fix: skip inline auth check in GetTenantProvisioningStatus when no claims present (#1297)

GetTenantProvisioningStatus had an inline auth check that returned
codes.Unauthenticated when no claims existed in context. In the unified
binary (dev/CI mode) without auth middleware, claims are never present,
so this endpoint always returned Unauthenticated. The frontend's global
401 handler (added in #1280) caught this and called logout(), redirecting
all tenant detail page E2E tests to the login screen.

The fix skips the authorization check when no claims are in context,
consistent with other tenant endpoints like RetrieveTenant. Auth
enforcement is handled by middleware when configured.

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

services/tenant/service/grpc_service.go

@@ -583,31 +583,30 @@ func (s *Service) GetTenantProvisioningStatus(ctx context.Context, req *pb.GetTe
 	s.logger.Debug("getting tenant provisioning status",
 		"tenant_id", req.TenantId)
 
-	// Authorization check - must be performed before any business logic.
+	// Authorization check - when auth middleware is configured, enforce tenant isolation.
+	// When no claims are present (e.g., unified binary without auth middleware), skip
+	// authorization consistent with other tenant endpoints like RetrieveTenant.
 	claims, ok := auth.GetClaimsFromContext(ctx)
-	if !ok {
-		s.logger.Warn("provisioning status query attempted without authentication claims")
-		return nil, status.Error(codes.Unauthenticated, "authentication required")
-	}
-
-	// Check authorization: either tenant-scoped access OR platform admin role
-	hasAdminRole := claims.HasRole(auth.RolePlatformAdmin) || claims.HasRole(auth.RoleSuperAdmin)
-	hasTenantAccess := claims.HasTenantID() && claims.TenantID == req.TenantId
+	if ok {
+		// Check authorization: either tenant-scoped access OR platform admin role
+		hasAdminRole := claims.HasRole(auth.RolePlatformAdmin) || claims.HasRole(auth.RoleSuperAdmin)
+		hasTenantAccess := claims.HasTenantID() && claims.TenantID == req.TenantId
+
+		if !hasAdminRole && !hasTenantAccess {
+			s.logger.Warn("unauthorized provisioning status query attempt",
+				"user_id", claims.UserID,
+				"requested_tenant", req.TenantId,
+				"user_tenant", claims.TenantID,
+				"roles", claims.Roles)
+			return nil, status.Error(codes.PermissionDenied, "access denied: must be tenant owner or platform administrator")
+		}
 
-	if !hasAdminRole && !hasTenantAccess {
-		s.logger.Warn("unauthorized provisioning status query attempt",
+		s.logger.Debug("provisioning status query authorized",
 			"user_id", claims.UserID,
-			"requested_tenant", req.TenantId,
-			"user_tenant", claims.TenantID,
-			"roles", claims.Roles)
-		return nil, status.Error(codes.PermissionDenied, "access denied: must be tenant owner or platform administrator")
+			"tenant_id", req.TenantId,
+			"admin_access", hasAdminRole)
 	}
 
-	s.logger.Debug("provisioning status query authorized",
-		"user_id", claims.UserID,
-		"tenant_id", req.TenantId,
-		"admin_access", hasAdminRole)
-
 	// Validate tenant ID
 	tenantID, err := tenant.NewTenantID(req.TenantId)
 	if err != nil {

services/tenant/service/grpc_service_test.go

@@ -1560,20 +1560,20 @@ func TestGetTenantProvisioningStatus_MissingClaims(t *testing.T) {
 	svc, _, cleanup := setupTest(t)
 	defer cleanup()
 
-	// Context without claims
+	// Context without claims - should skip authorization (consistent with
+	// other tenant endpoints when running without auth middleware).
 	ctx := context.Background()
 
-	// Execute
+	// Execute - request proceeds without auth, but tenant doesn't exist
 	resp, err := svc.GetTenantProvisioningStatus(ctx, &pb.GetTenantProvisioningStatusRequest{
 		TenantId: "test_tenant",
 	})
 
-	// Assert
+	// Assert - should get NotFound (not Unauthenticated) since auth is skipped
 	require.Error(t, err)
 	st, ok := status.FromError(err)
 	require.True(t, ok, "error should be a gRPC status")
-	assert.Equal(t, codes.Unauthenticated, st.Code())
-	assert.Contains(t, st.Message(), "authentication required")
+	assert.Equal(t, codes.NotFound, st.Code())
 	assert.Nil(t, resp)
 }