fix: require auth for next-task endpoint

[joryirving]

Closes #410

[its-saffron]

AI Automated Review

Full PR review.

Analysis engine: MiniMax-M2.7@https://litellm.jory.dev/v1 (anthropic) — routed smart (risk match: public_route_changes)

PR Review: PR 427 — fix: require auth for next-task endpoint

Summary

This PR closes a P1 security finding from the weekly tech debt audit by adding authorizeRequest authentication to the GET /api/agents/[agentName]/next-task endpoint, which was previously unauthenticated.

Change-by-Change Findings

src/app/api/agents/[agentName]/next-task/route.ts (+6 lines)

• Imports authorizeRequest from @/lib/auth
• Adds an explicit auth guard at the top of the GET handler: returns 401 Unauthorized when authorizeRequest(request).authorized is false
• The check executes before any database queries, ensuring no data is exposed to unauthenticated callers

src/app/api/agents/[agentName]/next-task/route.test.ts (+165 / -54 lines)

• Mocks auth helpers (isAuthorizedAgentToken, isAuthorizedBearerToken, getAcceptedAgentTokens, resetAuthCaches) to isolate auth logic
• Introduces a request() helper that includes the Bearer token by default and allows includeAuth=false to simulate unauthenticated calls
• Adds a new describe("auth", ...) block with five test cases:
  1. Returns 401 when no Authorization header is provided
  2. Returns 401 when the Bearer token is incorrect
  3. Returns 200 with valid Bearer token for normal worker (lane=normal)
  4. Returns 200 with valid Bearer token for groom mode (mode=groom)
  5. Confirms unauthorized requests short-circuit before calling issueFindMany, prFixFindMany, or findLeasedIssueIds

Required Check Results

1. Verify route access controls are in place ✅ VERIFIED

   • The route now calls authorizeRequest(request) and returns 401 on failure
   • authorizeRequest from src/lib/auth.ts supports multiple auth modes: Basic Auth, Bearer token (via DISPATCH_AGENT_TOKEN), and OIDC sessions — consistent with the AGENTS.md contract for agent API authentication
   • Auth guard executes before any database reads, so no data leakage is possible

2. Check for unintended public endpoints ✅ VERIFIED

   • Only the next-task endpoint is modified; no other routes are changed
   • No endpoint was made public — auth was added, not removed
   • The PR title and linked issue both confirm the intent: closing a public-endpoint vulnerability, not introducing one

Linked Issue Fit

Issue PR 410 specified: "Add authorizeRequest (Bearer or basic) to GET /api/agents/[agentName]/next-task" — this PR delivers exactly that. The issue also flagged that agent queue/lease identifiers were exposed without auth; the test confirms unauthorized requests are rejected before any such data is queried.

Standards Compliance

• AGENTS.md documents that agent API routes accept DISPATCH_AGENT_TOKEN bearer auth — this implementation is consistent
• No agent-specific names in generic docs: not applicable to this change
• API routes return appropriate HTTP status codes: 401 returned on unauthorized access
• Error handling uses NextResponse.json with an error body — consistent with codebase patterns
• All existing tests were updated to include auth headers; new auth tests cover 401 and 200 cases

CI / Tests

CI completed successfully (Docker Build: success, Validate: success). The test suite now explicitly covers:

• Missing auth → 401
• Wrong token → 401
• Valid token → 200 (normal and groom modes)
• Auth failure short-circuits before any expensive DB queries

Recommendation

Approve. The PR correctly closes the P1 audit finding by adding bearer token authentication to the next-task endpoint. Auth is enforced before any data access, test coverage is thorough, and no unintended public endpoints were introduced.