potiuk opened a new pull request, #66505:
URL: https://github.com/apache/airflow/pull/66505

   Add `dependencies=[Depends(get_user)]` at the `authenticated_router` (parent 
of every authenticated `/api/v2` route) and `ui_router` (every `/ui` route) 
constructors.
   
   Today every authenticated route already declares its own `GetUserDep` or a 
`requires_access_*` dependency that itself depends on `get_user`, so this is 
purely additive — FastAPI deduplicates dependencies via its per-request cache, 
so each request still resolves `get_user` exactly once. The value is preventing 
a future route from being added under either router without an auth check: the 
router-level dependency catches the regression at registration time rather than 
at audit time.
   
   Also adds a structural regression test that asserts both routers carry the 
router-level `Depends(get_user)`, so a future refactor that drops the 
dependency without understanding its purpose fails the test rather than 
silently widening the unauthenticated surface.
   
   The three explicit no-auth carve-outs (`monitor_router` for 
`/api/v2/monitor/health`, `version_router` for `/api/v2/version`, the public 
`auth_router` for `/api/v2/auth/{login,logout}`) are added to `public_router` 
directly rather than to `authenticated_router`, so they remain unaffected.
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Opus 4.7 (1M context)
   
   Generated-by: Claude Opus 4.7 (1M context) following [the 
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)

