fix: gate OSS email/password auth endpoints outside local auth mode (#500)

* fix: gate OSS email/password auth endpoints outside local auth mode

The /auth signup/login/me routes were mounted unconditionally, so the
SaaS deployment accepted unauthenticated signups that created oss_*
provider-id users (and auto-provisioned MPS service keys) bypassing
Stack Auth entirely.

Gate them with a router-level dependency that 404s when AUTH_PROVIDER
is not "local", rather than conditionally mounting the router, so the
OpenAPI spec and the clients generated from it stay identical across
deployment modes.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

* fix: keep current user route available in stack auth

---------

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Abhishek 2026-07-06 22:18:04 +05:30 committed by GitHub
parent 45afc47473
commit 4fb3193eb5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 91 additions and 3 deletions

View file

@ -0,0 +1,63 @@
from types import SimpleNamespace
from fastapi import FastAPI
from fastapi.testclient import TestClient
from api.routes.auth import router
from api.services.auth import depends as auth_depends
from api.services.auth.depends import get_user
def _make_test_app() -> FastAPI:
app = FastAPI()
app.include_router(router)
return app
def test_stack_mode_hides_email_password_auth_routes(monkeypatch):
monkeypatch.setattr(auth_depends, "AUTH_PROVIDER", "stack")
client = TestClient(_make_test_app())
signup_response = client.post(
"/auth/signup",
json={
"email": "user@example.com",
"password": "password123",
"name": "User",
},
)
login_response = client.post(
"/auth/login",
json={
"email": "user@example.com",
"password": "password123",
},
)
assert signup_response.status_code == 404
assert signup_response.json() == {"detail": "Not found"}
assert login_response.status_code == 404
assert login_response.json() == {"detail": "Not found"}
def test_stack_mode_keeps_current_user_route_available(monkeypatch):
monkeypatch.setattr(auth_depends, "AUTH_PROVIDER", "stack")
app = _make_test_app()
app.dependency_overrides[get_user] = lambda: SimpleNamespace(
id=7,
email="user@example.com",
selected_organization_id=42,
provider_id="stack-user-1",
)
client = TestClient(app)
response = client.get("/auth/me")
assert response.status_code == 200
assert response.json() == {
"id": 7,
"email": "user@example.com",
"name": None,
"organization_id": 42,
"provider_id": "stack-user-1",
}