Yicong-Huang opened a new pull request, #5404:
URL: https://github.com/apache/texera/pull/5404
### What changes were proposed in this PR?
Replaces the lazy pass-through behavior in `common/auth/JwtAuthFilter` with
an RFC 6750 eager 401 + `WWW-Authenticate` challenge. Missing `Authorization`
throws the bare `Bearer` challenge; an invalid token throws
`error="invalid_token"` so a well-behaved client can distinguish "please log
in" from "your stored token is invalid, discard it". Valid tokens populate a
`SecurityContext` exactly as before.
Endpoints that need to serve anonymous traffic opt out with `@PermitAll`
(JSR-250). This PR audits every resource method in the 5 microservices and
applies `@PermitAll` where the lazy filter previously made it implicit:
- 5x `HealthCheckResource` (liveness probes)
- `AccessControlResource` `/auth/*` (routing proxy that authenticates itself
via `parseToken` in the resource body)
- `LiteLLMProxyResource` `/chat/*`, `LiteLLMModelsResource` `/models`
(preserve current "gated only by `guiWorkflowWorkspaceCopilotEnabled`"
behavior; whether these should require an authenticated user is a separate
hardening decision)
- `DatasetResource`: 5 endpoints with `/public-*` or `/publicVersion` paths,
plus `/{did}/cover` and `/{did}/cover-url` which already take `@Auth
Optional[SessionUser]` for opt-in user context
`UnauthorizedException` + `UnauthorizedExceptionMapper` carry the
`WWW-Authenticate` challenge to the JAX-RS edge. The exception extends
`RuntimeException` (not `WebApplicationException`) so unit tests can run
without a Jersey `RuntimeDelegate` on the classpath, and is constructed with
`writableStackTrace=false` to avoid `fillInStackTrace` cost on the auth hot
path.
### Any related issues, documentation, discussions?
Closes #4901. The earlier attempt at this fix, #4903, was reverted in #5025
because expired tokens from `localStorage` were piggy-backed onto
`/api/config/gui` and broke the login page (#5026). PR #5392 has since fixed
the frontend to drop expired tokens client-side (`skipWhenExpired: true`) and
clear the session reactively on 401, so this PR can now ship safely.
### How was this PR tested?
Added `JwtAuthFilterSpec` (header-missing / non-Bearer / invalid-token /
valid-token; method- and class-level `@PermitAll`; resource-info-absent
fallback) and `UnauthorizedExceptionMapperSpec`. Updated existing service specs
to expect 401 (from the filter) instead of 403 (from the role filter) for
missing-Authorization scenarios, and `*ServiceRunSpec` mocks verify the new
`UnauthorizedExceptionMapper` registration. `sbt Auth/test` + 4 service specs
all green; `sbt scalafmtCheckAll` clean.
### Was this PR authored or co-authored using generative AI tooling?
Generated-by: Claude Code (Opus 4.7)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
