Conversation

@rajithacharith
Contributor

Purpose

Update the authz_executor to support registration. In a registration flow inferred from the authentication flow, the flow fails with "user is not authenticated".

This fix resolves that issue.

#1075

Contributor

Copilot AI left a comment


Pull request overview

Updates the authorization executor so registration flows inferred from authentication flows don’t immediately fail with “User is not authenticated”.

Changes:

  • Bypasses the unauthenticated-user failure check when ctx.FlowType is REGISTRATION.
Comments suppressed due to low confidence (1)

backend/internal/flow/executor/authz_executor.go:79

  • In registration flows where requested_permissions is present (e.g., OAuth authorization request that triggers registration), this change skips the unauthenticated guard but still proceeds to call the authorization service with userID == "" and no groups. The role service rejects that with ErrorMissingUserOrGroups, which will still fail the flow (now with "Authorization validation failure"). Consider explicitly short-circuiting authorization for registration when the user is not authenticated (e.g., return ExecComplete with empty authorized_permissions), or only invoking the authz service once the user is authenticated in the flow.
	if ctx.FlowType != common.FlowTypeRegistration && !ctx.AuthenticatedUser.IsAuthenticated {
		execResp.Status = common.ExecFailure
		execResp.FailureReason = failureReasonUserNotAuthenticated
		return execResp, nil
	}
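To make the review comment concrete, here is an added example in Go (not the project's own code) that mirrors the guard with assumed stand-ins for the `common` package and `AuthorizationService`; the `shortCircuit` flag switches between the merged guard and the short-circuit the reviewer suggests.

```go
package main

import "errors"

// Stand-ins for the project's common package: the names mirror identifiers
// quoted in the review, but the shapes are assumptions, not the real types.
type AuthenticatedUser struct {
	IsAuthenticated bool
	UserID          string
	GroupIDs        []string
}
type ExecResponse struct {
	Status                string
	FailureReason         string
	AuthorizedPermissions []string
}

const (
	FlowTypeRegistration              = "REGISTRATION"
	ExecComplete                      = "COMPLETE"
	ExecFailure                       = "FAILURE"
	failureReasonUserNotAuthenticated = "User is not authenticated"
	failureReasonAuthzValidation      = "Authorization validation failure"
)

// authzService stubs AuthorizationService; as the review describes the real
// one, it rejects a request that names neither a user nor any groups.
func authzService(userID string, groupIDs, requested []string) ([]string, error) {
	if userID == "" && len(groupIDs) == 0 {
		return nil, errors.New("ErrorMissingUserOrGroups")
	}
	return requested, nil // toy policy: a known subject gets what it asked for
}

// Execute mirrors the PR's guard. With shortCircuit=false (the merged change) an
// unauthenticated registration flow requesting permissions reaches the service and
// fails; with shortCircuit=true (the review's suggestion) it completes with none.
func Execute(flow string, user AuthenticatedUser, requested []string, shortCircuit bool) ExecResponse {
	if flow != FlowTypeRegistration && !user.IsAuthenticated {
		return ExecResponse{Status: ExecFailure, FailureReason: failureReasonUserNotAuthenticated}
	}
	if len(requested) == 0 || (shortCircuit && !user.IsAuthenticated) {
		return ExecResponse{Status: ExecComplete} // nothing, or nobody, to authorize yet
	}
	perms, err := authzService(user.UserID, user.GroupIDs, requested)
	if err != nil { // ErrorMissingUserOrGroups surfaces as a validation failure
		return ExecResponse{Status: ExecFailure, FailureReason: failureReasonAuthzValidation}
	}
	return ExecResponse{Status: ExecComplete, AuthorizedPermissions: perms}
}
```

Run it with `go test` against a test that drives `Execute` with an unauthenticated user in both flow types; the merged variant still fails registration whenever `requested` is non-empty.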

@codecov

codecov bot commented Jan 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.00%. Comparing base (8f0614c) to head (4398c62).
⚠️ Report is 1 commits behind head on main.

❗ There is a different number of reports uploaded between BASE (8f0614c) and HEAD (4398c62). Click for more details.

HEAD has 2 uploads less than BASE
Flag BASE (8f0614c) HEAD (4398c62)
backend-integration-postgres 1 0
backend-integration-sqlite 1 0
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1145      +/-   ##
==========================================
- Coverage   89.39%   82.00%   -7.39%     
==========================================
  Files         555      555              
  Lines       37480    37480              
  Branches     1636     1636              
==========================================
- Hits        33504    30736    -2768     
- Misses       2331     5390    +3059     
+ Partials     1645     1354     -291     
Flag Coverage Δ
backend-integration-postgres ?
backend-integration-sqlite ?
backend-unit 79.93% <100.00%> (ø)
frontend-apps-develop-unit 89.99% <ø> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

backend/internal/flow/executor/authz_executor.go:79

  • Registration flows bypass the unauthenticated check, but the executor can still call AuthorizationService with an empty UserID and empty GroupIDs if requested_permissions is present. The authz service/engine path treats “missing both user and groups” as an error (see internal/authz/service_test.go), which would still make registration fail. Consider explicitly skipping authorization evaluation for unauthenticated registration flows (e.g., immediately return ExecComplete with empty authorized permissions), or gate the service call on having a non-empty userID or at least one groupID.
	if ctx.FlowType != common.FlowTypeRegistration && !ctx.AuthenticatedUser.IsAuthenticated {
		execResp.Status = common.ExecFailure
		execResp.FailureReason = failureReasonUserNotAuthenticated
		return execResp, nil
	}

}

if !ctx.AuthenticatedUser.IsAuthenticated {
if ctx.FlowType != common.FlowTypeRegistration && !ctx.AuthenticatedUser.IsAuthenticated {
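Review bot: the new condition on the changed line only exempts registration flows from the `failureReasonUserNotAuthenticated` return; execution then continues with `ctx.AuthenticatedUser.IsAuthenticated` still false, so any later step in the executor that needs a user or group identity runs with empty values. If there is nobody to authorize yet in a registration flow, return `execResp` with `common.ExecComplete` at this point instead of falling through, or gate the later authorization call on an authenticated user.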
Contributor


Is it expected to execute rest of the logic of authz executor for registration flows? Or should we simply check if it is registration flow, and return complete status?
