
feat(auth): add JWT Bearer token authentication support #74

Open

arne-aignx wants to merge 1 commit into main from feat/bearer-auth


Conversation


@arne-aignx arne-aignx commented May 27, 2026

Summary

  • Extends api.auth to accept Auth0 JWT Bearer tokens alongside existing cookie-based sessions
  • Bearer auth is opt-in via AUTH_JWT_ENABLED=true and AUTH_JWT_AUDIENCE=<audience>; each require_* dependency tries Bearer first, then falls back to cookie
  • Adds JWKS fetching with per-domain in-memory TTL cache (AUTH0_JWKS_CACHE_TTL = 3600s)
  • New AuthSettings fields: cookie_enabled (primary name, replaces deprecated enabled), jwt_enabled, jwt_audience
  • New Bearer HTTPBearer security schemes for all four OpenAPI dependency variants
  • New deps: PyJWT[cryptography]>=2.10,<3, httpx>=0.28,<1

Test plan

  • mise run lint passes (ruff + pyright)
  • mise run test_unit passes (all existing + new AuthSettings and _validate_jwt unit tests)
  • mise run test_integration passes
  • AUTH_JWT_ENABLED=false (default): Bearer tokens are ignored, cookie path unchanged
  • AUTH_JWT_ENABLED=true with valid Bearer token: JWT validated, cookie path skipped
  • AUTH_JWT_ENABLED=true with invalid/expired Bearer token: falls back to cookie

🤖 Generated with Claude Code
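The description above covers the three moving parts without showing them together: Bearer first with cookie fallback, a per-domain JWKS cache with a TTL, and PyJWT validation against a fixed audience. The following is an added example, not code from this PR or from the aignostics_foundry_core project. Everything in it is an assumption for illustration: the function names (`verify_bearer`, `authenticate`, `demo`), the `JwksCache` and `AuthSettings` classes, the constructed tenant domain and audience, the in-memory JWKS document standing in for an HTTP fetch of `https://<domain>/.well-known/jwks.json`, and the Auth0-style issuer `https://<domain>/`. It pins `algorithms=["RS256"]` so an `alg: none` or HS256 forgery is rejected, refetches the JWKS once on an unknown `kid` to survive key rotation, and exercises the expired, wrong-audience and unknown-key cases the test plan lists.

```python
"""Added example (not the PR's code): Bearer-then-cookie auth with a per-domain JWKS TTL cache."""
import base64
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

import jwt  # PyJWT[cryptography]
from cryptography.hazmat.primitives.asymmetric import rsa
from jwt.algorithms import RSAAlgorithm


@dataclass
class JwksCache:
    """Per-domain cache of {kid: public key} with a TTL. Names and shape are illustrative."""
    fetch: Callable[[str], dict]            # domain -> parsed JWKS document (HTTP in production)
    ttl: float = 3600.0                     # same default as the PR's AUTH0_JWKS_CACHE_TTL
    clock: Callable[[], float] = time.time  # injectable so the TTL can be tested
    _entries: dict = field(default_factory=dict)
    fetch_count: int = 0

    def _refresh(self, domain: str) -> dict:
        doc = self.fetch(domain)
        self.fetch_count += 1
        keys = {k["kid"]: RSAAlgorithm.from_jwk(json.dumps(k))
                for k in doc["keys"] if k.get("kty") == "RSA" and "kid" in k}
        self._entries[domain] = (self.clock(), keys)
        return keys

    def key_for(self, domain: str, kid: str):
        entry = self._entries.get(domain)
        if entry is None or self.clock() - entry[0] >= self.ttl:
            keys = self._refresh(domain)
        else:
            keys = entry[1]
        if kid not in keys:
            # Unknown kid may mean the IdP rotated keys: refetch once. Rate-limit this in
            # production, since any client can trigger it with a made-up kid.
            keys = self._refresh(domain)
        return keys.get(kid)


@dataclass
class AuthSettings:
    jwt_enabled: bool = False
    jwt_audience: str = ""
    auth0_domain: str = ""
    cookie_enabled: bool = True


def verify_bearer(token: str, *, domain: str, audience: str, cache: JwksCache) -> Optional[dict]:
    """Return verified claims, or None if the token must not be trusted."""
    try:
        kid = jwt.get_unverified_header(token).get("kid")
        key = cache.key_for(domain, kid) if kid else None
        if key is None:
            return None
        return jwt.decode(
            token, key=key,
            algorithms=["RS256"],           # pinned: never take the algorithm from the token header
            audience=audience,
            issuer=f"https://{domain}/",    # assumed Auth0-style issuer with trailing slash
            options={"require": ["exp", "iat", "sub"]},
        )
    except jwt.PyJWTError:
        return None


def authenticate(headers: dict, cookies: dict, settings: AuthSettings,
                 cache: JwksCache, sessions: dict) -> Optional[dict]:
    """Bearer first (when enabled), then cookie session, as the PR describes. None means 401."""
    auth = headers.get("authorization", "")
    if settings.jwt_enabled and auth.lower().startswith("bearer "):
        claims = verify_bearer(auth[7:].strip(), domain=settings.auth0_domain,
                               audience=settings.jwt_audience, cache=cache)
        if claims is not None:
            return {"sub": claims["sub"], "via": "bearer"}
        # Invalid Bearer falls through to the cookie path (the behaviour the PR states).
    if settings.cookie_enabled:
        user = sessions.get(cookies.get("session", ""))
        if user is not None:
            return {"sub": user, "via": "cookie"}
    return None


def demo() -> dict:
    """Build an in-memory IdP stand-in (constructed data) and exercise every branch."""
    domain, audience = "tenant.example.auth0.com", "https://api.example.com"  # constructed
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    jwk = json.loads(RSAAlgorithm.to_jwk(priv.public_key()))
    jwk.update({"kid": "key-1", "alg": "RS256", "use": "sig"})
    jwks = {"keys": [jwk]}
    cache = JwksCache(fetch=lambda _domain: jwks)
    settings = AuthSettings(jwt_enabled=True, jwt_audience=audience, auth0_domain=domain)
    sessions = {"s3ss10n": "cookie-user"}
    now = int(time.time())

    def claims(exp: int, aud: str = audience) -> dict:
        return {"iss": f"https://{domain}/", "sub": "auth0|alice", "aud": aud, "iat": now, "exp": exp}

    def mint(exp: int, aud: str = audience, kid: str = "key-1") -> str:
        return jwt.encode(claims(exp, aud), priv, algorithm="RS256", headers={"kid": kid})

    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    # alg=none forgery: valid-looking claims, empty signature, header asks verifier to skip checks.
    none_tok = ".".join([b64(json.dumps({"alg": "none", "kid": "key-1"}).encode()),
                         b64(json.dumps(claims(now + 300)).encode()), ""])
    run = lambda h, c: authenticate(h, c, settings, cache, sessions)
    out = {
        "bearer_ok": run({"authorization": f"Bearer {mint(now + 300)}"}, {}),
        "expired_falls_back": run({"authorization": f"Bearer {mint(now - 60)}"}, {"session": "s3ss10n"}),
        "expired_no_cookie": run({"authorization": f"Bearer {mint(now - 60)}"}, {}),
        "wrong_aud": run({"authorization": f"Bearer {mint(now + 300, aud='https://other.example.com')}"}, {}),
        "unknown_kid": run({"authorization": f"Bearer {mint(now + 300, kid='key-9')}"}, {}),
        "alg_none": run({"authorization": f"Bearer {none_tok}"}, {}),
        "jwt_disabled": authenticate({"authorization": f"Bearer {mint(now + 300)}"}, {},
                                     AuthSettings(jwt_enabled=False), cache, sessions),
        "jwks_fetches": cache.fetch_count,   # 1 initial + 1 forced by the unknown kid
    }
    cache.clock = lambda: time.time() + 2 * cache.ttl   # push the cache past its TTL
    run({"authorization": f"Bearer {mint(now + 300)}"}, {})
    out["jwks_fetches_after_ttl"] = cache.fetch_count
    return out
```

One consequence of the fallback the PR describes, visible in the `expired_falls_back` case: a rejected Bearer token is indistinguishable, from the caller's point of view, from no token at all, because the request may still succeed through the cookie. Log the rejection reason (`ExpiredSignatureError`, `InvalidAudienceError`, unknown `kid`) at the point `verify_bearer` returns `None`, otherwise a misconfigured audience or a stale JWKS cache will look like working cookie auth in tests.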

@arne-aignx arne-aignx requested a review from a team as a code owner May 27, 2026 15:03

codecov Bot commented May 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Files with missing lines Coverage Δ
src/aignostics_foundry_core/api/auth.py 100.00% <100.00%> (ø)

Extends api.auth to accept Auth0 JWT Bearer tokens alongside existing
cookie-based sessions. Bearer auth is opt-in via AUTH_JWT_ENABLED and
AUTH_JWT_AUDIENCE; each require_* dependency tries Bearer first, then
falls back to cookie. Adds JWKS fetching with per-domain TTL cache.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
