feat(messaging): external auth backend + internal-token auth path (PR-5c)#26
Merged
govindkavaturi-art merged 1 commit intomainfrom May 2, 2026
Merged
Conversation
…-5c) PR-5c of the Dock-readiness PRD (https://trydock.ai/dock/prd/cueapi-port). Lets self-host integrators (Dock first; future others) bring their own user identity system and authenticate cueapi-core via a shared service-to-service token instead of per-user API keys. What lands ---------- * New env vars in ``app/config.py``: - ``EXTERNAL_AUTH_BACKEND`` (bool, default False) — flag that activates the new auth + endpoint surface. - ``INTERNAL_AUTH_TOKEN`` (str, required when flag is True) — the shared bearer token. Recommended: ``secrets.token_urlsafe(48)``. * New auth path in ``app/auth.py:get_current_user``: When the flag is on AND the request's bearer matches INTERNAL_AUTH_TOKEN (constant-time HMAC compare), the request is treated as service-to-service. Caller declares acting user via ``X-On-Behalf-Of: <user_uuid>`` header. New helper ``_auth_via_internal_token`` resolves the header to a User row. * New endpoint ``PUT /v1/internal/users/{user_id}`` in ``app/routers/internal_users.py``: Idempotent upsert keyed by UUID. Required body: ``email``, ``slug``. Optional: plan, all four limit fields. First call creates with defaults; subsequent calls update. Auth: only requests bearing INTERNAL_AUTH_TOKEN (constant-time compare). Conditionally mounted in ``app/main.py`` only when EXTERNAL_AUTH_BACKEND=True — default deployments don't expose ``/v1/internal/*`` at all. Per Dock's PRD §"Open question 2" the EXTERNAL_AUTH_BACKEND flag and DISABLE_DEVICE_CODE flag (PR-5d) are independent. PR-5c only adds the token + endpoint paths; integrators who want to ALSO strip the email- magic-link signup flow set DISABLE_DEVICE_CODE=True separately. The two flags compose without conflict. Important property: the new internal-token path is ADDITIVE, not replacing. Per-user API-key auth (cue_sk_*) and JWT session auth remain available alongside it. Self-hosters can run mixed traffic during migration. Tests ----- tests/test_dock_readiness_external_auth.py (3 classes, 9 cases): * TestExternalAuthDefaultOff: - internal/users route absent when flag off - internal-token auth unreachable when flag off (request with matching token still falls through to per-user lookup → 401) * TestExternalAuthFlagOn: - internal/users mounts when flag on - upsert creates a new user, idempotent re-call updates without clobbering fields the caller didn't pass - upsert with wrong token → 401 invalid_internal_token - internal-token + valid X-On-Behalf-Of → request authenticates - internal-token without X-On-Behalf-Of → 400 with explicit code - internal-token + nonexistent user UUID → 404 user_not_found (integrator must upsert first) * TestLegacyPathsStillWork: - per-user cue_sk_* path still 401s with invalid_api_key (not some internal-token-related error) when flag is on, proving legacy auth is still active Tests use the same ``_patch_settings`` + ``_reimport_main`` pattern from PR-5d so the FastAPI app object re-evaluates router mounts. Settings restored on exit; no test pollutes neighboring tests. What's NOT in this PR --------------------- * PR-5a Multi-shell same-agent claims (separate, schema change) * PR-5b Pluggable cross-user authz hook (separate) * PR-5d Operational packaging knobs (already shipped — DISABLE_*) Each PR-5 sub-feature is independent and can land in any order. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Parity checkThis PR modifies files tracked in
Please confirm one of the following in a reply or PR description update:
This is a soft check — it does not block merge. The goal is visibility, not friction. See HOSTED_ONLY.md for the open-core policy. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
tl;dr
PR-5c of the Dock-readiness PRD. Lets self-host integrators bring their own user identity system and authenticate cueapi-core via a shared service-to-service token.
What lands
How Dock will use this
```
EXTERNAL_AUTH_BACKEND=true
INTERNAL_AUTH_TOKEN= # python -c "import secrets; print(secrets.token_urlsafe(48))"
DISABLE_DEVICE_CODE=true # from PR-5d
DISABLE_CUE_PRIMITIVE=true # from PR-5d
DISABLE_QUOTA_ENFORCEMENT=true # from PR-5d
```
Then Dock-side flow:
Backward compatibility
The new internal-token path is additive. Per-user API-key auth (`cue_sk_*`) and JWT session auth remain available. Self-hosters can run mixed traffic during migration. Pinned by `TestLegacyPathsStillWork`.
Tests
```
tests/test_dock_readiness_external_auth.py::TestExternalAuthDefaultOff (2 cases)
tests/test_dock_readiness_external_auth.py::TestExternalAuthFlagOn (6 cases)
tests/test_dock_readiness_external_auth.py::TestLegacyPathsStillWork (1 case)
```
Test plan
🤖 Generated with Claude Code