Fix authentication event loop corruption by converting get_current_user to async

The get_current_user() function was using asyncio.run() within FastAPI's async context,
which creates a new event loop and causes "Event loop is closed" errors. This led to
intermittent authentication failures where requests would alternate between success (200)
and failure (500).

Changes:
- Convert get_current_user() from sync to async function
- Replace asyncio.run(verify_token()) with await verify_token()
- Update require_scope() and require_role() dependency functions to be async
- Fix all related test cases to use await when calling these functions

This resolves the issue where tool calls to the memory server would intermittently fail
with 500 errors during token verification.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: abrookins

agent_memory_server/auth.py

@@ -346,7 +346,7 @@ async def verify_token(token: str) -> UserInfo:
         ) from e
 
 
-def get_current_user(
+async def get_current_user(
     credentials: HTTPAuthorizationCredentials | None = Depends(oauth2_scheme),
 ) -> UserInfo:
     if settings.disable_auth or settings.auth_mode == "disabled":
@@ -371,17 +371,15 @@ def get_current_user(
 
     # Determine authentication mode
     if settings.auth_mode == "token" or settings.token_auth_enabled:
-        import asyncio
-
-        return asyncio.run(verify_token(credentials.credentials))
+        return await verify_token(credentials.credentials)
     if settings.auth_mode == "oauth2":
         return verify_jwt(credentials.credentials)
     # Default to OAuth2 for backward compatibility
     return verify_jwt(credentials.credentials)
 
 
 def require_scope(required_scope: str):
-    def scope_dependency(user: UserInfo = Depends(get_current_user)) -> UserInfo:
+    async def scope_dependency(user: UserInfo = Depends(get_current_user)) -> UserInfo:
         if settings.disable_auth:
             return user
 
@@ -397,7 +395,7 @@ def scope_dependency(user: UserInfo = Depends(get_current_user)) -> UserInfo:
 
 
 def require_role(required_role: str):
-    def role_dependency(user: UserInfo = Depends(get_current_user)) -> UserInfo:
+    async def role_dependency(user: UserInfo = Depends(get_current_user)) -> UserInfo:
         if settings.disable_auth:
             return user
 

tests/test_auth.py

@@ -685,7 +685,7 @@ async def test_get_current_user_disabled_auth(self, mock_settings):
         """Test get_current_user when authentication is disabled"""
         mock_settings.disable_auth = True
 
-        result = get_current_user(None)
+        result = await get_current_user(None)
 
         assert isinstance(result, UserInfo)
         assert result.sub == "local-dev-user"
@@ -700,7 +700,7 @@ async def test_get_current_user_missing_credentials(self, mock_settings):
         mock_settings.auth_mode = "oauth2"
 
         with pytest.raises(HTTPException) as exc_info:
-            get_current_user(None)
+            await get_current_user(None)
 
         assert exc_info.value.status_code == status.HTTP_401_UNAUTHORIZED
         assert "Missing authorization header" in str(exc_info.value.detail)
@@ -717,7 +717,7 @@ async def test_get_current_user_empty_credentials(self, mock_settings):
         empty_creds = HTTPAuthorizationCredentials(scheme="Bearer", credentials="")
 
         with pytest.raises(HTTPException) as exc_info:
-            get_current_user(empty_creds)
+            await get_current_user(empty_creds)
 
         assert exc_info.value.status_code == status.HTTP_401_UNAUTHORIZED
         assert "Missing bearer token" in str(exc_info.value.detail)
@@ -736,7 +736,7 @@ async def test_get_current_user_valid_token(self, mock_settings, valid_token):
             expected_user = UserInfo(sub="test-user", email="[email protected]")
             mock_verify.return_value = expected_user
 
-            result = get_current_user(creds)
+            result = await get_current_user(creds)
 
             assert result == expected_user
             mock_verify.assert_called_once_with(valid_token)
@@ -753,7 +753,7 @@ async def test_require_scope_success(self, mock_settings):
         user = UserInfo(sub="test-user", scope="read write admin")
         scope_dependency = require_scope("read")
 
-        result = scope_dependency(user)
+        result = await scope_dependency(user)
         assert result == user
 
     @pytest.mark.asyncio
@@ -765,7 +765,7 @@ async def test_require_scope_failure(self, mock_settings):
         scope_dependency = require_scope("admin")
 
         with pytest.raises(HTTPException) as exc_info:
-            scope_dependency(user)
+            await scope_dependency(user)
 
         assert exc_info.value.status_code == status.HTTP_403_FORBIDDEN
         assert "Insufficient permissions" in str(exc_info.value.detail)
@@ -780,7 +780,7 @@ async def test_require_scope_no_scope(self, mock_settings):
         scope_dependency = require_scope("read")
 
         with pytest.raises(HTTPException) as exc_info:
-            scope_dependency(user)
+            await scope_dependency(user)
 
         assert exc_info.value.status_code == status.HTTP_403_FORBIDDEN
 
@@ -792,7 +792,7 @@ async def test_require_scope_disabled_auth(self, mock_settings):
         user = UserInfo(sub="test-user", scope=None)
         scope_dependency = require_scope("admin")
 
-        result = scope_dependency(user)
+        result = await scope_dependency(user)
         assert result == user
 
     @pytest.mark.asyncio
@@ -803,7 +803,7 @@ async def test_require_role_success(self, mock_settings):
         user = UserInfo(sub="test-user", roles=["user", "admin"])
         role_dependency = require_role("admin")
 
-        result = role_dependency(user)
+        result = await role_dependency(user)
         assert result == user
 
     @pytest.mark.asyncio
@@ -815,7 +815,7 @@ async def test_require_role_failure(self, mock_settings):
         role_dependency = require_role("admin")
 
         with pytest.raises(HTTPException) as exc_info:
-            role_dependency(user)
+            await role_dependency(user)
 
         assert exc_info.value.status_code == status.HTTP_403_FORBIDDEN
         assert "Insufficient permissions" in str(exc_info.value.detail)
@@ -830,7 +830,7 @@ async def test_require_role_no_roles(self, mock_settings):
         role_dependency = require_role("admin")
 
         with pytest.raises(HTTPException) as exc_info:
-            role_dependency(user)
+            await role_dependency(user)
 
         assert exc_info.value.status_code == status.HTTP_403_FORBIDDEN
 
@@ -842,7 +842,7 @@ async def test_require_role_disabled_auth(self, mock_settings):
         user = UserInfo(sub="test-user", roles=None)
         role_dependency = require_role("admin")
 
-        result = role_dependency(user)
+        result = await role_dependency(user)
         assert result == user
 
 

tests/test_token_auth.py

@@ -189,59 +189,62 @@ async def test_verify_token_wrong_token(self, mock_redis, sample_token_info):
 class TestGetCurrentUser:
     """Test get_current_user with token authentication."""
 
-    def test_get_current_user_disabled_auth(self, mock_settings):
+    @pytest.mark.asyncio
+    async def test_get_current_user_disabled_auth(self, mock_settings):
         """Test get_current_user with disabled authentication."""
         mock_settings.disable_auth = True
         mock_settings.auth_mode = "disabled"
 
-        user_info = get_current_user(None)
+        user_info = await get_current_user(None)
 
         assert user_info.sub == "local-dev-user"
         assert user_info.aud == "local-dev"
 
-    def test_get_current_user_missing_credentials(self, mock_settings):
+    @pytest.mark.asyncio
+    async def test_get_current_user_missing_credentials(self, mock_settings):
         """Test get_current_user with missing credentials."""
         mock_settings.disable_auth = False
         mock_settings.auth_mode = "token"
 
         with pytest.raises(HTTPException) as exc_info:
-            get_current_user(None)
+            await get_current_user(None)
 
         assert exc_info.value.status_code == status.HTTP_401_UNAUTHORIZED
         assert "Missing authorization header" in exc_info.value.detail
 
-    def test_get_current_user_missing_token(self, mock_settings):
+    @pytest.mark.asyncio
+    async def test_get_current_user_missing_token(self, mock_settings):
         """Test get_current_user with missing token."""
         mock_settings.disable_auth = False
         mock_settings.auth_mode = "token"
 
         credentials = HTTPAuthorizationCredentials(scheme="Bearer", credentials="")
 
         with pytest.raises(HTTPException) as exc_info:
-            get_current_user(credentials)
+            await get_current_user(credentials)
 
         assert exc_info.value.status_code == status.HTTP_401_UNAUTHORIZED
         assert "Missing bearer token" in exc_info.value.detail
 
     @patch("agent_memory_server.auth.verify_token")
-    def test_get_current_user_token_auth(self, mock_verify_token, mock_settings):
+    @pytest.mark.asyncio
+    async def test_get_current_user_token_auth(self, mock_verify_token, mock_settings):
         """Test get_current_user with token authentication."""
         mock_settings.disable_auth = False
         mock_settings.auth_mode = "token"
 
         # Mock verify_token to return a user
         mock_user = Mock()
         mock_user.sub = "token-user"
+        mock_verify_token.return_value = mock_user
 
-        # Mock asyncio.run to return the user directly
-        with patch("asyncio.run", return_value=mock_user):
-            credentials = HTTPAuthorizationCredentials(
-                scheme="Bearer", credentials="test_token"
-            )
+        credentials = HTTPAuthorizationCredentials(
+            scheme="Bearer", credentials="test_token"
+        )
 
-            user_info = get_current_user(credentials)
+        user_info = await get_current_user(credentials)
 
-            assert user_info.sub == "token-user"
+        assert user_info.sub == "token-user"
 
 
 class TestAuthConfig: