Make Keycloak authentication optional for local development

When KEYCLOAK_URL is not set, the dashboard runs without auth, treating all users as authenticated "Local User". Auth middleware and check-auth endpoint gracefully skip when Keycloak is unconfigured. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 14:32:29 +01:00
parent 94552d1626
commit b8b0f13d8d
6 changed files with 56 additions and 23 deletions
--- a/compliance-dashboard/src/infrastructure/auth_middleware.rs
+++ b/compliance-dashboard/src/infrastructure/auth_middleware.rs
@@ -2,18 +2,30 @@ use axum::{
    extract::Request,
    middleware::Next,
    response::{IntoResponse, Response},
+    Extension,
 };
 use reqwest::StatusCode;
 use tower_sessions::Session;

 use super::auth::LOGGED_IN_USER_SESS_KEY;
+use super::server_state::ServerState;
 use super::user_state::UserStateInner;

 const PUBLIC_API_ENDPOINTS: &[&str] = &["/api/check-auth"];

 /// Axum middleware that enforces authentication on `/api/` server
-/// function endpoints.
-pub async fn require_auth(session: Session, request: Request, next: Next) -> Response {
+/// function endpoints. Skips auth entirely when Keycloak is not configured.
+pub async fn require_auth(
+    Extension(state): Extension<ServerState>,
+    session: Session,
+    request: Request,
+    next: Next,
+) -> Response {
+    // Skip auth when Keycloak is not configured
+    if state.keycloak.is_none() {
+        return next.run(request).await;
+    }
+
    let path = request.uri().path();

    if path.starts_with("/api/") && !PUBLIC_API_ENDPOINTS.contains(&path) {