Fix OIDC token instrospection redis_instance args

Author: davinotdavid

backend/src/appointment/dependencies/auth.py

@@ -5,6 +5,7 @@
 
 import sentry_sdk
 from fastapi import Depends, Body, Request, HTTPException
+from fastapi.params import Depends as DependsClass
 from fastapi.security import OAuth2PasswordBearer
 import jwt
 
@@ -127,6 +128,12 @@ def get_subscriber(
     if token is None:
         raise InvalidTokenException()
 
+    # When this method is called directly (not through FastAPI DI), redis_instance will be
+    # the Depends object itself rather than the resolved value, so assigning it to None will
+    # make it call the OIDC introspect endpoint in that case (no caching)
+    if isinstance(redis_instance, DependsClass):
+        redis_instance = None
+
     if AuthScheme.is_oidc():
         user = get_user_from_oidc_token_introspection(db, token, redis_instance)
     else:
@@ -149,20 +156,22 @@ def get_subscriber(
 async def get_subscriber_from_onetime_token(
     request: Request,
     db: Session = Depends(get_db),
+    redis_instance=Depends(get_redis),
 ):
     """Retrieve the subscriber via a one-time token only!"""
     token: str = await oauth2_scheme(request)
-    return get_subscriber(request, token, db, require_jti=True)
+    return get_subscriber(request, token, db, redis_instance, require_jti=True)
 
 
 async def get_subscriber_or_none(
     request: Request,
     db: Session = Depends(get_db),
+    redis_instance=Depends(get_redis),
 ):
     """Retrieve the subscriber or return None. This does not automatically error out like the other deps"""
     try:
         token: str = await oauth2_scheme(request)
-        subscriber = get_subscriber(request, token, db)
+        subscriber = get_subscriber(request, token, db, redis_instance)
     except InvalidTokenException:
         return None
     except HTTPException:

backend/test/unit/test_auth_dependency.py

@@ -6,6 +6,7 @@
 import pytest
 from freezegun import freeze_time
 from unittest import mock
+from fastapi.params import Depends as DependsClass
 
 
 from appointment.controller.auth import signed_url_by_subscriber
@@ -167,6 +168,44 @@ def test_get_subscriber_with_invalid_token(self, with_db, with_l10n, make_pro_su
                 # Use a nonsense value, like the subscriber id!
                 get_subscriber(request, subscriber.id, db)
 
+    def test_get_subscriber_handles_depends_object_for_redis(
+        self, with_db, with_l10n, make_pro_subscriber, make_external_connections, monkeypatch
+    ):
+        """Test that get_subscriber gracefully handles when redis_instance is a Depends object."""
+
+        saved_scheme = os.environ.get('AUTH_SCHEME', 'password')
+        os.environ['AUTH_SCHEME'] = 'oidc'
+
+        try:
+            subscriber = make_pro_subscriber()
+            oidc_id = uuid.uuid4().hex
+            access_token = uuid.uuid4().hex
+
+            make_external_connections(
+                subscriber_id=subscriber.id, type_id=oidc_id, type=ExternalConnectionType.oidc
+            )
+
+            request = mock.MagicMock()
+
+            with patch('appointment.controller.apis.oidc_client.OIDCClient.introspect_token') as introspect_mock:
+                introspect_mock.return_value = {
+                    'sub': oidc_id,
+                    'username': subscriber.username,
+                    'email': subscriber.email,
+                }
+
+                with with_db() as db:
+                    # Pass a Depends object as redis_instance (simulating direct call without DI resolution)
+                    depends_obj = DependsClass(lambda: None)
+                    retrieved_subscriber = get_subscriber(request, access_token, db, depends_obj)
+
+                    # Should succeed by treating Depends as None and falling back to OIDC introspection
+                    assert retrieved_subscriber is not None
+                    assert retrieved_subscriber.id == subscriber.id
+                    introspect_mock.assert_called_once_with(access_token)
+        finally:
+            os.environ['AUTH_SCHEME'] = saved_scheme
+
     def test_get_admin_subscriber(self, with_db, with_l10n, make_pro_subscriber):
         subscriber = make_pro_subscriber()
         access_token = create_access_token(data={'sub': f'uid-{subscriber.id}'})