refactor(auth): consolidate PUBLIC_MODE and mutation guards into reusable helpers (#909)

* refactor(auth): consolidate PUBLIC_MODE and mutation guards into reusable helpers

* fix: fix websocket test override

Author: yamijuan

server/reflector/auth/__init__.py

@@ -12,6 +12,7 @@
 authenticated = auth_module.authenticated
 current_user = auth_module.current_user
 current_user_optional = auth_module.current_user_optional
+current_user_optional_if_public_mode = auth_module.current_user_optional_if_public_mode
 parse_ws_bearer_token = auth_module.parse_ws_bearer_token
 current_user_ws_optional = auth_module.current_user_ws_optional
 verify_raw_token = auth_module.verify_raw_token

server/reflector/auth/auth_jwt.py

@@ -129,6 +129,17 @@ async def current_user_optional(
     return await _authenticate_user(jwt_token, api_key, jwtauth)
 
 
+async def current_user_optional_if_public_mode(
+    jwt_token: Annotated[Optional[str], Depends(oauth2_scheme)],
+    api_key: Annotated[Optional[str], Depends(api_key_header)],
+    jwtauth: JWTAuth = Depends(),
+) -> Optional[UserInfo]:
+    user = await _authenticate_user(jwt_token, api_key, jwtauth)
+    if user is None and not settings.PUBLIC_MODE:
+        raise HTTPException(status_code=401, detail="Not authenticated")
+    return user
+
+
 def parse_ws_bearer_token(
     websocket: "WebSocket",
 ) -> tuple[Optional[str], Optional[str]]:

server/reflector/auth/auth_none.py

@@ -21,6 +21,11 @@ def current_user_optional():
     return None
 
 
+def current_user_optional_if_public_mode():
+    # auth_none means no authentication at all — always public
+    return None
+
+
 def parse_ws_bearer_token(websocket):
     return None, None
 

server/reflector/auth/auth_password.py

@@ -150,6 +150,16 @@ async def current_user_optional(
     return await _authenticate_user(jwt_token, api_key)
 
 
+async def current_user_optional_if_public_mode(
+    jwt_token: Annotated[Optional[str], Depends(oauth2_scheme)],
+    api_key: Annotated[Optional[str], Depends(api_key_header)],
+) -> Optional[UserInfo]:
+    user = await _authenticate_user(jwt_token, api_key)
+    if user is None and not settings.PUBLIC_MODE:
+        raise HTTPException(status_code=401, detail="Not authenticated")
+    return user
+
+
 # --- WebSocket auth (same pattern as auth_jwt.py) ---
 def parse_ws_bearer_token(
     websocket: "WebSocket",

server/reflector/db/transcripts.py

@@ -697,6 +697,18 @@ def user_can_mutate(transcript: Transcript, user_id: str | None) -> bool:
             return False
         return user_id and transcript.user_id == user_id
 
+    @staticmethod
+    def check_can_mutate(transcript: Transcript, user_id: str | None) -> None:
+        """
+        Raises HTTP 403 if the user cannot mutate the transcript.
+
+        Policy:
+        - Anonymous transcripts (user_id is None) are editable by anyone
+        - Owned transcripts can only be mutated by their owner
+        """
+        if transcript.user_id is not None and transcript.user_id != user_id:
+            raise HTTPException(status_code=403, detail="Not authorized")
+
     @asynccontextmanager
     async def transaction(self):
         """

server/reflector/views/meetings.py

@@ -16,7 +16,6 @@
 )
 from reflector.db.rooms import rooms_controller
 from reflector.logger import logger
-from reflector.settings import settings
 from reflector.utils.string import NonEmptyString
 from reflector.video_platforms.factory import create_platform_client
 
@@ -92,15 +91,15 @@ class StartRecordingRequest(BaseModel):
 async def start_recording(
     meeting_id: NonEmptyString,
     body: StartRecordingRequest,
-    user: Annotated[Optional[auth.UserInfo], Depends(auth.current_user_optional)],
+    user: Annotated[
+        Optional[auth.UserInfo], Depends(auth.current_user_optional_if_public_mode)
+    ],
 ) -> dict[str, Any]:
     """Start cloud or raw-tracks recording via Daily.co REST API.
 
     Both cloud and raw-tracks are started via REST API to bypass enable_recording limitation of allowing only 1 recording at a time.
     Uses different instanceIds for cloud vs raw-tracks (same won't work)
     """
-    if not user and not settings.PUBLIC_MODE:
-        raise HTTPException(status_code=401, detail="Not authenticated")
     meeting = await meetings_controller.get_by_id(meeting_id)
     if not meeting:
         raise HTTPException(status_code=404, detail="Meeting not found")

server/reflector/views/rooms.py

@@ -17,7 +17,6 @@
 from reflector.redis_cache import RedisAsyncLock
 from reflector.schemas.platform import Platform
 from reflector.services.ics_sync import ics_sync_service
-from reflector.settings import settings
 from reflector.utils.url import add_query_param
 from reflector.video_platforms.factory import create_platform_client
 from reflector.worker.webhook import test_webhook
@@ -178,11 +177,10 @@ class CalendarEventResponse(BaseModel):
 
 @router.get("/rooms", response_model=Page[RoomDetails])
 async def rooms_list(
-    user: Annotated[Optional[auth.UserInfo], Depends(auth.current_user_optional)],
+    user: Annotated[
+        Optional[auth.UserInfo], Depends(auth.current_user_optional_if_public_mode)
+    ],
 ) -> list[RoomDetails]:
-    if not user and not settings.PUBLIC_MODE:
-        raise HTTPException(status_code=401, detail="Not authenticated")
-
     user_id = user["sub"] if user else None
 
     paginated = await apaginate(

server/reflector/views/transcripts.py

@@ -263,16 +263,15 @@ class SearchResponse(BaseModel):
 
 @router.get("/transcripts", response_model=Page[GetTranscriptMinimal])
 async def transcripts_list(
-    user: Annotated[Optional[auth.UserInfo], Depends(auth.current_user_optional)],
+    user: Annotated[
+        Optional[auth.UserInfo], Depends(auth.current_user_optional_if_public_mode)
+    ],
     source_kind: SourceKind | None = None,
     room_id: str | None = None,
     search_term: str | None = None,
     change_seq_from: int | None = None,
     sort_by: Literal["created_at", "change_seq"] | None = None,
 ):
-    if not user and not settings.PUBLIC_MODE:
-        raise HTTPException(status_code=401, detail="Not authenticated")
-
     user_id = user["sub"] if user else None
 
     # Default behavior preserved: sort_by=None → "-created_at"
@@ -307,13 +306,10 @@ async def transcripts_search(
     from_datetime: SearchFromDatetimeParam = None,
     to_datetime: SearchToDatetimeParam = None,
     user: Annotated[
-        Optional[auth.UserInfo], Depends(auth.current_user_optional)
+        Optional[auth.UserInfo], Depends(auth.current_user_optional_if_public_mode)
     ] = None,
 ):
     """Full-text search across transcript titles and content."""
-    if not user and not settings.PUBLIC_MODE:
-        raise HTTPException(status_code=401, detail="Not authenticated")
-
     user_id = user["sub"] if user else None
 
     if from_datetime and to_datetime and from_datetime > to_datetime:
@@ -346,11 +342,10 @@ async def transcripts_search(
 @router.post("/transcripts", response_model=GetTranscriptWithParticipants)
 async def transcripts_create(
     info: CreateTranscript,
-    user: Annotated[Optional[auth.UserInfo], Depends(auth.current_user_optional)],
+    user: Annotated[
+        Optional[auth.UserInfo], Depends(auth.current_user_optional_if_public_mode)
+    ],
 ):
-    if not user and not settings.PUBLIC_MODE:
-        raise HTTPException(status_code=401, detail="Not authenticated")
-
     user_id = user["sub"] if user else None
     transcript = await transcripts_controller.add(
         info.name,

server/reflector/views/transcripts_participants.py

@@ -62,8 +62,7 @@ async def transcript_add_participant(
     transcript = await transcripts_controller.get_by_id_for_http(
         transcript_id, user_id=user_id
     )
-    if transcript.user_id is not None and transcript.user_id != user_id:
-        raise HTTPException(status_code=403, detail="Not authorized")
+    transcripts_controller.check_can_mutate(transcript, user_id)
 
     # ensure the speaker is unique
     if participant.speaker is not None and transcript.participants is not None:
@@ -109,8 +108,7 @@ async def transcript_update_participant(
     transcript = await transcripts_controller.get_by_id_for_http(
         transcript_id, user_id=user_id
     )
-    if transcript.user_id is not None and transcript.user_id != user_id:
-        raise HTTPException(status_code=403, detail="Not authorized")
+    transcripts_controller.check_can_mutate(transcript, user_id)
 
     # ensure the speaker is unique
     for p in transcript.participants:
@@ -148,7 +146,6 @@ async def transcript_delete_participant(
     transcript = await transcripts_controller.get_by_id_for_http(
         transcript_id, user_id=user_id
     )
-    if transcript.user_id is not None and transcript.user_id != user_id:
-        raise HTTPException(status_code=403, detail="Not authorized")
+    transcripts_controller.check_can_mutate(transcript, user_id)
     await transcripts_controller.delete_participant(transcript, participant_id)
     return DeletionStatus(status="ok")

server/reflector/views/transcripts_process.py

@@ -15,7 +15,6 @@
     prepare_transcript_processing,
     validate_transcript_for_processing,
 )
-from reflector.settings import settings
 
 router = APIRouter()
 
@@ -27,11 +26,10 @@ class ProcessStatus(BaseModel):
 @router.post("/transcripts/{transcript_id}/process")
 async def transcript_process(
     transcript_id: str,
-    user: Annotated[Optional[auth.UserInfo], Depends(auth.current_user_optional)],
+    user: Annotated[
+        Optional[auth.UserInfo], Depends(auth.current_user_optional_if_public_mode)
+    ],
 ) -> ProcessStatus:
-    if not user and not settings.PUBLIC_MODE:
-        raise HTTPException(status_code=401, detail="Not authenticated")
-
     user_id = user["sub"] if user else None
     transcript = await transcripts_controller.get_by_id_for_http(
         transcript_id, user_id=user_id