added under either router without an auth check: the router-level dependency catches the regression at registration time rather than at audit time.Also adds a structural regression test that asserts both routers carry the router-level
Depends(get_user), so a future refactor that drops the dependency without understanding its purpose fails the test rather than silently widening the unauthenticated surface.The three explicit no-auth carve-outs (
monitor_routerfor/api/v2/monitor/health,version_routerfor/api/v2/version, the publicauth_routerfor/api/v2/auth/{login,logout}) are added topublic_routerdirectly rather than toauthenticated_router, so they remain unaffected.Was generative AI tooling used to co-author this PR?
Generated-by: Claude Opus 4.7 (1M context) following the guidelines