fix(auth): gate api tokens from user routes (#2992)

tests/test_api_token_user_route_gate.py

@@ -0,0 +1,62 @@
+import asyncio
+from pathlib import Path
+from types import SimpleNamespace
+
+import pytest
+from fastapi import HTTPException
+
+from src import auth_helpers
+
+
+def _request(*, current_user="api", api_token=True, api_token_owner="alice"):
+    return SimpleNamespace(
+        state=SimpleNamespace(
+            current_user=current_user,
+            api_token=api_token,
+            api_token_owner=api_token_owner,
+        ),
+        app=SimpleNamespace(
+            state=SimpleNamespace(
+                auth_manager=SimpleNamespace(is_configured=True),
+            ),
+        ),
+        client=SimpleNamespace(host="203.0.113.10"),
+    )
+
+
+def test_require_user_rejects_api_token_pseudo_user(monkeypatch):
+    monkeypatch.setenv("AUTH_ENABLED", "true")
+    req = _request()
+
+    with pytest.raises(HTTPException) as exc:
+        auth_helpers.require_user(req)
+
+    assert exc.value.status_code == 403
+
+
+def test_require_authenticated_request_allows_api_token_owner(monkeypatch):
+    monkeypatch.setenv("AUTH_ENABLED", "true")
+    req = _request()
+
+    assert auth_helpers.require_authenticated_request(req) == "alice"
+
+
+def test_codex_as_owner_can_call_nested_user_routes(monkeypatch):
+    monkeypatch.setenv("AUTH_ENABLED", "true")
+    from routes.codex_routes import _as_owner
+
+    req = _request()
+
+    async def nested_handler(request):
+        return auth_helpers.require_user(request)
+
+    assert asyncio.run(_as_owner(req, "alice", nested_handler, req)) == "alice"
+    assert req.state.current_user == "api"
+    assert req.state.api_token is True
+
+
+def test_codex_plugin_downloads_use_general_authenticated_gate():
+    source = Path("routes/codex_routes.py").read_text(encoding="utf-8")
+
+    assert "require_authenticated_request" in source
+    assert source.count("require_authenticated_request(request)") == 2