Merge pull request #63 from nihar1024/main

fix: update auth checks for stats endpoints

Author: nihar1024

src/deps/auth.py

@@ -73,13 +73,7 @@ def is_superuser(user_token: dict = Depends(user_token), throw_error: bool = Tru
 def clean_path(path: str) -> str:
     return path.replace(settings.API_V2_STR + "/", "")
 
-
-async def auth_z(
-    request: Request,
-    user_token: dict = Depends(user_token),
-    async_session: AsyncSession = Depends(get_db),
-) -> bool:
-
+async def _validate_authorization(request: Request, user_token: dict, async_session: AsyncSession):
     if settings.AUTH is not False:
         try:
             user_id = user_token["sub"]
@@ -107,3 +101,36 @@ async def auth_z(
             raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=str(e))
 
     return True
+
+async def auth_z(
+    request: Request,
+    user_token: dict = Depends(user_token),
+    async_session: AsyncSession = Depends(get_db),
+) -> bool:
+    """
+    Authorization function to check if the user has access to the requested resource.
+    """
+    try:
+        await _validate_authorization(request, user_token, async_session)
+    except Exception as e:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=str(e))
+
+    return True
+
+async def auth_z_lite(request: Request, async_session: AsyncSession):
+    """
+    Authorization function to check if the user has access to the requested resource (without FastAPI dependencies).
+    """
+
+    try:
+        token = request.headers.get("Authorization")
+        if token:
+            token = token.split(" ")[1]
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED, detail="Missing authorization token"
+            )
+        user_token = decode_token(token)
+        return await _validate_authorization(request, user_token, async_session)
+    except Exception as e:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=str(e))

src/endpoints/v2/project.py

@@ -1,7 +1,7 @@
-from typing import List
+from typing import List, Annotated
 from uuid import UUID
 
-from fastapi import APIRouter, Body, Depends, HTTPException, Path, Query, status
+from fastapi import APIRouter, Body, Depends, HTTPException, Path, Query, status, Request
 from fastapi.responses import JSONResponse
 from fastapi_pagination import Page
 from fastapi_pagination import Params as PaginationParams
@@ -18,7 +18,7 @@
 from src.db.models.scenario import Scenario
 from src.db.models.scenario_feature import ScenarioFeature
 from src.db.session import AsyncSession
-from src.deps.auth import auth_z
+from src.deps.auth import auth_z, auth_z_lite
 from src.endpoints.deps import get_db, get_scenario, get_user_id
 from src.schemas.common import OrderEnum
 from src.schemas.error import HTTPErrorHandler
@@ -517,9 +517,9 @@ async def get_chart_data(
     summary="Get aggregated statistics for a column",
     response_model=dict,
     status_code=200,
-    dependencies=[Depends(auth_z)],
 )
 async def get_statistic_aggregation(
+    request: Request,
     async_session: AsyncSession = Depends(get_db),
     project_id: UUID4 = Path(
         ...,
@@ -567,6 +567,18 @@ async def get_statistic_aggregation(
 ):
     """Get aggregated statistics for a numeric column based on the supplied group-by column and CQL-filter."""
 
+    # Check authorization status
+    try:
+        await auth_z_lite(request, async_session)
+    except HTTPException as e:
+        # Check publication status if unauthorized
+        public_project = await crud_project.get_public_project(
+            async_session=async_session,
+            project_id=str(project_id),
+        )
+        if not public_project:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized")
+
     # Ensure an operation or expression is specified
     if operation is None and expression is None:
         raise HTTPException(
@@ -618,9 +630,9 @@ async def get_statistic_aggregation(
     summary="Get histogram statistics for a column",
     response_model=dict,
     status_code=200,
-    dependencies=[Depends(auth_z)],
 )
 async def get_statistic_histogram(
+    request: Request,
     async_session: AsyncSession = Depends(get_db),
     project_id: UUID4 = Path(
         ...,
@@ -655,6 +667,18 @@ async def get_statistic_histogram(
 ):
     """Get histogram statistics for a numeric column based on the specified number of bins and CQL-filter."""
 
+    # Check authorization status
+    try:
+        await auth_z_lite(request, async_session)
+    except HTTPException as e:
+        # Check publication status if unauthorized
+        public_project = await crud_project.get_public_project(
+            async_session=async_session,
+            project_id=str(project_id),
+        )
+        if not public_project:
+            raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Unauthorized")
+
     # Ensure the number of bins is not excessively large
     if num_bins > 100:
         raise HTTPException(