Skip to content

refactor(auth): remove redundant authentication checks #270

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 5, 2025
Merged

refactor(auth): remove redundant authentication checks #270

merged 1 commit into from
Sep 5, 2025

Conversation

shobhan-sundar-goutam
Copy link
Contributor

@shobhan-sundar-goutam shobhan-sundar-goutam commented Sep 2, 2025
edited by Achintya-Chatterjee
Loading

Date: 03/08/2025

Developer Name: Shobhan Sundar Goutam (@shobhan-sundar-goutam)

Issue Ticket Number

Description

This PR removes redundant authentication checks (e.g., if not user: raise AuthenticationFailed(...)). Authentication is now solely handled by the JWT middleware, which correctly returns 401 errors for unauthenticated requests.

Summary

Documentation Updated?

  • Yes
  • No

Under Feature Flag

  • Yes
  • No

Database Changes

  • Yes
  • No

Breaking Changes

  • Yes
  • No

Development Tested?

  • Yes
  • No

Screenshots

Screenshot 1
  • With token:
Screenshot 2025-09-03 at 1 58 56 AM
  • Without token:
Screenshot 2025-09-03 at 2 00 09 AM

Test Coverage

Screenshot 1 Screenshot 2025-09-03 at 2 02 41 AM

Additional Notes

Description by Korbit AI

What change is being made?

Remove redundant authentication checks and simplify user role assignments by replacing RoleName constants with direct string values for role names.

Why are these changes being made?

The redundant authentication checks within the task.py and task_assignment.py views were removed to streamline request processing, as request.user_id is already set by the middleware. Additionally, simplifying role assignment by using string values instead of constants reduces complexity and increases code readability. These adjustments help in reducing unnecessary code logic while maintaining functionality.

Is this description stale? Ask me to generate a new description by commenting /korbit-generate-pr-description

@shobhan-sundar-goutam shobhan-sundar-goutam self-assigned this Sep 2, 2025
@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Sep 2, 2025
edited
Loading

Summary by CodeRabbit

  • Bug Fixes

    • Resolved intermittent authentication errors when listing, creating, updating, deferring, assigning, or deleting tasks and task assignments.
    • Improved accuracy and consistency of audit logs for SPOC-related actions.

  • Refactor

    • Streamlined user context handling across task and assignment endpoints for greater reliability and consistency.
    • Reduced latency in common task operations through simplified request processing.

Walkthrough

Replaced user lookups via get_current_user_info and AuthenticationFailed checks with direct use of request.user_id across task and task-assignment views. Updated all service/DTO calls to pass user_id=request.user_id. No public API signatures changed.

Changes

Cohort / File(s) Summary
Task Views
todo/views/task.py		 Removed get_current_user_info and AuthenticationFailed usage; rely on request.user_id for TaskListView, creation, deletion, defer, updates, and assignment paths; pass request.user_id to TaskService/DTOs.
Task Assignment Views
todo/views/task_assignment.py		 Removed auth retrieval and AuthenticationFailed; use request.user_id for create/update/delete assignment flows, SPOC checks, and audit fields; updated logs accordingly.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Client
    participant JWT as JWT Middleware
    participant TLV as TaskListView
    participant TS as TaskService

    Client->>JWT: Request /v1/tasks
    JWT-->>Client: 401 if unauthenticated
    JWT->>TLV: Forward request with request.user_id
    TLV->>TS: listTasks(user_id=request.user_id)
    TS-->>TLV: Tasks
    TLV-->>Client: 200 OK (Tasks)

    rect rgba(200, 230, 255, 0.3)
    note over TLV: No get_current_user_info()<br/>No AuthenticationFailed in view
    end
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Assessment against linked issues

Objective Addressed Explanation
Remove redundant auth check in TaskListView.get and rely on middleware (#232)

Assessment against linked issues: Out-of-scope changes

Code Change Explanation
Replace user context with request.user_id across create/update/delete/defer task endpoints (todo/views/task.py) Issue #232 targets only removing redundant auth check in TaskListView.get; broader refactors in other methods are not specified.
Switch to request.user_id in AssignTaskToUserView.patch and related assignment flows (todo/views/task.py) Assignment flow changes are not part of the stated objective.
Replace user["user_id"] with request.user_id across task-assignment endpoints, including SPOC validation and audit fields (todo/views/task_assignment.py) Changes in task-assignment views are outside the scope of TaskListView.get auth check removal.

Possibly related PRs

Suggested reviewers

  • iamitprakash
  • Hariom01010

Poem

I hop through views with tidy cheer,
No extra checks, the path is clear.
JWT guards the garden gate,
request.user_id seals our fate.
Tasks align, assignments glide—
Fewer footprints, neater stride.
Thump-thump! Clean code, rabbit pride.

✨ Finishing Touches
  • 📝 Generate Docstrings
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch refactor/remove-redundant-auth-checks

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

  • Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

  • Visit our Status Page to check the current availability of CodeRabbit.
  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

korbit-ai[bot]
korbit-ai bot reviewed Sep 2, 2025
View reviewed changes
Copy link

@korbit-ai korbit-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've completed my review and didn't find any issues... but I did find this shark.

                (`.
                 \ `.
                  )  `._..---._
\`.       __...---`         o  )
 \ `._,--'           ,    ___,'
  ) ,-._          \  )   _,-'
 /,'    ``--.._____\/--''
Files scanned
File Path Reviewed
todo/views/task_assignment.py
todo/views/task.py

Explore our documentation to understand the languages and file types we support and the files we ignore.

Check out our docs on how you can make Korbit work best for you and your team.

Loving Korbit!? Share us on LinkedIn Reddit and X

coderabbitai[bot]
coderabbitai bot reviewed Sep 2, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (4)
todo/views/task_assignment.py (1)

241-253: Wrap spoc_id in PyObjectId
Replace the raw request.user_id with PyObjectId(request.user_id) to match AuditLogModel.spoc_id: PyObjectId | None. Ensure you add

from todo.models.common.pyobjectid import PyObjectId

and update:

-    spoc_id=request.user_id,
+    spoc_id=PyObjectId(request.user_id),
todo/views/task.py (3)

79-98: Duplicate profile branch causes dead/unreachable code.

The second if query.validated_data["profile"]: is redundant and never reached.

Apply this diff to remove duplication and keep the richer response formatting:

         if query.validated_data["profile"]:
             status_filter = query.validated_data.get("status", "").upper()
             response = TaskService.get_tasks_for_user(
                 user_id=request.user_id,
                 page=query.validated_data["page"],
                 limit=query.validated_data["limit"],
                 status_filter=status_filter,
             )
-            return Response(data=response.model_dump(mode="json"), status=status.HTTP_200_OK)
-
-        if query.validated_data["profile"]:
-            response = TaskService.get_tasks_for_user(
-                user_id=request.user_id,
-                page=query.validated_data["page"],
-                limit=query.validated_data["limit"],
-            )
-            return Response(
-                data=response.model_dump(mode="json", exclude_none=True),
-                status=status.HTTP_200_OK,
-            )
+            return Response(
+                data=response.model_dump(mode="json", exclude_none=True),
+                status=status.HTTP_200_OK,
+            )

100-111: Normalize status in non-profile path for parity.

You uppercased status only in the profile path; apply same normalization here to avoid case-sensitive mismatches.

Apply:

-        status_filter = query.validated_data.get("status")
+        status_filter = (query.validated_data.get("status") or "").upper() or None

141-146: Map Pydantic validation errors to 400 instead of 500 when createdBy is invalid.

CreateTaskDTO will raise Pydantic ValidationError (e.g., invalid ObjectId). Current code turns that into a 500.

Apply this diff and import alias:

@@
-        try:
-            dto = CreateTaskDTO(**serializer.validated_data, createdBy=request.user_id)
+        try:
+            dto = CreateTaskDTO(**serializer.validated_data, createdBy=request.user_id)
             response: CreateTaskResponse = TaskService.create_task(dto)
@@
-        except ValueError as e:
+        except PydanticValidationError as e:
+            error_response = ApiErrorResponse(
+                statusCode=400,
+                message=ApiErrors.VALIDATION_ERROR,
+                errors=[{"detail": str(e)}],
+            )
+            return Response(
+                data=error_response.model_dump(mode="json"),
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        except ValueError as e:
             if isinstance(e.args[0], ApiErrorResponse):
                 error_response = e.args[0]
                 return Response(
                     data=error_response.model_dump(mode="json"),
                     status=error_response.statusCode,
                 )

Add near imports:

+from pydantic import ValidationError as PydanticValidationError
📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e72fb99 and 8c34fe6.

📒 Files selected for processing (2)
  • todo/views/task.py (9 hunks)
  • todo/views/task_assignment.py (5 hunks)
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings 
Learnt from: Achintya-Chatterjee
PR: Real-Dev-Squad/todo-backend#52
File: todo/views/task.py:106-106
Timestamp: 2025-05-29T21:36:27.694Z
Learning: Issue #26 in the Real-Dev-Squad/todo-backend repository comprehensively tracks user authentication implementation including registration, login, JWT tokens, and making task APIs require authentication. This covers replacing hardcoded user ID placeholders like "system_patch_user" with actual user ID extraction from authenticated requests.

Learnt from: Achintya-Chatterjee
PR: Real-Dev-Squad/todo-backend#52
File: todo/views/task.py:106-106
Timestamp: 2025-05-29T21:36:27.694Z
Learning: Issue #26 tracks the implementation of user authentication in the todo-backend project, which includes extracting user ID from request context to replace hardcoded placeholders like "system_patch_user" in todo/views/task.py.
📚 Learning: 2025-05-29T21:36:27.694Z 
Learnt from: Achintya-Chatterjee
PR: Real-Dev-Squad/todo-backend#52
File: todo/views/task.py:106-106
Timestamp: 2025-05-29T21:36:27.694Z
Learning: Issue #26 tracks the implementation of user authentication in the todo-backend project, which includes extracting user ID from request context to replace hardcoded placeholders like "system_patch_user" in todo/views/task.py.

Applied to files:

  • todo/views/task.py
  • todo/views/task_assignment.py
📚 Learning: 2025-05-29T21:36:27.694Z 
Learnt from: Achintya-Chatterjee
PR: Real-Dev-Squad/todo-backend#52
File: todo/views/task.py:106-106
Timestamp: 2025-05-29T21:36:27.694Z
Learning: Issue #26 in the Real-Dev-Squad/todo-backend repository comprehensively tracks user authentication implementation including registration, login, JWT tokens, and making task APIs require authentication. This covers replacing hardcoded user ID placeholders like "system_patch_user" with actual user ID extraction from authenticated requests.

Applied to files:

  • todo/views/task.py
  • todo/views/task_assignment.py
🧬 Code graph analysis (2)
todo/views/task.py (4)
todo/services/task_service.py (2)
  • get_tasks_for_user (687-700)
  • delete_task (680-684)
todo/repositories/task_repository.py (1)
  • get_tasks_for_user (353-361)
todo/dto/task_dto.py (1)
  • CreateTaskDTO (37-63)
todo/services/task_assignment_service.py (2)
  • TaskAssignmentService (18-152)
  • create_task_assignment (20-112)
todo/views/task_assignment.py (2)
todo/services/task_assignment_service.py (3)
  • TaskAssignmentService (18-152)
  • create_task_assignment (20-112)
  • delete_task_assignment (148-152)
todo/repositories/team_repository.py (2)
  • TeamRepository (11-123)
  • is_user_spoc (108-115)
🔇 Additional comments (5)
todo/views/task_assignment.py (4)

60-60: Confirm request.user_id is always present and a valid ObjectId string.

If middleware/permissions don’t run, this will raise AttributeError or fail downstream validations.

Would you like a small guard/mixin to enforce/annotate request.user_id on all auth’d views?

197-200: LGTM: SPOC check now uses request.user_id.

This correctly delegates auth to middleware and enforces SPOC authorization here.

217-218: Verify repository update semantics when switching team → user assignment.

Ensure update_assignment(task_id, executor_id, "user", request.user_id):

  • Sets assignee_id=executor_id,
  • Switches user_type to "user",
  • Preserves/updates updated_by and updated_at.

I can generate a quick repository-level check script if helpful.

289-289: LGTM: propagate request.user_id to delete.

Consistent with the service contract and auditability.

todo/views/task.py (1)

82-86: LGTM: request.user_id plumbed through all task operations.

Consistent with JWT middleware responsibility and service contracts.

Please confirm all these views run behind authentication/permission classes so request.user_id is guaranteed (e.g., global DEFAULT_PERMISSION_CLASSES or per-view IsAuthenticated).

Also applies to: 107-110, 285-286, 295-296, 339-340, 426-427

@prakashchoudhary07 prakashchoudhary07 merged commit 50931bd into develop Sep 5, 2025
4 checks passed
@prakashchoudhary07 prakashchoudhary07 deleted the refactor/remove-redundant-auth-checks branch September 5, 2025 05:20
@shobhan-sundar-goutam shobhan-sundar-goutam mentioned this pull request Sep 5, 2025
Merged
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@prakashchoudhary07 prakashchoudhary07 prakashchoudhary07 approved these changes

@Achintya-Chatterjee Achintya-Chatterjee Achintya-Chatterjee approved these changes

@Hariom01010 Hariom01010 Hariom01010 approved these changes

+1 more reviewer

@korbit-ai korbit-ai[bot] korbit-ai[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@shobhan-sundar-goutam shobhan-sundar-goutam

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

chore: Remove redundant authentication check in TaskListView

4 participants

@shobhan-sundar-goutam @prakashchoudhary07 @Achintya-Chatterjee @Hariom01010