fix: review findings -- get_current_user catches domain exceptions, exception chaining, test exercises real code

DevanshuNEU · DevanshuNEU · commit 3c8003ab803e · 2026-02-24T12:18:40.000-05:00
1. get_current_user (legacy, used by logout + get_user_info routes)
   now catches domain exceptions. Was letting TokenExpiredError etc
   bubble up as 500s after our domain exception migration.
2. Exception chaining: jwt.ExpiredSignatureError etc now raise with
   'from e' so original PyJWT traceback is preserved for debugging.
3. Removed unused imports (InvalidCredentialsError, SignupError,
   SessionError) from auth.py. Will re-add when signup/login
   are migrated to domain exceptions.
4. test_search_with_null_user_id: now exercises the REAL null guard
   in dependencies.py instead of mocking verify_repo_access to
   return the answer. Overrides require_auth to return AuthContext
   with user_id=None, lets real verify_repo_access catch it.

289 tests pass.
diff --git a/backend/middleware/auth.py b/backend/middleware/auth.py
@@ -201,7 +201,12 @@ async def get_current_user(
     """
     from services.auth import get_auth_service
     auth_service = get_auth_service()
-    return auth_service.verify_jwt(credentials.credentials)
+    try:
+        return auth_service.verify_jwt(credentials.credentials)
+    except (TokenExpiredError, TokenMissingClaimError) as e:
+        raise HTTPException(status_code=401, detail=str(e))
+    except AuthenticationError:
+        raise HTTPException(status_code=401, detail="Invalid or expired token")
 
 
 async def get_optional_user(
diff --git a/backend/services/auth.py b/backend/services/auth.py
@@ -15,9 +15,6 @@
     TokenExpiredError,
     InvalidTokenError,
     TokenMissingClaimError,
-    InvalidCredentialsError,
-    SignupError,
-    SessionError,
 )
 
 
@@ -75,13 +72,13 @@ def _verify_local(self, token: str) -> Dict[str, Any]:
                 "metadata": payload.get("user_metadata") or {},
             }
         
-        except jwt.ExpiredSignatureError:
-            raise TokenExpiredError("Token expired")
-        except jwt.InvalidAudienceError:
-            raise InvalidTokenError("Invalid token audience")
+        except jwt.ExpiredSignatureError as e:
+            raise TokenExpiredError("Token expired") from e
+        except jwt.InvalidAudienceError as e:
+            raise InvalidTokenError("Invalid token audience") from e
         except jwt.InvalidTokenError as e:
             logger.debug("JWT decode failed", error=str(e))
-            raise InvalidTokenError("Invalid token")
+            raise InvalidTokenError("Invalid token") from e
     
     def _verify_via_api(self, token: str) -> Dict[str, Any]:
         """Fallback: verify via Supabase API call (requires network)."""
diff --git a/backend/tests/test_auth_hardening.py b/backend/tests/test_auth_hardening.py
@@ -7,20 +7,27 @@ class TestNullUserIdSafety:
     """API key users (no user_id) get 401, not confusing 404."""
 
     def test_search_with_null_user_id_returns_401(self, client, valid_headers):
-        """Search should reject None user_id, not pretend repo doesn't exist."""
-        with patch("routes.search.require_auth") as mock_auth, \
-             patch("routes.search.verify_repo_access") as mock_verify:
-            from middleware.auth import AuthContext
-            mock_auth.return_value = AuthContext(api_key_name="test-key", user_id=None)
-            # verify_repo_access should raise 401 when user_id is None
-            from fastapi import HTTPException
-            mock_verify.side_effect = HTTPException(status_code=401, detail="User ID required")
+        """Search should reject None user_id via the real verify_repo_access null guard."""
+        from fastapi.testclient import TestClient
+        from main import app
+        from middleware.auth import require_auth, AuthContext
+
+        # Mock auth to return a context with no user_id (API key user)
+        async def mock_auth_no_user():
+            return AuthContext(api_key_name="test-key", user_id=None)
+
+        app.dependency_overrides[require_auth] = mock_auth_no_user
+        try:
             resp = client.post(
                 "/api/v1/search",
                 json={"query": "auth", "repo_id": "test"},
                 headers=valid_headers,
             )
-        assert resp.status_code == 401
+            # verify_repo_access in dependencies.py should catch None user_id
+            assert resp.status_code == 401
+            assert "User ID required" in resp.json()["detail"]
+        finally:
+            app.dependency_overrides.pop(require_auth, None)
 
     def test_get_repo_or_404_rejects_none_user_id(self):
         """get_repo_or_404 should raise 401 when user_id is None."""
