Skip to content

fix: guard user dict access when auth dependency returns True#743

Merged
jeremyzilar merged 5 commits into
stagingfrom
fix/bdms-932-bool-user-auth-guard
Jun 30, 2026
Merged

fix: guard user dict access when auth dependency returns True#743
jeremyzilar merged 5 commits into
stagingfrom
fix/bdms-932-bool-user-auth-guard

Conversation

@jeremyzilar

Copy link
Copy Markdown
Contributor

Summary

  • Fixes a crash in crud_helper.py and observation_helper.py where user["sub"] was called on a boolean True value, raising a TypeError
  • Adds a regression test to lock in the fix

Background

When running locally with AUTHENTIK_DISABLE_AUTHENTICATION=1, the auth dependency returns True instead of a claims dict like {"name": ..., "sub": ...}. The existing if user: guard passed for True, and the code then tried to subscript it (user["sub"]), which raised a TypeError.

Because this error happened after FastAPI had already started building the response, it bypassed the exception handlers entirely and Uvicorn returned a raw 500 with no CORS headers. This meant the frontend saw a CORS error rather than a real API error, making it very hard to debug.

Changes

  • services/crud_helper.py: Changed if user: to if isinstance(user, dict): in model_adder, model_patcher, and the notify_edit_event block
  • services/observation_helper.py: Same fix in observation_model_patcher
  • tests/test_contact.py: Regression test that overrides the auth dependency with True (matching what local dev does) and confirms PATCH /contact/:id returns 200

Test plan

  • Run pytest tests/test_contact.py and confirm the new test passes
  • Confirm existing contact tests still pass

When AUTHENTIK_DISABLE_AUTHENTICATION=1 the auth dependency returns True
instead of a claims dict. The previous `if user:` check passed for True,
then user["sub"] raised TypeError, which bypassed FastAPI error handling
and produced a raw 500 with no CORS headers. Changed to isinstance(user, dict)
in model_adder and model_patcher so the audit fields are only written when
a real claims dict is present.
Same isinstance(user, dict) fix applied to observation_model_patcher to
prevent TypeError when the auth dependency yields True in local dev.
Confirms the isinstance guard holds: when the auth dependency returns True
(as it does locally with AUTHENTIK_DISABLE_AUTHENTICATION=1), PATCH /contact
still returns 200 instead of a raw 500.
The Cypress CI runner calls python -m transfers.seed on each run. Without
skip_if_exists, seed_all tries to insert contacts even when they already
exist from a prior run, hitting the unique constraint on (name, organization)
and crashing. The guard was already implemented in seed_all but not used
at the call site.
@jeremyzilar jeremyzilar changed the title Fix TypeError crash when auth dependency returns True in local dev fix: guard user dict access when auth dependency returns True Jun 30, 2026

@chasetmartin chasetmartin left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks ok to me, just two spots in the crud_helper.py file where the same fix could be useful.

Comment thread services/crud_helper.py Outdated

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably worth updating the other if user instances in this file.

Comment thread services/crud_helper.py Outdated

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and here?

Same fix as model_patcher: the remaining `if user:` and
`if user and resource_type:` checks in model_adder and model_deleter
also pass for a boolean True, which would cause a TypeError if
notify_edit_event were ever reached. Consistent with the fix already
applied to model_patcher and observation_model_patcher.
@jeremyzilar jeremyzilar merged commit 1b0dccd into staging Jun 30, 2026
9 checks passed
@jeremyzilar jeremyzilar deleted the fix/bdms-932-bool-user-auth-guard branch June 30, 2026 21:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants