Local `require_admin` in users.py depended on `get_current_user`, which is OAuth2 JWT only. That made every admin-gated /users route (list, get, patch update, bind-agent, etc.) reject api-key clients with 401 even when the api-key resolves to an is_admin=True user. Switch to `get_current_user_or_apikey` (the one in deps.py) so X-API-Key and Bearer-as-apikey fallback both work. The admin gate itself still reads User.is_admin — only the auth carrier broadens. Matches the auth pattern schedule_type.py and other admin routes already use. Surfaced when sherlock (agent-resource-director) tried `hf user list` for the recruitment workflow Step 3 verify and got 401 "Could not validate credentials" despite a valid provisioned api-key.
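The dependency pattern this commit describes, shown as an added stand-alone example rather than the project's own code: a JWT-only carrier (`get_current_user`) next to the broadened carrier (`get_current_user_or_apikey`) that also accepts `X-API-Key` and a Bearer-as-apikey fallback, with `require_admin` gating on `User.is_admin` in both cases. The HMAC-signed token, the user table and the api-key table are constructed stand-ins for the real JWT verification and database lookups, and the function and header names are taken from the commit message; FastAPI itself is not used so the snippet runs offline.

```python
"""Stand-in for the require_admin / auth-carrier pattern in the commit above.
Not the project's code: tokens, users and api-keys below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SECRET = b"constructed-demo-secret"  # stand-in for the JWT signing key


@dataclass(frozen=True)
class User:
    username: str
    is_admin: bool


# Constructed tables standing in for the DB-backed user and api-key lookups.
USERS = {
    "alice": User("alice", is_admin=True),
    "bob": User("bob", is_admin=False),
}
API_KEYS = {
    "hf_key_alice_constructed": "alice",
    "hf_key_bob_constructed": "bob",
}


class HTTPError(Exception):
    """Minimal stand-in for FastAPI's HTTPException."""

    def __init__(self, status: int, detail: str):
        super().__init__(f"{status} {detail}")
        self.status = status
        self.detail = detail


def issue_token(username: str) -> str:
    """Stand-in for a JWT: 'username.hmac' (no claims or expiry; demo only)."""
    sig = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{sig}"


def user_from_jwt(token: str) -> Optional[User]:
    username, _, sig = token.partition(".")
    expected = hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()
    if sig and hmac.compare_digest(sig, expected):
        return USERS.get(username)
    return None


def user_from_apikey(key: str) -> Optional[User]:
    username = API_KEYS.get(key)
    return USERS.get(username) if username else None


def get_current_user(headers: Dict[str, str]) -> User:
    """JWT-only carrier: what the old local require_admin depended on."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        user = user_from_jwt(auth[len("Bearer "):])
        if user:
            return user
    raise HTTPError(401, "Could not validate credentials")


def get_current_user_or_apikey(headers: Dict[str, str]) -> User:
    """Broadened carrier: JWT, then X-API-Key, then Bearer-as-apikey fallback."""
    auth = headers.get("Authorization", "")
    bearer = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    if bearer:
        user = user_from_jwt(bearer)
        if user:
            return user
    key = headers.get("X-API-Key")
    if key:
        user = user_from_apikey(key)
        if user:
            return user
    if bearer:  # a provisioned api-key sent as a Bearer token
        user = user_from_apikey(bearer)
        if user:
            return user
    raise HTTPError(401, "Could not validate credentials")


def require_admin(headers: Dict[str, str],
                  carrier: Callable[[Dict[str, str]], User] = get_current_user_or_apikey) -> User:
    """Admin gate: the check is still User.is_admin; only the carrier changed."""
    user = carrier(headers)
    if not user.is_admin:
        raise HTTPError(403, "Admin privileges required")
    return user


def status_for(headers: Dict[str, str], carrier) -> int:
    """Collapse the gate's outcome to an HTTP status for comparison."""
    try:
        require_admin(headers, carrier)
        return 200
    except HTTPError as err:
        return err.status
```

With the old carrier an admin presenting only `X-API-Key` is refused with 401 before `is_admin` is ever consulted; with the broadened carrier the same request reaches the gate and passes, while a non-admin api-key still gets 403, so the privilege check is unchanged and only the accepted credential types grow.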