andrewmusselman opened a new issue, #19:
URL: https://github.com/apache/tooling-gofannon/issues/19

   ### Summary
   `routes.py:get_current_user` reads `settings.AUTH_CONFIG_PATH`, an attribute 
the `Settings` class does not define. The resulting `AttributeError` propagates 
up the dependency chain and surfaces as HTTP 500 on every authenticated 
endpoint whenever the caller's session cookie is missing, invalid, or expired. 
With a default 24-hour session TTL, every active user eventually trips this and 
sees the entire API go unusable from their browser tab.
    
   ### Details
   **Symptom (from production log, 2026-05-20):**
   ```
   GET /agents HTTP/1.1" 500 Internal Server Error
   GET /data-store/namespaces HTTP/1.1" 500 Internal Server Error
    
   ERROR uncaught_api_exception:
     File "/app/routes.py", line 159, in get_current_user
       if settings.AUTH_CONFIG_PATH:
          ^^^^^^^^^^^^^^^^^^^^^^^^^
   AttributeError: 'Settings' object has no attribute 'AUTH_CONFIG_PATH'.
     Did you mean: 'AUTH_CONFIG'?
   ```
    
   **Root cause:**
   The `Settings` class in `config/__init__.py` defines `AUTH_CONFIG` (the 
loaded dict) but not `AUTH_CONFIG_PATH` (the source path string). The 
AttributeError sat as a latent landmine masking a legacy auth-bypass branch — 
that branch would have returned a fake `local-dev-user` stub on any 
unauthenticated request. The bypass never fired because of the AttributeError, 
but the AttributeError itself now manifests as a 500 every time a session 
expires.
    
   **Impact:**
   - Every API endpoint becomes unusable for any user whose session expires.
   - No user-facing indication of cause — the UI shows generic "Failed to..." 
errors.
   - Active production incident; recurring on a per-session-TTL cadence.
    
   ### Remediation
   **Two changes that MUST land together** (applying either alone makes things 
worse):
    
   1. Add `AUTH_CONFIG_PATH` to the Settings class in `config/__init__.py`:
      ```python
      AUTH_CONFIG_PATH: str | None = os.getenv("AUTH_CONFIG_PATH")
      ```
   2. Remove the auth-bypass branch from `routes.py:get_current_user` so 
unauthenticated requests fail closed with a proper 401 instead of silently 
being granted access. The corrected function only honors session cookies and 
(optionally) Firebase tokens; everything else raises `HTTPException(401)`.
    
   Both changes are already drafted in the prod-migration bundle 
(`config/__init__.py` replacement and `PATCHES.md §1` for `routes.py`).
    
   ### Acceptance Criteria
   - [ ] Fixed: `AUTH_CONFIG_PATH` defined on `Settings` class
   - [ ] Fixed: `get_current_user` raises 401 (not 500) when no valid session 
cookie is present
   - [ ] Fixed: bypass code path (`local-dev-user` stub) removed entirely
   - [ ] Test added: unauthenticated request returns 401 with 
`WWW-Authenticate` header
   - [ ] Test added: expired session cookie returns 401 (not 500)
   - [ ] Verified: no `AttributeError` lines in api logs after restart
   - [ ] Verified: `curl -i /users/me` with no cookie returns 401, not 500
   - [ ] Documentation: production migration playbook section linked from this 
issue
    
   ### References
   - File: `webapp/packages/api/user-service/routes.py:159`
   - File: `webapp/packages/api/user-service/config/__init__.py`
   - Tracker: FIXES.md item #13
    
   ### Priority
   **Critical** - Active production incident. Every authenticated user hits 
this once per session TTL (default 24 hours). Fix is two file changes, already 
drafted. Unblocks ISSUE-010 (session expiry UX) which cannot detect 401s while 
this returns 500.
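
The three states the issue describes (current 500, step 1 alone, both steps together) can be modelled with the standard library only. This is an added example, not code from the gofannon repository: the `Unauthorized` class, the `call` helper, the session table, the `Bearer` header value and the exact shape of the legacy branch are assumptions; only the `settings.AUTH_CONFIG_PATH` read and the `local-dev-user` stub come from the report.

```python
import time

class Unauthorized(Exception):
    """Stand-in for HTTPException(401); the header value is an assumption."""
    status, headers = 401, {"WWW-Authenticate": "Bearer"}

class LegacySettings:                     # as reported: no AUTH_CONFIG_PATH attribute
    AUTH_CONFIG = {}

class PathOnlySettings(LegacySettings):   # remediation step 1 alone, env var unset
    AUTH_CONFIG_PATH = None

# Constructed sample sessions: cookie -> (user, expiry timestamp)
SESSIONS = {"good": ("alice", time.time() + 3600),
            "stale": ("bob", time.time() - 1)}

def session_user(cookie):
    """Return the user for a live session cookie, else None."""
    user, expires = SESSIONS.get(cookie, (None, 0))
    return user if expires > time.time() else None

def legacy_get_current_user(settings, cookie):
    user = session_user(cookie)
    if user:
        return user
    # Assumed shape of the legacy branch; only the attribute read is from the traceback.
    if settings.AUTH_CONFIG_PATH:
        raise Unauthorized()
    return "local-dev-user"               # fail-open stub named in the issue

def fixed_get_current_user(settings, cookie):
    user = session_user(cookie)
    if user is None:
        raise Unauthorized()              # fail closed: no stub, no settings lookup
    return user

def call(dep, settings, cookie):
    """Map a dependency's outcome to (status, headers, user) as a framework would."""
    try:
        return 200, {}, dep(settings, cookie)
    except Unauthorized as exc:
        return exc.status, exc.headers, None
    except Exception:                     # uncaught error surfaces as a generic 500
        return 500, {}, None
```

The second case is why the two changes have to ship together: once the attribute exists, the stub branch becomes reachable.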

