Add config.api_authenticate hook for custom API auth#42
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e1200c556f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| # The type of actor making the API call (for polymorphic associations). | ||
| def api_author_type | ||
| @api_token ? ApiToken::HOLDER_TYPE : "CoPlan::User" |
There was a problem hiding this comment.
When config.api_authenticate is enabled, api_author_type returns "CoPlan::User", but API writes this value into Comment.author_type and PlanVersion.actor_type (comments_controller and operations_controller). Those fields are validated against enum constants that only allow human/local_agent/cloud_persona/system (engine/app/models/coplan/comment.rb and engine/app/models/coplan/plan_version.rb), so hook-authenticated requests will fail to create comments (422) and can fail version commits with RecordInvalid (500), effectively breaking core API editing flows for the new auth mode.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Good catch! Fixed — api_author_type now returns "human" for hook auth instead of "CoPlan::User". This matches the valid enum values in Comment, PlanVersion, and EditSession.
HamptonMakes
force-pushed
the
hampton/api-authenticate-hook
branch
2 times, most recently
from
34baa4e to
8499fa0
Compare
Allows host apps to replace Bearer token authentication with their own auth mechanism (e.g., Trogdor mTLS at Square). The hook follows the same pattern as config.authenticate — receives a request, returns user attrs with :external_id, and auto-provisions users. When api_authenticate is set, the API controllers use it instead of Bearer tokens. When unset, Bearer token auth remains the default. Introduces api_actor_id and api_author_type helpers in BaseController so child controllers don't reference @api_token directly. Co-authored-by: Amp <amp@ampcode.com> Amp-Thread-ID: https://ampcode.com/threads/T-019cd872-3abe-7556-8927-9966fe044b6c
HamptonMakes
force-pushed
the
hampton/api-authenticate-hook
branch
from
8499fa0 to
ff2c348
Compare
1 participant
Problem
The API controllers only support Bearer token authentication. Host apps like coplan-square that have their own auth infrastructure (e.g., Trogdor mTLS) need a way to use it for API calls too — so agents can use
sq curlinstead of managing separate API tokens.Solution
Add
config.api_authenticate— a hook that follows the same pattern asconfig.authenticate:When set, API controllers use the hook and auto-provision users (same
find_or_initialize_bypattern as the web auth). When unset, Bearer token auth remains the default.Changes
Configuration: Addedapi_authenticateaccessorApi::V1::BaseController: Newauthenticate_api!dispatches to hook or token auth. Addedapi_actor_idandapi_author_typehelpers so child controllers don't reference@api_tokendirectly.@api_token.id/ApiToken::HOLDER_TYPEreferences with the new helpers.Test results
All 389 specs passing — existing Bearer token tests still pass (hook is nil by default).