fix(projects): perm-gate create + apikey-via-Bearer + introspect with apikey

Three coupled fixes so non-admin agents (e.g. nav, role=mgr) can actually create projects through hf-cli with their API key: 1. POST /projects no longer hardcodes is_admin. It checks the global `project.create` perm via role_permissions (admin still wins via is_admin short-circuit). Permission-denied 403 message names the exact perm. 2. /auth/me/permissions now uses get_current_user_or_apikey (was get_current_user JWT-only). This is what hf-cli hits to populate its local permission cache that drives the "not permitted" gate; previously every API-key-authed agent saw all commands as gated. 3. get_current_user_or_apikey now also accepts an API key delivered via Authorization: Bearer (in addition to X-API-Key). hf-cli only knows Bearer; trying to JWT-decode an API key string would fail — so on decode failure, fall through to the API key lookup. Keeps X-API-Key behavior unchanged. 4. init_bootstrap: add `project.create` to DEFAULT_PERMISSIONS and to _MGR_PERMISSIONS so admin (auto-all) + mgr both get it on seed. Bug came to light when manager-agent reported `hf project list`/`create` returned `not permitted`. Root cause: hf-cli calls /auth/me/permissions with the API key via Bearer header → 401 → state.Known=false → every command in the surface is gated false locally. Even after the local gate, POST /projects would still 403 due to the hardcoded admin check. All four steps above are required end-to-end. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 22:09:34 +01:00
parent 01f6b562e1
commit d2b83ad58d
4 changed files with 53 additions and 13 deletions
--- a/app/api/deps.py
+++ b/app/api/deps.py
@@ -59,22 +59,43 @@ async def get_current_user(token: str = Depends(oauth2_scheme), db: Session = De
    return user


+def _lookup_api_key(db: Session, key: str) -> models.User | None:
+    """Resolve an API key string to a User; mark last_used_at on hit."""
+    if not key:
+        return None
+    key_obj = db.query(APIKey).filter(APIKey.key == key, APIKey.is_active == True).first()  # noqa: E712
+    if not key_obj:
+        return None
+    key_obj.last_used_at = datetime.utcnow()
+    db.commit()
+    return db.query(models.User).filter(models.User.id == key_obj.user_id).first()
+
+
 async def get_current_user_or_apikey(
    token: str = Depends(oauth2_scheme),
    api_key: str = Depends(apikey_header),
    db: Session = Depends(get_db)
 ):
-    """Authenticate via JWT token OR API key."""
+    """Authenticate via JWT token (Authorization: Bearer <jwt>) OR API key
+    (X-API-Key: <key>, OR — as a convenience for CLI clients that only know
+    Bearer — Authorization: Bearer <api-key>; falls back when JWT decode fails).
+    """
+    # Native X-API-Key header
    if api_key:
-        key_obj = db.query(APIKey).filter(APIKey.key == api_key, APIKey.is_active == True).first()
-        if key_obj:
-            key_obj.last_used_at = datetime.utcnow()
-            db.commit()
-            user = db.query(models.User).filter(models.User.id == key_obj.user_id).first()
+        user = _lookup_api_key(db, api_key)
+        if user:
+            return user
+
+    # Bearer header — try JWT first, then API key on decode failure
+    if token:
+        try:
+            return await get_current_user(token=token, db=db)
+        except HTTPException:
+            user = _lookup_api_key(db, token)
            if user:
                return user
-    if token:
-        return await get_current_user(token=token, db=db)
+            raise
+
    raise HTTPException(status_code=401, detail="Not authenticated")