PPLX-49
Created: 2025-12-21 · Updated: 2025-12-21
Comments (2)
code-verification-qa · 2025-12-21
[QA] Verification PASSED
## Summary
All authentication middleware functionality verified and working correctly.
## Test Results
✅ All 319 automated tests passed
✅ Manual browser testing with chrome-devtools confirmed:
  - Protected routes return 401 without token
  - Protected routes succeed with valid JWT
  - Invalid tokens rejected with 401
  - Excluded paths (/health, /api/health, /auth/*) accessible without auth
  - request.state.user properly set for authenticated requests
## Code Quality
✅ Well-structured with clear separation of concerns
✅ Comprehensive error handling
✅ Proper security practices (JWT verification, no sensitive data in errors)
✅ Good test coverage (31 new tests for auth middleware)
✅ All existing tests updated to use authentication
## Evidence
Full QA report: /tmp/qa-PPLX-49.md
Commit tested: e553c9a
**Status**: VERIFIED - Ready for production
agent · 2025-12-21
## Implementation Complete
### Changes Made
1. **Created auth middleware** (backend/middleware/auth_middleware.py:1-108):
   - verify_token() function to decode and validate JWT tokens
   - is_excluded_path() function to check if path is excluded from auth
   - AuthMiddleware class that integrates with FastAPI middleware stack
   - Excluded paths: /auth/* (prefix), /health, /api/health (exact)
   - Returns 401 for missing/invalid/expired tokens
   - Sets request.state.user with decoded token payload
2. **Registered middleware in main.py** (backend/main.py:36,459-460):
   - Added AuthMiddleware import
   - Registered in correct order: RequestID -> Auth -> Logging -> CORS
   - Updated middleware comments to reflect new order
3. **Added PyJWT dependency** (backend/requirements.txt:13)
4. **Created test utilities** (backend/tests/conftest.py):
   - create_valid_token() helper for generating test tokens
   - AuthenticatedTestClient wrapper that auto-adds auth cookies
5. **Updated existing tests** to use authentication
6. **Created comprehensive test suite** (backend/tests/test_auth_middleware.py):
   - 31 tests covering all acceptance criteria
### Verification
- All 319 tests passing
- Auth middleware properly blocks unauthenticated requests with 401
- Health and auth endpoints accessible without authentication
- Valid JWT tokens allow access to protected routes
- request.state.user available in route handlers
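The middleware the comment above describes, as an added example that is not the project's code (backend/middleware/auth_middleware.py is not reproduced here): a pure-ASGI AuthMiddleware with the same is_excluded_path()/verify_token() split, the same single 401 for missing, invalid and expired tokens, and the decoded payload placed in the scope slot that FastAPI exposes as request.state.user. Assumptions: HS256 tokens; a stdlib HMAC verifier standing in for PyJWT so the block runs with no dependencies; the token carried either as a Bearer header or in a cookie whose name (access_token) is invented here; an in-process ASGI driver (call) in place of the real test client; and a create_token() helper playing the role of the conftest create_valid_token().

```python
import asyncio, base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

def is_excluded_path(path):
    """Exclusion rules from the issue: /auth/* by prefix; /health and /api/health exact."""
    return path in ("/health", "/api/health") or path.startswith("/auth/")

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_token(payload, secret):
    """Mint an HS256 JWT; plays the role of the conftest create_valid_token() helper."""
    segs = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
            for p in ({"alg": "HS256", "typ": "JWT"}, payload)]
    sig = hmac.new(secret.encode(), ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [_b64url_encode(sig)])

class InvalidToken(Exception):
    """Malformed, tampered, wrongly signed or expired token."""

def verify_token(token, secret, now=None):
    """Decode and validate a JWT; stdlib stand-in for PyJWT's jwt.decode()."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header, payload = (json.loads(_b64url_decode(s)) for s in (header_b64, body_b64))
        expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256)
        signed = hmac.compare_digest(expected.digest(), _b64url_decode(sig_b64))
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON or UTF-8
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin alg server-side
        raise InvalidToken("unexpected alg")
    if not signed:
        raise InvalidToken("bad signature")
    exp = payload.get("exp", float("inf")) if isinstance(payload, dict) else None
    if not isinstance(exp, (int, float)) or (time.time() if now is None else now) >= exp:
        raise InvalidToken("expired or malformed claims")
    return payload

class AuthMiddleware:
    """Pure-ASGI form of the issue's middleware: answers 401 itself for protected paths and
    stores the payload in scope["state"]["user"], which FastAPI exposes as request.state.user."""
    def __init__(self, app, secret, cookie_name="access_token"):  # cookie name is assumed
        self.app, self.secret, self.cookie_name = app, secret, cookie_name

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or is_excluded_path(scope["path"]):
            return await self.app(scope, receive, send)
        headers = dict(scope.get("headers", []))
        auth = headers.get(b"authorization", b"").decode("latin-1")
        jar = SimpleCookie(headers.get(b"cookie", b"").decode("latin-1"))
        # Accept `Authorization: Bearer <jwt>` or the auth cookie the test client sets.
        token = (auth[7:].strip() if auth[:7].lower() == "bearer " else
                 jar[self.cookie_name].value if self.cookie_name in jar else None)
        try:
            if not token:
                raise InvalidToken("missing token")
            scope.setdefault("state", {})["user"] = verify_token(token, self.secret)
        except InvalidToken:
            # One generic 401 for missing/invalid/expired; the reason belongs in logs, not replies.
            await send({"type": "http.response.start", "status": 401, "headers": [
                (b"content-type", b"application/json"), (b"www-authenticate", b"Bearer")]})
            return await send({"type": "http.response.body", "body": b'{"detail":"Not authenticated"}'})
        return await self.app(scope, receive, send)

async def echo_user_app(scope, receive, send):
    # Stand-in protected route: echoes whatever the middleware put in request.state.user.
    body = json.dumps({"user": scope.get("state", {}).get("user")}).encode()
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": body})

def call(app, path, headers=()):
    """Drive an ASGI app for one GET in-process; returns (status, parsed JSON body)."""
    async def _run():
        sent = []
        async def send(message):
            sent.append(message)
        await app({"type": "http", "method": "GET", "path": path, "headers": list(headers)},
                  None, send)  # receive is never invoked for a body-less GET here
        body = b"".join(m.get("body", b"") for m in sent if m["type"] == "http.response.body")
        return sent[0]["status"], json.loads(body)
    return asyncio.run(_run())

SECRET = "constructed-test-secret"  # constructed; a real service loads this from config
app = AuthMiddleware(echo_user_app, SECRET)

def demo():
    good = create_token({"sub": "alice", "exp": int(time.time()) + 3600}, SECRET)
    expired = create_token({"sub": "alice", "exp": int(time.time()) - 60}, SECRET)
    forged = create_token({"sub": "mallory", "exp": int(time.time()) + 3600}, "wrong-secret")
    bearer = lambda t: [(b"authorization", b"Bearer " + t.encode())]
    return {
        "no_token": call(app, "/api/items")[0],
        "valid_bearer": call(app, "/api/items", bearer(good)),
        "valid_cookie": call(app, "/api/items", [(b"cookie", f"access_token={good}".encode())]),
        "expired": call(app, "/api/items", bearer(expired))[0],
        "forged": call(app, "/api/items", bearer(forged))[0],
        "garbage": call(app, "/api/items", bearer("not.a.jwt"))[0],
        "health": call(app, "/health")[0],
        "auth_login": call(app, "/auth/login")[0],
    }
```

demo() runs the scenarios listed under Verification and returns one status (or status plus body) per case: the excluded paths pass through with no token, a valid token reaches the route with its payload visible as the user, and the missing, expired, forged and malformed cases all get the same generic 401 body, which is what the QA comment's "no sensitive data in errors" point amounts to in practice. The algorithm is pinned to HS256 on the server side rather than read from the token header, the check PyJWT performs through its algorithms argument. Because the class takes the inner app as its first constructor argument, it follows the convention Starlette's add_middleware relies on.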