Skip to content

fix(auth): skip tenant auth for all internal background tasks#240

Merged
nicoloboschi merged 1 commit into
vectorize-io:mainfrom
slayoffer:pr/background-task-auth-fix
Jan 30, 2026
Merged

fix(auth): skip tenant auth for all internal background tasks#240
nicoloboschi merged 1 commit into
vectorize-io:mainfrom
slayoffer:pr/background-task-auth-fix

Conversation

@slayoffer
Copy link
Copy Markdown
Contributor

@slayoffer slayoffer commented Jan 30, 2026

Summary

  • Remove public-schema guard from internal request authentication bypass

Problem

Internal background tasks (consolidation, async retain via worker) fail with AuthenticationError when using tenant extension on public schema. The worker doesn't have an API key, and the previous code only skipped auth for non-public schemas.

The original logic was:

if request_context.internal:
    current = _current_schema.get()
    if current and current != "public":
        return current

This breaks async HTTP retain (async_processing=True) because:

  1. Task is submitted and queued (authenticated at submission time)
  2. Worker picks up task, sets internal context
  3. Worker tries to execute but has no API key
  4. Auth fails because schema is "public" (default)

Solution

Since tasks were already authenticated at submission time, skip tenant auth for ALL internal requests:

if request_context.internal:
    return _current_schema.get()

Test plan

  • Async document upload works with tenant extension enabled
  • Consolidation tasks complete successfully
  • Tenant isolation still enforced for external requests

🤖 Generated with Claude Code

@slayoffer
fix(auth): skip tenant auth for all internal background tasks
7558e90 
Previously, _authenticate_tenant only skipped extension auth for
internal requests when _current_schema was set to a non-public schema.
This caused async HTTP retain (document upload with async_processing=True)
to fail with AuthenticationError because the worker had no API key and
the schema was "public".

Remove the public-schema guard since internal tasks were already
authenticated at submission time. The worker sets _current_schema from
the task's _schema field for tenant schemas, and it defaults to "public"
for public schema tasks — both are valid.
nicoloboschi
nicoloboschi approved these changes Jan 30, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@nicoloboschi nicoloboschi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nicoloboschi nicoloboschi merged commit d57e863 into vectorize-io:main Jan 30, 2026
18 of 26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicoloboschi nicoloboschi nicoloboschi approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@slayoffer @nicoloboschi