The GitHub Actions job "Required Checks" on texera.git/refactor/jwt-filter-eager-401 has failed. Run started by GitHub user Yicong-Huang (triggered by Yicong-Huang).
Head commit for run: 7a95fbe079f241be4b8c3d5293906d7d556c149d / Yicong Huang <[email protected]>

fix(auth): JwtAuthFilter eager-401 with @PermitAll opt-out

Today JwtAuthFilter silently passes through any request that lacks a valid Bearer token; the 401 only surfaces later when Dropwizard's @Auth injection fails. amber's toastshaman path returns 401 directly from its filter with a WWW-Authenticate challenge — strictly more correct. Align the microservice filter:

- No `Authorization: Bearer …` header → throw 401 with bare `WWW-Authenticate: Bearer realm="texera"` (RFC 6750 §3 challenge).
- Header present but token verification / claim extraction fails → throw 401 with `error="invalid_token"` so a well-behaved client can discard the bad token instead of retrying.
- Header present and valid → install SecurityContext as before.

@PermitAll opt-out: a resource method (or class) annotated with `jakarta.annotation.security.PermitAll` skips the eager 401 only on the "no header" path. The `@Auth Optional[SessionUser]` parameter is then injected as empty. An invalid token still 401s on @PermitAll endpoints — a tampered or stale token is never silently treated as anonymous.

The single in-tree consumer of the optional pattern is `file-service/.../DatasetResource.getDatasetCover` (anonymous read of public dataset covers); annotate it with @PermitAll.

Failure is signaled by throwing WebApplicationException rather than abortWith — the JAX-RS-idiomatic shape, plus it composes with Dropwizard's WebApplicationExceptionCatchingFilter when reused elsewhere.

Tests: 9-case JwtAuthFilterSpec covering required-auth (no header / non-Bearer / unverifiable / valid), method-level @PermitAll (unauthenticated → pass / invalid token → 401 / valid → SecurityContext), class-level @PermitAll, and resourceInfo-absent fallback to required-auth.

Common/auth gains two test-scope deps (jakarta.annotation-api for @PermitAll inspection; jersey-common to provide a RuntimeDelegate so Response.build() works in unit tests without a Jersey runtime).

Closes #4901

Report URL: https://github.com/apache/texera/actions/runs/25304917320

With regards,
GitHub Actions via GitBox
