mirror of
https://github.com/dograh-hq/dograh.git
synced 2026-07-07 11:02:12 +02:00
fix: gate OSS email/password auth endpoints outside local auth mode (#500)
* fix: gate OSS email/password auth endpoints outside local auth mode The /auth signup/login/me routes were mounted unconditionally, so the SaaS deployment accepted unauthenticated signups that created oss_* provider-id users (and auto-provisioned MPS service keys) bypassing Stack Auth entirely. Gate them with a router-level dependency that 404s when AUTH_PROVIDER is not "local", rather than conditionally mounting the router, so the OpenAPI spec and the clients generated from it stay identical across deployment modes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> * fix: keep current user route available in stack auth --------- Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
45afc47473
commit
4fb3193eb5
3 changed files with 91 additions and 3 deletions
|
|
@ -20,6 +20,19 @@ from api.services.posthog_client import (
|
|||
)
|
||||
from api.utils.auth import decode_jwt_token
|
||||
|
||||
|
||||
async def require_local_auth() -> None:
|
||||
"""Reject email/password auth requests outside OSS (local) deployments.
|
||||
|
||||
The auth router stays mounted in every mode so the OpenAPI spec — and the
|
||||
clients generated from it — don't vary with AUTH_PROVIDER; the gate has to
|
||||
happen at request time. Without it, the SaaS deployment accepts
|
||||
unauthenticated signups that mint oss_* users bypassing Stack Auth.
|
||||
"""
|
||||
if AUTH_PROVIDER != "local":
|
||||
raise HTTPException(status_code=404, detail="Not found")
|
||||
|
||||
|
||||
POSTHOG_ORGANIZATION_GROUP_TYPE = "organization"
|
||||
POSTHOG_ORGANIZATION_USES_MPS_BILLING_V2_PROPERTY = "uses_mps_billing_v2"
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue