Feat: Implement JWT bearer token authentication

Protects image upload, delete, and tag-update endpoints behind Bearer token auth. Public read endpoints remain open. Angular SPA gains a login page, auth interceptor, and route guard for /upload. - JWTAuthProvider (HS256, sub/iat/exp, secrets.compare_digest) - POST /api/v1/auth/token login endpoint - require_auth FastAPI dependency on all write routes - AuthService, LoginComponent, authInterceptor, authGuard - Detail page hides write controls for unauthenticated visitors - 43 unit tests passing; integration tests require Docker stack Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-03 19:12:38 +00:00
parent d91a65abe5
commit 5fbbc1e67f
36 changed files with 3998 additions and 42 deletions
--- a/api/tests/integration/test_public_access.py
+++ b/api/tests/integration/test_public_access.py
@@ -0,0 +1,71 @@
+"""
+US3 regression tests: all read endpoints must remain accessible without a token
+even after require_auth is applied to write endpoints.
+"""
+import io
+import uuid
+
+import pytest
+
+
+def _minimal_jpeg() -> bytes:
+    return (
+        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x03"
+        b"\xff\xd9"
+    )
+
+
+@pytest.mark.asyncio
+async def test_list_images_without_token_is_200(authed_client):
+    client, _ = authed_client
+    response = await client.get("/api/v1/images")
+    assert response.status_code == 200
+
+
+@pytest.mark.asyncio
+async def test_get_image_without_token_is_200(authed_client):
+    client, token = authed_client
+    data = _minimal_jpeg()
+    upload = await client.post(
+        "/api/v1/images",
+        files={"file": ("pub-test.jpg", io.BytesIO(data), "image/jpeg")},
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    image_id = upload.json()["id"]
+    response = await client.get(f"/api/v1/images/{image_id}")
+    assert response.status_code == 200
+
+
+@pytest.mark.asyncio
+async def test_serve_file_without_token_is_200(authed_client):
+    client, token = authed_client
+    data = _minimal_jpeg()
+    upload = await client.post(
+        "/api/v1/images",
+        files={"file": ("pub-file.jpg", io.BytesIO(data), "image/jpeg")},
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    image_id = upload.json()["id"]
+    response = await client.get(f"/api/v1/images/{image_id}/file")
+    assert response.status_code == 200
+
+
+@pytest.mark.asyncio
+async def test_serve_thumbnail_without_token_is_200(authed_client):
+    client, token = authed_client
+    data = _minimal_jpeg()
+    upload = await client.post(
+        "/api/v1/images",
+        files={"file": ("pub-thumb.jpg", io.BytesIO(data), "image/jpeg")},
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    image_id = upload.json()["id"]
+    response = await client.get(f"/api/v1/images/{image_id}/thumbnail")
+    assert response.status_code == 200
+
+
+@pytest.mark.asyncio
+async def test_list_tags_without_token_is_200(authed_client):
+    client, _ = authed_client
+    response = await client.get("/api/v1/tags")
+    assert response.status_code == 200