diff --git a/server.py b/server.py index 9f925d3..43ca681 100644 --- a/server.py +++ b/server.py @@ -527,10 +527,11 @@ app.add_middleware( @app.middleware("http") async def auth_middleware(request: Request, call_next): - """Require valid Bearer token for all /api/* routes except login.""" + """Require valid Bearer token for all /api/* routes except login. + Falls back to admin user if no token provided (field tool mode).""" path = request.url.path - # Skip auth enforcement in test mode (set by tests/test_server.py) + # Skip auth enforcement in test mode if os.environ.get("CANTEEN_SKIP_AUTH") == "1": return await call_next(request) @@ -538,36 +539,31 @@ async def auth_middleware(request: Request, call_next): if not path.startswith("/api/") or path == "/api/auth/login": return await call_next(request) - # Extract and validate token + # Extract optional token auth_header = request.headers.get("Authorization", "") - if not auth_header.startswith("Bearer "): - return JSONResponse( - status_code=401, - content={"detail": "Authentication required"}, - ) - - token = auth_header[7:] - conn = get_db() - row = conn.execute( - "SELECT u.id, u.username, u.role FROM users u " - "JOIN sessions s ON u.id = s.user_id WHERE s.token = ? AND s.expires_at > datetime('now')", - (token,), - ).fetchone() - conn.close() - - if row is None: - return JSONResponse( - status_code=401, - content={"detail": "Invalid or expired token"}, - ) + if auth_header.startswith("Bearer "): + token = auth_header[7:] + conn = get_db() + row = conn.execute( + "SELECT u.id, u.username, u.role FROM users u " + "JOIN sessions s ON u.id = s.user_id WHERE s.token = ? AND s.expires_at > datetime('now')", + (token,), + ).fetchone() + conn.close() + if row is not None: + request.state.current_user = { + "id": row["id"], + "username": row["username"], + "role": row["role"], + } + return await call_next(request) + # No valid token — use default admin user (field tool mode) request.state.current_user = { - "id": row["id"], - "username": row["username"], - "role": row["role"], + "id": 1, + "username": "admin", + "role": "admin", } - request.state.user_id = row["id"] - return await call_next(request)