update to fully disable auth #10

Closed
wants to merge 2 commits into from
Conversation

cholmes
Member

@cholmes cholmes commented May 23, 2025

Hey, not sure if this is the right approach, it's just what cursor gave to me. But if I just set the config.yaml file to 'auth_disabled: true' then it still was requiring auth. The readme said you can disable authentication by editing the app/core/auth.py, but I wasn't sure what to do to disable there. So perhaps this just could be a readme fix to explain how to disable the authentication there. But this seemed to work, and uses the config yaml file to disable it.

@cholmes cholmes requested a review from Copilot May 23, 2025 22:13

@Copilot Copilot AI left a comment

Pull Request Overview

This PR updates the authentication mechanism to allow for disabling auth via the config.yaml file. The changes include:

  • Modifying the security scheme initialization to conditionally disable auto error handling based on configuration.
  • Adjusting the verify_auth dependency to manually raise an error when credentials are absent and auth is enabled.

# Create two security schemes:
# 1. When auth is enabled: Required bearer token
# 2. When auth is disabled: Optional bearer token
security = HTTPBearer(auto_error=not get_settings().auth_disabled)

Copilot AI May 23, 2025

Initializing the HTTPBearer instance at module import using get_settings() may capture stale configuration if the settings are updated at runtime. Consider instantiating HTTPBearer within a dependency function or another runtime context to ensure it uses the latest configuration.

Suggested change
security = HTTPBearer(auto_error=not get_settings().auth_disabled)
def get_security() -> HTTPBearer:
    """
    Dynamically create an HTTPBearer instance based on the current configuration.
    """
    return HTTPBearer(auto_error=not get_settings().auth_disabled)
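Review bot: the suggestion replaces the module-level `security` object with a `get_security()` factory but shows no matching change on the consumer side; the `verify_auth` dependency named in the overview still has to obtain its scheme through that factory (for example by calling `get_security()` inside a dependency that is itself resolved per request) rather than through a `security` name bound at import time, otherwise the stale-configuration problem described above is only moved, not removed. It would also help to state whether `get_settings()` is cached, since a cached settings object would make the runtime-update concern moot.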

@m-mohr
Collaborator

m-mohr commented May 26, 2025

Oh, I didn't see this before I started fixing it myself today.
The way it works now is that it doesn't disable auth, but accepts a dummy Bearer token, which for example could be:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJndWVzdCIsIm5hbWUiOiJHdWVzdCIsImlhdCI6MTc0ODIxNzYwMCwiZXhwaXJlcyI6OTk5OTk5OTk5OX0.lJIkuuSdE7ihufZwWtLx10D_93ygWUcUrtKhvlh6M8k
The important part is that the sub in the JWT is set to "guest".

@m-mohr m-mohr closed this May 26, 2025
@cholmes
Member Author

cholmes commented May 27, 2025

Ok cool, will try it out.

@cholmes
Member Author

cholmes commented May 27, 2025

Ok, didn't get so far.

The important part is that the sub in the JWT is set to "guest".

What does this mean? Sorry for the complete naivety, I've not worked with JWTs much at all, and have always struggled to get bearer tokens to work.

I tried setting auth_disabled: true and changing secret_key to be the long string in the comment. And then I tried:

% http GET http://0.0.0.0:8000/projects --auth-type bearer --auth eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJndWVzdCIsIm5hbWUiOiJHdWVzdCIsImlhdCI6MTc0ODIxNzYwMCwiZXhwaXJlcyI6OTk5OTk5OTk5OX0.lJIkuuSdE7ihufZwWtLx10D_93ygWUcUrtKhvlh6M8k

HTTP/1.1 401 Unauthorized
content-length: 47
content-type: application/json
date: Tue, 27 May 2025 03:36:32 GMT
server: uvicorn
www-authenticate: Bearer

{
    "detail": "Invalid authentication credentials"
}

And I'm also not sure what I do if authorization is not disabled? Like where am I supposed to get the token to then make the subsequent requests?

thanks!

@m-mohr
Collaborator

m-mohr commented May 27, 2025

I guess I should add more documentation around this.

For your attempt, you were not meant to change secret_key. Keep it as is and just use the long cryptic string as the Bearer token. That should work.

"Authentication enabled" pretty much doesn't work right now as we haven't decided on an auth mechanism yet, so there's no endpoint for it yet. We could use OIDC or a custom HTTP Basic based implementation...
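As an added example (not code from the project or from either commenter), here is a stdlib-only Python model of the server-side check that the guest-token arrangement described above implies: it decodes the quoted token's claims for inspection, and accepts a bearer token only when its HS256 signature verifies against the server's own secret_key (the thread's point that secret_key must be kept, not replaced by the token), it is unexpired, and a "guest" subject is honoured only while auth_disabled is set. The verification rules, the secret value and the tokens minted for the checks are assumptions; the project's real auth.py is not shown on this page.

```python
import base64, hashlib, hmac, json, time

# The dummy guest token quoted in the thread above; its payload can be read
# offline, but only a server holding the real secret_key can check its signature.
GUEST_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
               "eyJzdWIiOiJndWVzdCIsIm5hbWUiOiJHdWVzdCIsImlhdCI6MTc0ODIxNzYwMCwiZXhwaXJlcyI6OTk5OTk5OTk5OX0."
               "lJIkuuSdE7ihufZwWtLx10D_93ygWUcUrtKhvlh6M8k")

def _b64url_decode(part: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Return the claims WITHOUT verifying the signature (inspection only)."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def sign_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here only to build tokens for the checks below."""
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(claims)
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)

def verify_bearer(token: str, secret: str, auth_disabled: bool, now=None):
    """Return the subject the server should accept, or None. Assumed rules: HS256
    only, signature checked with the server's own secret_key, not expired, and the
    'guest' subject honoured only while auth_disabled is set in config.yaml."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = (json.loads(_b64url_decode(p)) for p in (head_b64, body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        return None  # reject 'none' and any algorithm the server did not configure
    expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # wrong secret_key, e.g. the token itself pasted in as the secret
    now = int(time.time()) if now is None else now
    exp = claims.get("exp", claims.get("expires"))  # the quoted token uses 'expires'
    if exp is not None and now >= int(exp):
        return None
    sub = claims.get("sub")
    if sub == "guest" and not auth_disabled:
        return None  # guest access is only an auth-disabled convenience
    return sub
```

Decoding GUEST_TOKEN shows the claims m-mohr refers to (sub "guest", plus a far-future expires value); the attempt in the thread of setting secret_key to the token itself fails the signature check, which is why the token must be sent as the Bearer credential while secret_key stays unchanged.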
