Remove auth: fall back to default admin user when no token provided (field tool mode)

This commit is contained in:
2026-05-28 22:03:58 -04:00
parent f3d176116a
commit 7c1ceafc6b
+24 -28
View File
@@ -527,10 +527,11 @@ app.add_middleware(
@app.middleware("http") @app.middleware("http")
async def auth_middleware(request: Request, call_next): async def auth_middleware(request: Request, call_next):
"""Require valid Bearer token for all /api/* routes except login.""" """Require valid Bearer token for all /api/* routes except login.
Falls back to admin user if no token provided (field tool mode)."""
path = request.url.path path = request.url.path
# Skip auth enforcement in test mode (set by tests/test_server.py) # Skip auth enforcement in test mode
if os.environ.get("CANTEEN_SKIP_AUTH") == "1": if os.environ.get("CANTEEN_SKIP_AUTH") == "1":
return await call_next(request) return await call_next(request)
@@ -538,36 +539,31 @@ async def auth_middleware(request: Request, call_next):
if not path.startswith("/api/") or path == "/api/auth/login": if not path.startswith("/api/") or path == "/api/auth/login":
return await call_next(request) return await call_next(request)
# Extract and validate token # Extract optional token
auth_header = request.headers.get("Authorization", "") auth_header = request.headers.get("Authorization", "")
if not auth_header.startswith("Bearer "): if auth_header.startswith("Bearer "):
return JSONResponse( token = auth_header[7:]
status_code=401, conn = get_db()
content={"detail": "Authentication required"}, row = conn.execute(
) "SELECT u.id, u.username, u.role FROM users u "
"JOIN sessions s ON u.id = s.user_id WHERE s.token = ? AND s.expires_at > datetime('now')",
token = auth_header[7:] (token,),
conn = get_db() ).fetchone()
row = conn.execute( conn.close()
"SELECT u.id, u.username, u.role FROM users u " if row is not None:
"JOIN sessions s ON u.id = s.user_id WHERE s.token = ? AND s.expires_at > datetime('now')", request.state.current_user = {
(token,), "id": row["id"],
).fetchone() "username": row["username"],
conn.close() "role": row["role"],
}
if row is None: return await call_next(request)
return JSONResponse(
status_code=401,
content={"detail": "Invalid or expired token"},
)
# No valid token — use default admin user (field tool mode)
request.state.current_user = { request.state.current_user = {
"id": row["id"], "id": 1,
"username": row["username"], "username": "admin",
"role": row["role"], "role": "admin",
} }
request.state.user_id = row["id"]
return await call_next(request) return await call_next(request)