fix(docker): enforce JWT on job endpoints instead of 500 (resolve credentials correctly) #1997
Open
jacksimplified wants to merge 1 commit into
The job router wired auth as Depends(lambda: _token_dep()), which prevents
FastAPI from resolving the Bearer credentials sub-dependency. With
security.jwt_enabled=true this raised AttributeError -> HTTP 500 on
/llm/job, /llm/job/{id}, /crawl/job, /crawl/job/{id} for every request
(with or without a token), making the async job endpoints unusable.
Replace the broken lambda with a module-level _job_token_dep that mirrors
auth.get_token_dependency: declare credentials properly so FastAPI resolves
the Bearer header, enforce a valid token when jwt_enabled is true, and
no-op when it is false (reading jwt_enabled from the injected _config).
Verified on the published image: job endpoints now return 401 without a
token, 401 on an invalid token, and proceed with a valid token; behavior
with jwt_enabled=false is unchanged.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What & why
Fixes #1996.
The job router wires its auth dependency as Depends(lambda: _token_dep()). Wrapping the dependency in a lambda prevents FastAPI from resolving the Bearer credentials sub-dependency declared inside jwt_required, so verify_token receives a Depends object and raises AttributeError → HTTP 500 whenever security.jwt_enabled is true. This affects all four job endpoints (/llm/job, /llm/job/{id}, /crawl/job, /crawl/job/{id}) for every request, with or without a token, making them unusable. With jwt_enabled: false the bug is masked because _token_dep is lambda: None.

Change
Replace the broken lambda with a module-level dependency _job_token_dep that mirrors auth.get_token_dependency:
- credentials properly (via HTTPBearer(auto_error=False)) so FastAPI resolves the Bearer header,
- jwt_enabled is true (401 otherwise),
- jwt_enabled is false,
- jwt_enabled from the injected _config, preserving the existing late-binding via init_job_router.

The four Depends(lambda: _token_dep()) are replaced with Depends(_job_token_dep).

Verified behavior (on the published image)
jwt_enabled: true:
- POST /llm/job no token
- POST /crawl/job no token
- POST /llm/job invalid token
- POST /llm/job valid token
- POST /md no token (control)

jwt_enabled: false:
- POST /llm/job no token
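
An added example, not part of the pull request or the project's code: a standard-library ast check that flags remaining Depends(lambda: f()) call sites of the kind described above, so the same wiring can be found on other routes. The router source, handler names and parameter names in the sample are constructed for illustration.

```python
import ast

# Constructed sample modelled on the router described above; not the project's file.
SAMPLE_ROUTER = '''
from fastapi import APIRouter, Depends
router = APIRouter()

@router.post("/llm/job")
async def llm_job(_td=Depends(lambda: _token_dep())):
    return {}

@router.get("/llm/job/{task_id}")
async def llm_status(task_id: str, _td=Depends(_job_token_dep)):
    return {}

@router.post("/crawl/job", dependencies=[Depends(lambda: _token_dep())])
async def crawl_job():
    return {}
'''


def find_lambda_wrapped_deps(source: str) -> list[tuple[int, str]]:
    """Return (line, callee) for each Depends(lambda: callee(...)) in source.

    Heuristic: a lambda whose body is a call hides the callee's own
    parameters from FastAPI, so any Depends(...) defaults declared on the
    callee reach it unresolved. A lambda returning a constant is not flagged.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name not in ("Depends", "Security"):
            continue
        # The dependency is the first positional argument or dependency=...
        candidates = list(node.args[:1])
        candidates += [k.value for k in node.keywords if k.arg == "dependency"]
        for dep in candidates:
            if isinstance(dep, ast.Lambda) and isinstance(dep.body, ast.Call):
                findings.append((dep.lineno, ast.unparse(dep.body.func)))
    return sorted(findings)


if __name__ == "__main__":
    for line, callee in find_lambda_wrapped_deps(SAMPLE_ROUTER):
        print(f"line {line}: Depends(lambda: {callee}(...)) hides sub-dependencies")
```

A finding is a prompt for review: it matters when the wrapped callee declares its own Depends(...) parameters, as jwt_required does here.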