Restore JSON auth for test_instances#search (mesa_test API path) #91
Merged
The JSON variants of #search and #search_count are the API path that mesa_test (and any other CLI client) hits to read past test instances. They authenticate per-request via email + password params inside the `authenticated?` helper — no browser session involved. Commit b8542bc (Sep 2025), which added a global authorize_user before_action to ApplicationController to reduce anonymous browse traffic, exempted login/sessions, GitHub webhooks, the submissions API, and computer auth — but missed this controller. Every external JSON caller has been getting silently 302'd to /login since then. The action-level email/password auth code went dead because the filter chain redirected before the action body ever ran. Skip the global filter for both JSON endpoints. Re-impose login for the HTML search page via a small `gate_html_search_to_authenticated_users` before_action so b8542bc's intent (gated browse) is preserved. The conditional `if: -> { request.format.json? }` form of skip_before_action would have been the natural shape here, but the lambda doesn't seem to be consulted consistently in Rails 8 — the explicit method-based gate works and is easy to read. New spec/requests/test_instances_search_auth_spec.rb pins the behaviour: HTML anonymous → 302 to /login; JSON without creds → 422 JSON error (not a redirect); JSON with valid email/password → 200 results; JSON with valid session → 200 results; search_count JSON behaves the same way.
What broke
Commit b8542bc (Sep 15, 2025) — "Restrict most pages to logged-in users to reduce traffic" — added a global `authorize_user` before_action to `ApplicationController` with a curated list of `skip_before_action` exemptions. The list covered login/sessions, GitHub webhooks, the submissions API, and computer auth, but missed `TestInstancesController#search` and `#search_count`, which had their own action-level email/password auth (added by 6112b7f back in 2019).

The result: since September 2025, every JSON call to `/test_instances/search.json` and `/test_instances/search_count.json` from `mesa_test` (or any other CLI client) has been silently 302'd to `/login` instead of authenticating with the supplied email/password and returning results. The action-level `authenticated?` helper became dead code.

What this PR does

- Skips `authorize_user` for both JSON endpoints on `TestInstancesController`. The action body still enforces auth via the existing `authenticated?` helper (session-first, falling back to `email` + `password` params).
- Re-imposes login for the HTML search page via a `gate_html_search_to_authenticated_users` before_action, so b8542bc's intent ("reduce anonymous browse traffic") is preserved for the browser path.
- Why not `skip_before_action :authorize_user, only: [:search], if: -> { request.format.json? }`? Tried it — the lambda doesn't appear to be consulted consistently on `skip_before_action` in Rails 8 (the HTML path bypassed `authorize_user` even with `if: format.json?`). The explicit method-based gate is easier to reason about anyway.

Test plan

`spec/requests/test_instances_search_auth_spec.rb` — 8 examples pinning every cell of the auth matrix:

- HTML anonymous → 302 to `/login`
- `search_count.json` same shape (anonymous → 422 error; with creds → 200 count)

Severity
External clients have been broken for ~8 months. This should merge ahead of #90 (the branch-filter + SHA-fix work, which sits cleanly on top of this fix).
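A plain-Ruby model of the filter-chain behaviour this PR describes, added here as an illustration and not code from the repository the PR belongs to. `USERS`, `Request`, `SearchController`, `dispatch` and the two chain constants are constructed stand-ins, and only `#search` is modelled (`#search_count` follows the same shape); it shows why a global `authorize_user` halts a JSON caller before the action's own email/password check runs, and how the skip plus HTML-only gate restores the auth matrix from the test plan.

```ruby
# Added illustration, not the repository's code: a plain-Ruby model of a Rails-style
# before_action chain. It shows why a global authorize_user filter halts JSON API
# callers before the action's own email/password check runs, and how the PR's fix
# (skip it for the JSON endpoints, add an HTML-only gate) restores the auth matrix.
# USERS, Request, SearchController and dispatch are constructed, hypothetical names.
USERS = { 'alice@example.com' => 'correct-horse' }.freeze
Request = Struct.new(:format, :session_user, :email, :password, keyword_init: true)

class SearchController
  def initialize(request)
    @request = request
  end
  # As the PR describes authenticated?: session first, then email+password params.
  def authenticated?
    return true if @request.session_user
    !@request.email.nil? && USERS[@request.email] == @request.password
  end
  # Global ApplicationController filter: it knows only the browser session, so a
  # CLI client sending email/password params is redirected before #search runs.
  def authorize_user
    [302, { 'Location' => '/login' }] unless @request.session_user
  end
  # Explicit HTML-only gate from the PR; JSON requests pass through untouched.
  def gate_html_search_to_authenticated_users
    [302, { 'Location' => '/login' }] if @request.format != :json && !@request.session_user
  end
  # The action body's own check, reachable only if no filter halted the chain.
  def search
    return [422, { 'error' => 'authentication failed' }] unless authenticated?
    [200, { 'results' => [] }]
  end
end

BROKEN_CHAIN = [:authorize_user].freeze                          # state after b8542bc
FIXED_CHAIN  = [:gate_html_search_to_authenticated_users].freeze # authorize_user skipped

# Runs filters in order; as in Rails, the first one that redirects or renders halts
# the chain and the action never executes. Returns [status, body].
def dispatch(request, chain)
  ctrl = SearchController.new(request)
  chain.each do |filter|
    halted = ctrl.public_send(filter)
    return halted if halted
  end
  ctrl.search
end

# HTTP status for one cell of the matrix, e.g. status_for(FIXED_CHAIN, format: :json).
def status_for(chain, **req)
  dispatch(Request.new(**req), chain).first
end
```

With `BROKEN_CHAIN`, a JSON request carrying valid credentials still gets 302 because `authorize_user` never consults the params; with `FIXED_CHAIN` the same request reaches `#search` and gets 200, while anonymous HTML is still redirected.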