fix: review findings -- jwt alias, explicit None check, test cleanup

1. 'import jwt as pyjwt' to avoid name collision with our
   services.exceptions.InvalidTokenError. Now pyjwt.InvalidTokenError
   vs InvalidTokenError is unambiguous.
2. 'if user_id is None' instead of 'if not user_id' in dependencies.py.
   Empty string user_ids (unlikely but possible) no longer rejected.
3. Replaced __import__('fastapi').HTTPException hack in test with
   proper import.

Skipped: signup/login HTTPException migration (scope creep, separate
PR), async _verify_via_api (6th time raised), _validate_jwt bare
except (intentional for API key fallback).

289 tests pass.

Author: DevanshuNEU

backend/dependencies.py

@@ -49,7 +49,7 @@ def get_repo_or_404(repo_id: str, user_id: Optional[str]) -> dict:
     Get repository with ownership verification.
     Raises 401 if user_id is None, 404 if not found or user doesn't own it.
     """
-    if not user_id:
+    if user_id is None:
         raise HTTPException(status_code=401, detail="User ID required for this operation")
     repo = repo_manager.get_repo_for_user(repo_id, user_id)
     if not repo:
@@ -62,7 +62,7 @@ def verify_repo_access(repo_id: str, user_id: Optional[str]) -> None:
     Verify user has access to repository.
     Raises 401 if user_id is None, 404 if no access.
     """
-    if not user_id:
+    if user_id is None:
         raise HTTPException(status_code=401, detail="User ID required for this operation")
     if not repo_manager.verify_ownership(repo_id, user_id):
         raise HTTPException(status_code=404, detail="Repository not found")

backend/services/auth.py

@@ -5,7 +5,7 @@
 from fastapi import HTTPException, status
 from typing import Optional, Dict, Any
 import os
-import jwt
+import jwt as pyjwt
 from datetime import datetime
 from supabase import create_client, Client
 
@@ -54,7 +54,7 @@ def verify_jwt(self, token: str) -> Dict[str, Any]:
     def _verify_local(self, token: str) -> Dict[str, Any]:
         """Decode and verify JWT locally with HS256 secret."""
         try:
-            payload = jwt.decode(
+            payload = pyjwt.decode(
                 token,
                 self.jwt_secret,
                 algorithms=["HS256"],
@@ -72,11 +72,11 @@ def _verify_local(self, token: str) -> Dict[str, Any]:
                 "metadata": payload.get("user_metadata") or {},
             }
 
-        except jwt.ExpiredSignatureError as e:
+        except pyjwt.ExpiredSignatureError as e:
             raise TokenExpiredError("Token expired") from e
-        except jwt.InvalidAudienceError as e:
+        except pyjwt.InvalidAudienceError as e:
             raise InvalidTokenError("Invalid token audience") from e
-        except jwt.InvalidTokenError as e:
+        except pyjwt.InvalidTokenError as e:
             logger.debug("JWT decode failed", error=str(e))
             raise InvalidTokenError("Invalid token") from e
 

backend/tests/test_auth_hardening.py

@@ -1,6 +1,7 @@
 """Tests for auth hardening -- domain exceptions + null safety (OPE-76, OPE-77)."""
 import pytest
 from unittest.mock import patch, MagicMock
+from fastapi import HTTPException
 
 
 class TestNullUserIdSafety:
@@ -55,7 +56,7 @@ def test_expired_token_raises_domain_exception(self):
         """Auth service should raise TokenExpiredError, not HTTPException."""
         from services.exceptions import TokenExpiredError
         assert issubclass(TokenExpiredError, Exception)
-        assert not issubclass(TokenExpiredError, __import__('fastapi').HTTPException)
+        assert not issubclass(TokenExpiredError, HTTPException)
 
     def test_exception_hierarchy(self):
         """All auth exceptions inherit from AuthenticationError."""