From 2a072c5ab70ccfb39e000e59fbfebd69914bcf70 Mon Sep 17 00:00:00 2001
From: Devanshu Rajesh Chicholikar
Date: Sat, 7 Mar 2026 14:01:45 -0500
Subject: [PATCH] HOTFIX: AuthenticationError blocks API key auth fallback (OPE-91 root cause)

_validate_jwt caught AuthenticationError and raised HTTPException 401 immediately, preventing _validate_api_key from ever running. ci_ API keys hit verify_jwt -> fail local decode -> fall back to Supabase API call -> also fails -> raises AuthenticationError. The middleware treated this as a hard failure instead of allowing the API key path to try next. Fix: catch AuthenticationError and return None (same as InvalidTokenError). Root cause of all MCP 401 errors since day one.
---
 backend/middleware/auth.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/backend/middleware/auth.py b/backend/middleware/auth.py
index 5ef2ade..0a2d05b 100644
--- a/backend/middleware/auth.py
+++ b/backend/middleware/auth.py
@@ -88,8 +88,9 @@ def _validate_jwt(token: str) -> Optional[AuthContext]:
 except InvalidTokenError:
 # Could be a non-JWT token (API key) -- allow fallback
 return None
- except AuthenticationError as e:
- raise HTTPException(status_code=401, detail=str(e))
+ except AuthenticationError:
+ # Could be a non-JWT token (API key) -- allow fallback
+ return None
 except Exception:
 return None
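Review bot: The new `except AuthenticationError:` branch in `_validate_jwt` returns None without recording anything, so a genuine JWT rejected by the remote check (expired, revoked, bad signature) now looks the same as an API key and leaves no trace for detection. Assuming the module has a logger, emit something like `logger.warning("JWT validation failed; falling back to API key path")` before `return None`, keeping the token and any exception text that might echo it out of the message. Per the commit message, `ci_` keys still pass through `verify_jwt` and its Supabase API fallback before reaching this handler, which presumably sends the API key to a third party on every request; a guard such as `if token.startswith("ci_"): return None` ahead of the `verify_jwt` call (outside this hunk) would avoid that exposure and the extra round trip. The branch is now identical in effect to `except Exception: return None` below it, so a 401 for a bad token depends entirely on the caller rejecting the request when both validators return None; that caller is not visible here and deserves a regression test.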