Fix RBAC security concerns and clean up decorator docstrings #168
No reviewers
Labels
No labels
CI/CD
MongoDB
PostgreSQL
api
authentication
bug
documentation
duplicate
enhancement
example issue
fix
good first issue
help wanted
high-level requirement
infrastructure
invalid
low-level requirement
medium-level requirement
question
security
test
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
AndreFerreira5/starranja!168
Loadingā¦
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "copilot/sub-pr-161"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Addressed feedback from resolved comments and critical security concerns in the RBAC implementation.
Changes
Code Cleanup
src/routes/users.py: Removedprefix="/users"from APIRouter - FastAPI automatically uses filename for route prefix, making this redundant and causing/users/userspathssrc/authentication/decorators.py: Removed verbose AI-generated comments including:token_required()docstringget_current_user()docstringSecurity Enhancements
1. Production Safety for /auth/bootstrap-admin
dev_routerfor development-only endpoints/auth/bootstrap-adminis now excluded at router registration level whenENVIRONMENT=production2. Test Suite Reliability
admin_tokenfixture frompytest.skip()topytest.fail()whenENVIRONMENT=production3. Error Semantics for Malformed Tokens
4. Logging Improvements
5. Breaking Change Documentation
/auth/registernow requires RBAC authentication (admin/manager roles)Before/After
Route Prefix
Bootstrap Endpoint Security
All linting and formatting checks pass.
š¬ We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.
@copilot this is also wrong, fix it:
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.
...
All security concerns addressed in commit
fe1e588:1. Bootstrap-admin protection (Resolved)
dev_routerexcluded at router registration levelENVIRONMENT != "production"2. Test suite production safety (Resolved)
admin_tokenfixture now usespytest.fail()instead ofpytest.skip()ENVIRONMENT=production, preventing false-positive CI3. Breaking change documentation (Resolved)
/auth/register4. Malformed token error semantics (Resolved)
5. Sensitive data in logs (Resolved)
logger.errortologger.warningfor malformed tokensAll linting/formatting checks pass. Ready for review.
Pull request overview
This PR addresses critical RBAC security concerns and cleans up decorator docstrings. The main focus is on preventing the
/auth/bootstrap-adminendpoint from being available in production through router-level exclusion, improving test reliability by failing loudly on environment misconfiguration, and treating malformed tokens as authentication failures (401) rather than server errors (500).Key Changes:
dev_routerthat is conditionally registered only in non-production environmentspytest.fail()instead ofpytest.skip()to prevent false-positive CI results from silent test skippingReviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.
Show a summary per file
tests/conftest.pyadmin_tokenfixture to fail loudly when ENVIRONMENT=production instead of silently skipping tests, preventing false-positive CI resultssrc/routes/users.pyprefix="/users"from APIRouter (prefix is set in main.py during router registration)src/routes/auth.pydev_routerfor bootstrap-admin endpoint and reduced logging verbosity by removing user roles from audit logssrc/main.pysrc/authentication/decorators.pyREADME.mdš” Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
@ -26,0 +32,4 @@- **Previous behavior**: Public endpoint - anyone could register a new user- **New behavior**: Protected endpoint - requires authentication with admin, gerente, or mecanico_gerente rolesThe role name "gerente" appears in the README documentation but should be verified for consistency. The PR description mentions "admin/manager roles" but the actual role names in the code are "admin", "gerente", and "mecanico_gerente". Using Spanish "gerente" while the rest of the documentation is in English could be confusing for API consumers. Consider documenting all valid role names explicitly or using consistent language.
The use of
getattr(settings, "ENVIRONMENT", "production")is unnecessary because theSettingsclass insrc/config.pyalready definesENVIRONMENT: str = "production"as a field with a default value. The attribute is guaranteed to exist, so this can be simplified tosettings.ENVIRONMENT.lower()for consistency with how it's accessed insrc/main.pyline 66.The logging message at line 234 was changed to remove the user's roles array, which is good for reducing sensitive data exposure. However, the log message "User registration requested by user_id: %s" could be more informative by including the target username being registered. Consider: "User registration requested by user_id: %s for username: %s" to maintain audit capability while avoiding logging the requester's roles.
@ -263,0 +263,4 @@# Check if we're in production mode - fail loudly if soenv_value = os.getenv("ENVIRONMENT", "").lower()if env_value == "production":pytest.fail(The environment check uses
os.getenv("ENVIRONMENT", "").lower()which defaults to empty string if the environment variable is not set. An empty string would not equal "production", so the test would proceed. However, insrc/routes/auth.pyline 148, the code usesgetattr(settings, "ENVIRONMENT", "production")which defaults to "production" if unset. This inconsistency means the test fixture might allow tests to run when ENVIRONMENT is unset, but the bootstrap endpoint would block them. Consider using the same default value ("production") in both places for defense-in-depth, or documenting why they differ.