
HOTFIX: API key auth was broken -- AuthenticationError blocked fallback path#285

Merged
DevanshuNEU merged 1 commit into
OpenCodeIntel:mainfrom
DevanshuNEU:hotfix/api-key-auth-fallback
Mar 7, 2026

Conversation

@DevanshuNEU

@DevanshuNEU DevanshuNEU commented Mar 7, 2026

Collaborator

Production bug -- MCP 401 on every request

One line in middleware/auth.py was blocking ALL API key authentication since day one.

Root cause

# BEFORE (broken): AuthenticationError raises 401, API key path never runs
except AuthenticationError as e:
    raise HTTPException(status_code=401, detail=str(e))

# AFTER (fixed): allows fallback to _validate_api_key
except AuthenticationError:
    return None

When a ci_ API key hits _validate_jwt, it fails local JWT decode, then falls back to Supabase API verification, which also fails and raises AuthenticationError. This was caught and immediately raised HTTP 401 -- the _validate_api_key function never got a chance to run.

Impact

Fix

1 file, 3 lines changed. Catch AuthenticationError and return None (same as InvalidTokenError) to allow the API key fallback path.

392 backend tests pass.

Summary by CodeRabbit

  • Bug Fixes
    • Authentication now falls back to API key validation when JWT authentication fails, reducing unnecessary immediate rejections and improving successful request handling.
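The fallback path described in this PR, as an added example that is not the OpenCodeIntel project's own middleware: a minimal model of the JWT-then-API-key flow in which the broken `_validate_jwt` (raising on `AuthenticationError`) and the fixed one (returning `None`) can be run side by side. Every class, function and credential below is constructed for illustration; `verify_jwt` stands in for the local-decode-then-Supabase chain, and the API key store holds only hashes and compares them in constant time.

```python
# Added example, not the OpenCodeIntel project's own middleware: a minimal
# model of the JWT-then-API-key fallback described in the PR. Every class,
# function and sample credential below is constructed for illustration.
import hashlib
import hmac
import logging
from dataclasses import dataclass
from typing import Callable, Optional

log = logging.getLogger("auth")


class InvalidTokenError(Exception):
    """Token is not even JWT-shaped (stands in for PyJWT's InvalidTokenError)."""


class AuthenticationError(Exception):
    """Neither local decode nor the remote verifier accepted the token."""


class HTTPException(Exception):
    """Stand-in for the web framework's HTTPException."""

    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


@dataclass
class Identity:
    subject: str
    method: str  # "jwt" or "api_key"


# Constructed sample data: one known JWT and one API key stored only as a hash.
KNOWN_JWTS = {"jwt.good.token": "user-123"}
API_KEY_HASHES = {hashlib.sha256(b"ci_example_key_ABC").hexdigest(): "ci-runner-7"}


def verify_jwt(token: str) -> str:
    """Local decode first, then a (simulated) remote check, as the PR describes."""
    if not token:
        raise InvalidTokenError("empty token")
    if token in KNOWN_JWTS:  # simulated successful local decode
        return KNOWN_JWTS[token]
    # Local decode failed: fall back to the remote verifier, which (simulated
    # here, like the Supabase call in the PR) rejects anything it does not know.
    raise AuthenticationError("remote verification failed")


def _validate_jwt_before(token: str) -> Optional[Identity]:
    """The broken version: AuthenticationError becomes an immediate 401."""
    try:
        return Identity(verify_jwt(token), "jwt")
    except InvalidTokenError:
        return None
    except AuthenticationError as e:
        raise HTTPException(status_code=401, detail=str(e))


def _validate_jwt_after(token: str) -> Optional[Identity]:
    """The fixed version: decline with None so the API key path can run."""
    try:
        return Identity(verify_jwt(token), "jwt")
    except (InvalidTokenError, AuthenticationError) as e:
        log.debug("JWT path declined token: %s", e)  # keep the reason for observability
        return None


def _validate_api_key(token: str) -> Optional[Identity]:
    """Accept only keys whose hash matches a stored hash (constant-time compare)."""
    if not token.startswith("ci_"):
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, owner in API_KEY_HASHES.items():
        if hmac.compare_digest(digest, stored):
            return Identity(owner, "api_key")
    return None


def authenticate(token: str, validate_jwt: Callable[[str], Optional[Identity]]) -> Identity:
    """JWT first, then API key; 401 only when both decline, so it never fails open."""
    identity = validate_jwt(token) or _validate_api_key(token)
    if identity is None:
        raise HTTPException(status_code=401, detail="Unauthorized")
    return identity


def outcome(token: str, validate_jwt: Callable[[str], Optional[Identity]]) -> str:
    """Summarise one request as 'method:subject' or the HTTP status, for comparison."""
    try:
        ident = authenticate(token, validate_jwt)
        return f"{ident.method}:{ident.subject}"
    except HTTPException as e:
        return str(e.status_code)


if __name__ == "__main__":
    for tok in ["ci_example_key_ABC", "jwt.good.token", "ci_unknown", "garbage", ""]:
        print(f"{tok!r:22} before={outcome(tok, _validate_jwt_before):22} "
              f"after={outcome(tok, _validate_jwt_after)}")
```

With the broken validator the constructed `ci_` key yields 401 before `_validate_api_key` ever runs; with the fixed one it is accepted as `api_key:ci-runner-7`. The important property to verify after a change like this is that it stays fail-closed: an unknown `ci_` key, an arbitrary string and an empty token all still end in 401, because the fallback validates rather than merely "handles" the credential.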

@vercel

vercel Bot commented Mar 7, 2026


@DevanshuNEU is attempting to deploy a commit to the Dev's projects Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Mar 7, 2026


No actionable comments were generated in the recent review. 🎉


Reviewing files that changed from the base of the PR and between db69945 and 2a072c5.

📒 Files selected for processing (1)
  • backend/middleware/auth.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • backend/middleware/auth.py

Walkthrough

Modified JWT validation in the authentication middleware: _validate_jwt now returns None on AuthenticationError instead of raising an HTTP 401, allowing the request to continue and enabling fallback to API key validation.

Changes

Cohort / File(s): JWT Fallback Logic (backend/middleware/auth.py)
Summary: Changed _validate_jwt behavior to return None on AuthenticationError (previously raised HTTP 401), preserving fallback paths (e.g., API key validation) instead of terminating with 401.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Middleware as Auth Middleware
    participant JWT as JWT Validator
    participant APIKey as API Key Validator
    participant App as Application

    Client->>Middleware: Send request with auth header
    Middleware->>JWT: Validate JWT
    alt JWT valid
        JWT-->>Middleware: Return user info
        Middleware->>App: Forward authenticated request
    else JWT invalid or AuthenticationError (now returns None)
        JWT-->>Middleware: Return None
        Middleware->>APIKey: Check API key
        alt API key valid
            APIKey-->>Middleware: Return API key identity
            Middleware->>App: Forward authenticated request
        else
            APIKey-->>Middleware: Reject
            Middleware-->>Client: Respond 401
        end
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through headers, found a sigh—

JWT returned None, not a cry,
Keys in the burrow waited near,
Fallback ready, calm and clear,
🥕 hopping on, the request went by.

Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title clearly and specifically describes the main change: fixing a production bug where AuthenticationError in JWT validation was blocking the fallback to API key authentication.
  • Docstring Coverage: Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.


… cause)

_validate_jwt caught AuthenticationError and raised HTTPException 401
immediately, preventing _validate_api_key from ever running.

ci_ API keys hit verify_jwt -> fail local decode -> fall back to
Supabase API call -> also fails -> raises AuthenticationError.
The middleware treated this as a hard failure instead of allowing
the API key path to try next.

Fix: catch AuthenticationError and return None (same as InvalidTokenError).
Root cause of all MCP 401 errors since day one.

@DevanshuNEU DevanshuNEU force-pushed the hotfix/api-key-auth-fallback branch from db69945 to 2a072c5 Compare March 7, 2026 19:01
@vercel

vercel Bot commented Mar 7, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

  • Project: opencodeintel | Deployment: Ignored | Actions: Ignored | Preview | Updated (UTC): Mar 7, 2026 7:08pm

@DevanshuNEU DevanshuNEU merged commit 76af000 into OpenCodeIntel:main Mar 7, 2026
8 checks passed