Open
Contributor
Pull request overview
This PR updates the chat app’s authentication flow to support programmatic access via Authorization: Bearer <token> while keeping existing session-based SSO behavior, and fixes a response payload attribute reference.
Changes:
- Added Bearer token authentication that decodes JWT claims, derives roles, and populates the Flask session (including user upsert into `users`).
- Updated auth decorators to return JSON 401 for `/api/` routes instead of redirecting to `/login`.
- Fixed `model_used` reporting by referencing `self.chat.current_model_used`.
Comment on lines
+2535
to
+2538
| claims = decode_jwt_claims(token_string) | ||
| if not claims: | ||
| return False | ||
|
|
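Review bot: The falsy check on `claims` treats a decode failure and an empty claim set the same way and returns False silently, yet these claims go on to derive roles (per the PR description); confirm that `decode_jwt_claims` verifies the signature, issuer, audience and `exp` rather than only parsing the payload, and consider logging the rejected token the same way the decorator logs failed web authentication (`method='web', details=f"path={request.path}, method={request.method}"`) so failed bearer attempts are auditable.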
Comment on lines
+2569
to
+2577
| # Populate the session so all downstream code works unchanged | ||
| self._set_user_session( | ||
| email=email, | ||
| name=name, | ||
| username=username, | ||
| user_id=user_id, | ||
| auth_method='bearer', | ||
| roles=user_roles | ||
| ) |
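Review bot: Writing a server-side session on a bearer-authenticated request means a token presented once yields a session cookie that keeps authenticating later requests without the token, and the token's expiry is not carried over; either skip session persistence when `auth_method='bearer'` (authenticate per request) or bind the session lifetime to the token's `exp` claim and keep the session non-permanent. Also worth a comment here: `roles=user_roles` is derived from token claims, so a role change at the identity provider is not reflected until the session is rebuilt.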
Comment on lines
2608
to
+2629
| @@ -2542,16 +2617,18 @@ def decorated_function(*args, **kwargs): | |||
| method='web', | |||
| details=f"path={request.path}, method={request.method}" | |||
| ) | |||
| # For API requests return 401 instead of redirect | |||
| if request.path.startswith('/api/'): | |||
| return jsonify({'error': 'Unauthorized', 'message': 'Authentication required'}), 401 | |||
| # Redirect to login page which will trigger SSO | |||
| return redirect(url_for('login')) | |||
|
|
|||
| # Return 401 Unauthorized response for API requests | |||
| return jsonify({'error': 'Unauthorized', 'message': 'Authentication required'}), 401 | |||
| if request.path.startswith('/api/'): | |||
| return jsonify({'error': 'Unauthorized', 'message': 'Authentication required'}), 401 | |||
| else: | |||
| else: | |||
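Review bot: The 401 JSON response for `/api/` paths omits a `WWW-Authenticate: Bearer` header, which RFC 6750 requires on a 401 for bearer-protected resources; build the response and set it before returning (`resp = jsonify({'error': 'Unauthorized', 'message': 'Authentication required'})`, `resp.headers['WWW-Authenticate'] = 'Bearer'`, `return resp, 401`). The audit call just above also records `method='web'` regardless of whether the request carried an `Authorization` header, so failed bearer attempts on API routes are indistinguishable from web ones in the log. The duplicated `else:` and `return jsonify(...)` lines at the end of this region look like a side-by-side rendering artifact of the second decorator, but check that each decorator ends up with a single `if request.path.startswith('/api/')` branch followed by the redirect.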
Comment on lines
+2530
to
+2534
| auth_header = request.headers.get('Authorization', '') | ||
| if not auth_header.startswith('Bearer '): | ||
| return False | ||
|
|
||
| token_string = auth_header[7:] |
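Review bot: The scheme check `auth_header.startswith('Bearer ')` is case-sensitive, whereas RFC 7235 makes the scheme name case-insensitive (`bearer` is valid), and `auth_header[7:]` keeps any surrounding whitespace and accepts an empty token string. Parse it explicitly: `scheme, _, token_string = auth_header.partition(' ')`, then `if scheme.lower() != 'bearer' or not token_string.strip(): return False`, and pass `token_string.strip()` to `decode_jwt_claims`.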
Comment on lines
+2555
to
+2565
| # Upsert user into the users table so that conversation_metadata | ||
| # can reference user_id via the FK constraint. | ||
| if user_id: | ||
| try: | ||
| user_service = UserService(pg_config=self.pg_config) | ||
| user_service.get_or_create_user( | ||
| user_id=user_id, | ||
| auth_provider='sso', | ||
| display_name=name, | ||
| email=email, | ||
| ) |
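Review bot: The upsert is skipped when `user_id` is falsy, but the session is still populated afterwards with `user_id=user_id`, so the FK violation on `conversation_metadata` this PR sets out to prevent can still occur for a token that carries no usable id; return False (and do not set the session) when `user_id` is missing. Also, `auth_provider='sso'` is hard-coded on the bearer path while the session records `auth_method='bearer'`; if the bearer tokens are issued by the same SSO provider that is fine but deserves a comment, otherwise pass the provider derived from the token.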
Summary
- `Authorization: Bearer <token>` header
- `users` table on Bearer auth to prevent FK violations on `conversation_metadata`
- `AttributeError` on `current_model_used` by referencing `self.chat.current_model_used` instead of `self.current_model_used`
- `/api/` routes instead of redirecting to `/login`