Fix/golden repo add index auth #730
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 8 commits
January 15, 2026 10:32
The endpoint /api/admin/golden-repos/{alias}/indexes existed but only
supported token-based authentication (API keys/JWT). The web UI uses
session-based authentication (cookies + CSRF token), causing "Missing
authentication credentials" error.
Solution: Created hybrid authentication dependency that tries both:
1. Session-based auth first (for web UI)
2. Token-based auth as fallback (for API clients)
Changes:
- Added get_current_admin_user_hybrid() to dependencies.py
- Checks session cookie first
- Falls back to JWT/API key auth
- Returns User with admin role
- Updated add_golden_repo_index endpoint in app.py
- Changed dependency from get_current_admin_user to get_current_admin_user_hybrid
- Added Request parameter for hybrid auth to access cookies
This allows the web UI JavaScript to successfully call the endpoint
using session auth while maintaining API client compatibility.
The hybrid auth was checking session.is_admin but SessionData only has a role attribute, not is_admin. This caused all session-based auth attempts to fail with 401. Changes: - Fixed session check to use session.role == "admin" instead of session.is_admin - Added proper error handling for invalid session/user scenarios - Only fall back to token auth if no session cookie exists - Return proper 401 with WWW-Authenticate header when no auth found This should now allow web UI to successfully authenticate when calling the golden repo add index endpoint.
Root cause: The fetch() call in golden_repo_indexes.js was not including credentials, so the session_id cookie was not sent with the request. This caused hybrid auth to see session_id=None and fail with 401 Unauthorized. Changes: - Added credentials: 'same-origin' to fetch options - Added INFO-level logging to hybrid auth to diagnose the issue The session cookie will now be sent with the API request, allowing hybrid auth to successfully authenticate web UI users.
ROOT CAUSE: Hybrid auth was looking for cookie 'session_id' but the actual session cookie is named 'session' (SESSION_COOKIE_NAME). This was discovered using Playwright automation to test the full flow: - Login succeeds and sets cookie named 'session' - API call to add index sent cookie but hybrid auth couldn't find it - Was looking for wrong cookie name Changes: - Import SESSION_COOKIE_NAME constant from auth.py - Use SESSION_COOKIE_NAME instead of hardcoded 'session_id' - Pass Request object to get_session() (was incorrectly passing cookie value) - Added Playwright test script for future debugging This should now allow web UI to successfully authenticate.
- Created get_current_user_hybrid() for non-admin endpoints
- Updated /api/jobs/{job_id} endpoint to use hybrid authentication
- Job polling from web UI now works with session-based auth
- Completes hybrid auth implementation for golden repo index management
- Revert global statement formatting to multi-line - Revert semantic query call formatting - Remove test_add_index.py (to be handled separately later) - Keep only essential functional changes for hybrid auth
- Extract common logic into _hybrid_auth_impl() internal function - get_current_user_hybrid() and get_current_admin_user_hybrid() are now thin wrappers - Reduces duplication by 11 lines while maintaining same functionality - Admin check is parameterized via require_admin boolean
- Remove unused imports (F401 errors) - Remove unused variables (F841 errors) - Apply black formatting to server code and tests - Required for server-fast-automation.sh to pass
jbendson
pushed a commit
that referenced
this pull request
Jan 19, 2026
Documents changes since v8.5.2: - Hybrid authentication for web UI endpoints (PR #730) - CSRF token handling fixes (PR #729) - Callback-based delegation job completion (Story #720) - Server stability improvements (Epic #733) This commit prepares for creating the v8.5.3 git tag, which will enable pipx installation at this version.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.