feat(auth): deny-by-default gate middleware + require_role

Adds operator_gate Starlette HTTP middleware that gates every route except an explicit allow-list. Flag defaults OFF so all existing behaviour and tests are unchanged. wire_operator_auth helper in conftest lets tests monkeypatch the module-global SessionLocal and flag, keeping the gate's own DB session pointed at the test engine.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -89,6 +89,12 @@ async def add_environment_to_context(request: Request, call_next):
|
||||
response = await call_next(request)
|
||||
return response
|
||||
|
||||
# Operator auth — deny-by-default gate over the whole internal app. Governed by
|
||||
# OPERATOR_AUTH_ENABLED (default off → behaves exactly as today). See
|
||||
# docs/superpowers/specs/2026-06-17-operator-auth-design.md.
|
||||
from backend.operator_auth import operator_gate
|
||||
app.middleware("http")(operator_gate)
|
||||
|
||||
# Override TemplateResponse to include environment and version in context
|
||||
original_template_response = templates.TemplateResponse
|
||||
def custom_template_response(name, context=None, *args, **kwargs):
|
||||
|
||||
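Review bot: the comment on the added block calls this a deny-by-default gate, but OPERATOR_AUTH_ENABLED defaults to off, so an environment that never sets the flag serves every route ungated with no signal that it is doing so. Consider logging a startup warning when the flag is off, so the fail-open state is visible in deployment logs. Also, at `app.middleware("http")(operator_gate)`: Starlette runs the most recently registered middleware first, so the gate wraps add_environment_to_context above, but any middleware registered later in this file would run before the gate on unauthenticated requests; registering the gate last, or adding a test that pins its position in the stack, would keep that from regressing. The mid-module `from backend.operator_auth import operator_gate` could move to the top of the file unless it sits here to avoid a circular import, in which case a comment saying so would help.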