Fix authentication to support both header and cookie auth

All API endpoints now use require_auth or get_current_user which handle
both Authorization header (for CLI) and cookies (for browser). Previously
many endpoints only checked cookies via get_user_from_cookie.

Changed files:
- runs.py: list_runs, run_detail, run_plan, run_artifacts, plan_node_detail, ui_discard_run
- recipes.py: list_recipes, get_recipe, ui_discard_recipe
- storage.py: list_storage, add_storage_form, delete_storage, test_storage, storage_type_page
- cache.py: get_cached, list_media, get_metadata_form, update_metadata_htmx

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
gilesb
2026-01-12 14:56:52 +00:00
parent 79a74df2bb
commit 280dddebd0
4 changed files with 19 additions and 128 deletions


@@ -16,7 +16,7 @@ from artdag_common import render
from artdag_common.middleware import wants_html, wants_json
from artdag_common.middleware.auth import UserContext
from ..dependencies import require_auth, get_templates, get_redis_client, get_cache_manager
from ..dependencies import require_auth, get_current_user, get_templates, get_redis_client, get_cache_manager
from ..services.auth_service import AuthService
from ..services.recipe_service import RecipeService
from ..types import (
@@ -365,17 +365,9 @@ async def list_recipes(
offset: int = 0,
limit: int = 20,
recipe_service: RecipeService = Depends(get_recipe_service),
ctx: UserContext = Depends(require_auth),
):
"""List available recipes."""
auth_service = AuthService(get_redis_client())
ctx = auth_service.get_user_from_cookie(request)
if not ctx:
if wants_json(request):
raise HTTPException(401, "Authentication required")
from fastapi.responses import RedirectResponse
return RedirectResponse(url="/auth", status_code=302)
recipes = await recipe_service.list_recipes(ctx.actor_id, offset=offset, limit=limit)
has_more = len(recipes) >= limit
@@ -402,17 +394,9 @@ async def get_recipe(
recipe_id: str,
request: Request,
recipe_service: RecipeService = Depends(get_recipe_service),
ctx: UserContext = Depends(require_auth),
):
"""Get recipe details."""
auth_service = AuthService(get_redis_client())
ctx = auth_service.get_user_from_cookie(request)
if not ctx:
if wants_json(request):
raise HTTPException(401, "Authentication required")
from fastapi.responses import RedirectResponse
return RedirectResponse(url="/auth", status_code=302)
recipe = await recipe_service.get_recipe(recipe_id)
if not recipe:
raise HTTPException(404, "Recipe not found")
@@ -640,9 +624,7 @@ async def ui_discard_recipe(
recipe_service: RecipeService = Depends(get_recipe_service),
):
"""HTMX handler: discard a recipe."""
auth_service = AuthService(get_redis_client())
ctx = auth_service.get_user_from_cookie(request)
ctx = await get_current_user(request)
if not ctx:
return HTMLResponse('<div class="text-red-400">Login required</div>', status_code=401)
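Review bot: In the get_recipe hunk, the `ctx` injected by `Depends(require_auth)` is not used in the visible lines: `recipe_service.get_recipe(recipe_id)` is called without `ctx.actor_id`, whereas list_recipes scopes its query to the caller. Unless an ownership check follows further down (the function body continues outside the hunk), authentication alone decides who can read a recipe by id, and this commit widens that to header-authenticated clients; compare the recipe's owner with `ctx.actor_id` and answer 404 on mismatch, or at least record where it is enforced with `# require_auth only authenticates; ownership of recipe_id is checked in <location>`. Separately, list_recipes and get_recipe lose the explicit 302 to /auth for HTML clients, so confirm that require_auth still redirects browsers instead of returning a bare 401. ui_discard_recipe still calls `get_current_user(request)` by hand rather than using the dependency, and as a state-changing handler that accepts cookie auth it relies on CSRF protection that is not visible in this diff.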