fix(users): admin-gated /users routes accept api-key auth #23

Merged
hzhang merged 1 commits from fix/users-require-admin-accept-apikey into main 2026-05-29 07:55:45 +00:00
Showing only changes of commit cacb1d2652 - Show all commits


@@ -39,7 +39,11 @@ def _user_response(user: models.User) -> dict:
return data
def require_admin(current_user: models.User = Depends(get_current_user)):
def require_admin(current_user: models.User = Depends(get_current_user_or_apikey)):
# Accept either OAuth2 JWT or X-API-Key (incl. Bearer-as-apikey fallback)
# so CLI clients using their provisioned api-key can hit admin-gated user
# routes (list / get / update / patch). The admin gate still reads
# User.is_admin — only the auth carrier broadens.
if not current_user.is_admin:
raise HTTPException(status_code=403, detail="Admin required")
return current_user
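Review bot: With the dependency switched to `get_current_user_or_apikey`, `require_admin` authorises on `current_user.is_admin` alone, so any api-key that resolves to an admin user is now a full admin credential for the write routes (update / patch) as well as the reads. `get_current_user_or_apikey` is defined outside this hunk, so it is not visible here whether it checks key revocation or expiry, or whether the "Bearer-as-apikey fallback" can let a Bearer value that failed JWT validation be retried as a key; both are worth confirming before relying on this gate. I would also record which carrier authenticated the request at this point, so admin changes made with a long-lived key can be told apart from interactive sessions in the audit trail. The four-line comment would read better as a docstring, e.g. `"""Require an admin user; accepts OAuth2 JWT or X-API-Key, gate is still User.is_admin."""`. Tests are worth adding for a non-admin api-key receiving 403 and a revoked or unknown key being rejected before the admin check.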