Wire JWT middleware to all FastAPI routes #4

Open
opened 2026-04-20 09:34:08 +00:00 by sharang · 0 comments

Problem

auth/keycloak_auth.py implements Keycloak JWT validation but it is not wired to any route in backend-compliance/compliance/api/. Every endpoint is currently publicly callable without a Bearer token.

Grep confirms: zero uses of Depends(get_current_user) or @require_auth across all API route files.

Required Actions

  1. Create a FastAPI dependency get_current_user in compliance/api/dependencies.py that validates the Bearer token against Keycloak's JWKS endpoint
  2. Add current_user: User = Depends(get_current_user) to every router that is not intentionally public
  3. Public exceptions (health checks, OpenAPI schema) must be explicitly listed
  4. Return 401 for missing/invalid tokens, 403 for a valid token with insufficient scope

Files to Change

  • compliance/api/dependencies.py (create)
  • Every router file under compliance/api/ (~20 files)
  • main.py — add global exception handler for auth errors

Acceptance Criteria

  • curl -X GET https://api-dev.breakpilot.ai/api/v1/compliance/controls returns 401
  • Authenticated requests with valid Keycloak token succeed
  • CI test added: test_all_routes_require_auth
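A framework-free sketch of the dependency, the 401/403 split and the route-coverage check described above, added here as an example (not code from the repository or the issue author). The real JWKS verification is assumed to be PyJWT (named only in a comment); `fake_verify`, `PUBLIC_PATHS` and the route table in the test are constructed stand-ins, and `handle` models a request passing through the dependency plus the global exception handler.

```python
from __future__ import annotations
from typing import Callable, NamedTuple, Optional

# Intentionally public routes must be listed explicitly (paths are assumed).
PUBLIC_PATHS = frozenset({"/health", "/openapi.json"})

class AuthError(Exception):
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status  # the global handler in main.py maps this to the response

class User(NamedTuple):
    sub: str
    scopes: frozenset

# verify(token) returns validated claims or raises. In production this wraps PyJWT:
# key = PyJWKClient(jwks_url).get_signing_key_from_jwt(tok).key, then
# jwt.decode(tok, key, algorithms=["RS256"], audience=..., issuer=...).
Verifier = Callable[[str], dict]

def get_current_user(authorization: Optional[str], verify: Verifier) -> User:
    """Parse 'Authorization: Bearer <jwt>' and validate it; any failure is a 401."""
    if not authorization or not authorization.startswith("Bearer "):
        raise AuthError(401, "missing bearer token")
    try:
        claims = verify(authorization[len("Bearer "):].strip())
    except Exception:
        raise AuthError(401, "invalid token") from None  # do not echo the reason
    return User(claims["sub"], frozenset(claims.get("scope", "").split()))

def require_scope(user: User, scope: str) -> User:
    """Valid identity but insufficient rights is a 403, never a 401."""
    if scope not in user.scopes:
        raise AuthError(403, f"scope '{scope}' required")
    return user

def handle(authorization: Optional[str], scope: str, verify: Verifier) -> int:
    """One request through the dependency plus the global AuthError handler."""
    try:
        require_scope(get_current_user(authorization, verify), scope)
    except AuthError as e:
        return e.status
    return 200

def routes_missing_auth(routes: dict[str, set[str]]) -> list[str]:
    """Behind test_all_routes_require_auth: non-public paths lacking the dependency.
    `routes` maps path -> dependency names (stand-in for iterating app.routes)."""
    return sorted(p for p, d in routes.items() if p not in PUBLIC_PATHS and "get_current_user" not in d)

def fake_verify(token: str) -> dict:
    """Constructed stand-in for the Keycloak verifier (offline demo only)."""
    if token == "good-token":
        return {"sub": "alice", "scope": "controls:read"}
    raise ValueError("bad signature")
```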
sharang added this to the M1: Security Foundation milestone 2026-04-20 09:34:08 +00:00
sharang added the severity: high, security labels 2026-04-20 09:34:08 +00:00