github-actions[bot] opened a new pull request, #67171: URL: https://github.com/apache/airflow/pull/67171
* Default-deny auth at the API and UI router level

Add `dependencies=[Depends(get_user)]` to `authenticated_router` (parent of every route under `/api/v2` except the explicit no-auth carve-outs `monitor_router`, `version_router`, and the public `auth_router`) and to `ui_router` (every route under `/ui`).

Today every authenticated route already declares `GetUserDep` or a `requires_access_*` dependency that itself depends on `get_user`, so this is purely additive — FastAPI deduplicates the dependency via its per-request cache, so each request still resolves `get_user` once. The value is preventing a future route from being added under either router without an auth check: the router-level dependency catches the regression at registration time rather than at audit time.

Add a structural test that asserts both routers carry the router-level `Depends(get_user)`, so a future refactor that drops the dependency without considering its purpose fails the test rather than silently widening the unauthenticated surface.

* Move test imports to top of file

Address review feedback from @Lee-W on PR #66505.

(cherry picked from commit aa8542f69ad936906e39d0e28b677a676e74142f)

Co-authored-by: Jarek Potiuk <[email protected]>

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
