fix(auth): honor AUTH_ENABLED=false on owner-scoped endpoints (no /login loop) (#880)

When the operator sets AUTH_ENABLED=false, three owner-scoped endpoints still
returned 401 (api/models, api/research/*, api/email/*), so the front-end
redirected the browser to /login and the app was unusable despite auth being
turned off. require_user() in src/auth_helpers.py already documents and honors
this contract (issue #622) via 'if _auth_disabled(): return ""', but these
endpoints did their own get_current_user/is_configured check without it.

Make _require_user (research), the /api/models anti-leak guard, and
email_helpers._require_auth consult _auth_disabled() and let anonymous through
(owner='') only when the operator explicitly disabled auth. The 401 protection
is fully intact when AUTH_ENABLED=true. Verified end-to-end: with
AUTH_ENABLED=false the SPA now loads instead of bouncing to /login.
Tatlatat
2026-06-02 10:26:26 +07:00
committed by GitHub
parent 66cd44b66d
commit ffb77d7ff2
3 changed files with 8 additions and 4 deletions
+2 -2
@@ -22,7 +22,7 @@ from src.endpoint_resolver import (
build_models_url,
build_headers,
)
from src.auth_helpers import owner_filter
from src.auth_helpers import _auth_disabled, owner_filter
logger = logging.getLogger(__name__)
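Review bot: `_auth_disabled` is a leading-underscore name in src.auth_helpers (module-private by Python convention), and this import turns it into a cross-module dependency of the /api/models guard. Consider exposing a public alias from src.auth_helpers (for example `auth_disabled()`, an assumed name) and importing that instead, or at minimum add a short comment at the import site stating that the helper is shared deliberately, so a later cleanup of auth_helpers does not silently drop the AUTH_ENABLED=false behaviour on this endpoint.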
@@ -586,7 +586,7 @@ def setup_model_routes(model_discovery):
# list to unauthenticated callers.
try:
auth_mgr = getattr(request.app.state, "auth_manager", None)
if not owner and auth_mgr is not None and getattr(auth_mgr, "is_configured", False):
if not owner and not _auth_disabled() and auth_mgr is not None and getattr(auth_mgr, "is_configured", False):
raise HTTPException(401, "Not authenticated")
except HTTPException:
raise
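Review bot: the replaced guard line now carries five clauses in a single `if`, and the comment directly above it (`# list to unauthenticated callers.`) no longer mentions the new exception, so a reader sees an anti-leak check that appears to be bypassed without explanation. Suggest hoisting the decision into a named boolean and extending the comment, e.g.
`auth_required = not _auth_disabled() and auth_mgr is not None and getattr(auth_mgr, "is_configured", False)`
`if not owner and auth_required:`
with the comment stating that the check is skipped only when the operator explicitly set AUTH_ENABLED=false. Since the commit message asserts the 401 protection is "fully intact" when AUTH_ENABLED=true, a regression test that sends an owner-less request with auth enabled and expects 401 would pin that property down alongside the new AUTH_ENABLED=false case.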