Remove auth: fall back to default admin user when no token provided (field tool mode)
This commit is contained in:
@@ -527,10 +527,11 @@ app.add_middleware(
|
|||||||
|
|
||||||
@app.middleware("http")
|
@app.middleware("http")
|
||||||
async def auth_middleware(request: Request, call_next):
|
async def auth_middleware(request: Request, call_next):
|
||||||
"""Require valid Bearer token for all /api/* routes except login."""
|
"""Require valid Bearer token for all /api/* routes except login.
|
||||||
|
Falls back to admin user if no token provided (field tool mode)."""
|
||||||
path = request.url.path
|
path = request.url.path
|
||||||
|
|
||||||
# Skip auth enforcement in test mode (set by tests/test_server.py)
|
# Skip auth enforcement in test mode
|
||||||
if os.environ.get("CANTEEN_SKIP_AUTH") == "1":
|
if os.environ.get("CANTEEN_SKIP_AUTH") == "1":
|
||||||
return await call_next(request)
|
return await call_next(request)
|
||||||
|
|
||||||
@@ -538,36 +539,31 @@ async def auth_middleware(request: Request, call_next):
|
|||||||
if not path.startswith("/api/") or path == "/api/auth/login":
|
if not path.startswith("/api/") or path == "/api/auth/login":
|
||||||
return await call_next(request)
|
return await call_next(request)
|
||||||
|
|
||||||
# Extract and validate token
|
# Extract optional token
|
||||||
auth_header = request.headers.get("Authorization", "")
|
auth_header = request.headers.get("Authorization", "")
|
||||||
if not auth_header.startswith("Bearer "):
|
if auth_header.startswith("Bearer "):
|
||||||
return JSONResponse(
|
token = auth_header[7:]
|
||||||
status_code=401,
|
conn = get_db()
|
||||||
content={"detail": "Authentication required"},
|
row = conn.execute(
|
||||||
)
|
"SELECT u.id, u.username, u.role FROM users u "
|
||||||
|
"JOIN sessions s ON u.id = s.user_id WHERE s.token = ? AND s.expires_at > datetime('now')",
|
||||||
token = auth_header[7:]
|
(token,),
|
||||||
conn = get_db()
|
).fetchone()
|
||||||
row = conn.execute(
|
conn.close()
|
||||||
"SELECT u.id, u.username, u.role FROM users u "
|
if row is not None:
|
||||||
"JOIN sessions s ON u.id = s.user_id WHERE s.token = ? AND s.expires_at > datetime('now')",
|
request.state.current_user = {
|
||||||
(token,),
|
"id": row["id"],
|
||||||
).fetchone()
|
"username": row["username"],
|
||||||
conn.close()
|
"role": row["role"],
|
||||||
|
}
|
||||||
if row is None:
|
return await call_next(request)
|
||||||
return JSONResponse(
|
|
||||||
status_code=401,
|
|
||||||
content={"detail": "Invalid or expired token"},
|
|
||||||
)
|
|
||||||
|
|
||||||
|
# No valid token — use default admin user (field tool mode)
|
||||||
request.state.current_user = {
|
request.state.current_user = {
|
||||||
"id": row["id"],
|
"id": 1,
|
||||||
"username": row["username"],
|
"username": "admin",
|
||||||
"role": row["role"],
|
"role": "admin",
|
||||||
}
|
}
|
||||||
request.state.user_id = row["id"]
|
|
||||||
|
|
||||||
return await call_next(request)
|
return await call_next(request)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user