fix(auth): enforce web-session-only access on WebUser dependencies

WebUserRead/WebUserWrite/WebUserOrAnonymous now check is_web_session()
to reject API tokens (PATs, OATs). Previously these depended on
web_read/web_write reserved scopes for this gate, but with those
scopes removed, any token could access web-only endpoints (OAuth
consent, email change, PAT management, etc.).

Also removes web_read/web_write remnants from OrgPolicyGuard defaults
and AuthorizeMembersManage/AuthorizeOrgDelete scope requirements.

Test fixture updated to provide mock UserSession for User subjects
so is_web_session() returns True in tests.

Author: joebon

server/polar/auth/dependencies.py

@@ -20,6 +20,7 @@
     SubjectType,
     User,
     is_anonymous,
+    is_web_session,
 )
 
 oidc_scheme = OpenIdConnect(
@@ -216,16 +217,38 @@ async def __call__(
     )
 
 
-_WebUserOrAnonymous = Authenticator(
+_WebUserOrAnonymousAuth = Authenticator(
     allowed_subjects={Anonymous, User},
     required_scopes=None,
 )
+
+
+async def _web_user_or_anonymous(
+    auth_subject: Annotated[
+        AuthSubject[Anonymous | User], Depends(_WebUserOrAnonymousAuth)
+    ],
+) -> AuthSubject[Anonymous | User]:
+    """Allow anonymous or web-session users. Reject API tokens."""
+    if not is_anonymous(auth_subject) and not is_web_session(auth_subject):
+        raise Unauthorized()
+    return auth_subject
+
+
 WebUserOrAnonymous = Annotated[
-    AuthSubject[Anonymous | User], Depends(_WebUserOrAnonymous)
+    AuthSubject[Anonymous | User], Depends(_web_user_or_anonymous)
 ]
 
-_WebUserRead = Authenticator(allowed_subjects={User}, required_scopes=None)
-WebUserRead = Annotated[AuthSubject[User], Depends(_WebUserRead)]
+_WebUserAuth = Authenticator(allowed_subjects={User}, required_scopes=None)
+
+
+async def _web_user(
+    auth_subject: Annotated[AuthSubject[User], Depends(_WebUserAuth)],
+) -> AuthSubject[User]:
+    """Allow web-session users only. Reject API tokens."""
+    if not is_web_session(auth_subject):
+        raise Unauthorized()
+    return auth_subject
+
 
-_WebUserWrite = Authenticator(allowed_subjects={User}, required_scopes=None)
-WebUserWrite = Annotated[AuthSubject[User], Depends(_WebUserWrite)]
+WebUserRead = Annotated[AuthSubject[User], Depends(_web_user)]
+WebUserWrite = Annotated[AuthSubject[User], Depends(_web_user)]

server/polar/authz/dependencies.py

@@ -67,8 +67,6 @@ def OrgPolicyGuard(
 
     _allowed = allowed_subjects or {User, Organization}
     _scopes = required_scopes or {
-        Scope.web_read,
-        Scope.web_write,
         Scope.organizations_read,
         Scope.organizations_write,
     }
@@ -138,7 +136,7 @@ async def _always_allow(
         OrgPolicyGuard(
             members.can_manage,
             allowed_subjects={User},
-            required_scopes={Scope.web_write, Scope.organizations_write},
+            required_scopes={Scope.organizations_write},
         )
     ),
 ]
@@ -148,7 +146,7 @@ async def _always_allow(
         OrgPolicyGuard(
             org_policy.can_delete,
             allowed_subjects={User},
-            required_scopes={Scope.web_write, Scope.organizations_write},
+            required_scopes={Scope.organizations_write},
         )
     ),
 ]

server/tests/fixtures/auth.py

@@ -98,7 +98,19 @@ def auth_subject(
         )
         subjects_map["member_billing_manager"] = member_billing_manager
 
-    return AuthSubject(subjects_map[subject_key], auth_subject_fixture.scopes, None)
+    subject = subjects_map[subject_key]
+
+    # For User subjects, provide a mock UserSession so is_web_session() returns True.
+    # This matches real web session behavior where all User sessions are UserSessions.
+    session: Any = None
+    if isinstance(subject, User):
+        from unittest.mock import MagicMock
+
+        from polar.models import UserSession
+
+        session = MagicMock(spec=UserSession)
+
+    return AuthSubject(subject, auth_subject_fixture.scopes, session)
 
 
 def pytest_generate_tests(metafunc: pytest.Metafunc) -> None: