Feat: Implement JWT bearer token authentication

Protects image upload, delete, and tag-update endpoints behind Bearer token auth. Public read endpoints remain open. Angular SPA gains a login page, auth interceptor, and route guard for /upload. - JWTAuthProvider (HS256, sub/iat/exp, secrets.compare_digest) - POST /api/v1/auth/token login endpoint - require_auth FastAPI dependency on all write routes - AuthService, LoginComponent, authInterceptor, authGuard - Detail page hides write controls for unauthenticated visitors - 43 unit tests passing; integration tests require Docker stack Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-03 19:12:38 +00:00
parent d91a65abe5
commit 5fbbc1e67f
36 changed files with 3998 additions and 42 deletions
--- a/api/tests/integration/conftest.py
+++ b/api/tests/integration/conftest.py
@@ -1,12 +1,26 @@
+import os
 import pytest
 import pytest_asyncio
 from httpx import AsyncClient, ASGITransport
 from sqlalchemy.ext.asyncio import create_async_engine, AsyncSession, async_sessionmaker

+# Provide required settings for the test environment before any app imports resolve them
+os.environ.setdefault("JWT_SECRET_KEY", "test-secret-key-for-testing-only")
+os.environ.setdefault("OWNER_USERNAME", "testowner")
+os.environ.setdefault("OWNER_PASSWORD", "testpassword")
+
 from app.main import app
 from app.config import get_settings
 from app.database import Base
 from app.dependencies import get_db, get_storage, get_auth
+from app.auth.jwt_provider import JWTAuthProvider
+
+# Bust the LRU cache so get_settings() picks up the env vars set above
+get_settings.cache_clear()
+
+_TEST_JWT_SECRET = os.environ["JWT_SECRET_KEY"]
+_TEST_OWNER_USERNAME = os.environ["OWNER_USERNAME"]
+_TEST_OWNER_PASSWORD = os.environ["OWNER_PASSWORD"]


@pytest_asyncio.fixture(scope="session", loop_scope="session")
@@ -57,3 +71,40 @@ async def client(db_session):
        yield c

    app.dependency_overrides.clear()
+
+
+@pytest_asyncio.fixture
+async def jwt_auth_provider() -> JWTAuthProvider:
+    return JWTAuthProvider(
+        secret_key=_TEST_JWT_SECRET,
+        expiry_seconds=3600,
+        owner_username=_TEST_OWNER_USERNAME,
+        owner_password=_TEST_OWNER_PASSWORD,
+    )
+
+
+@pytest_asyncio.fixture
+async def authed_client(db_session, jwt_auth_provider):
+    from app.storage.s3_backend import S3StorageBackend
+
+    storage = S3StorageBackend()
+    auth = jwt_auth_provider
+
+    async def override_db():
+        yield db_session
+
+    def override_storage():
+        return storage
+
+    def override_auth():
+        return auth
+
+    app.dependency_overrides[get_db] = override_db
+    app.dependency_overrides[get_storage] = override_storage
+    app.dependency_overrides[get_auth] = override_auth
+
+    valid_token = auth.create_token()
+    async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as c:
+        yield c, valid_token
+
+    app.dependency_overrides.clear()