fix: use BYPASSRLS session for all auth deps and user-mutation endpoints

Phase 4 enabled RLS on the users table. All code paths that touch users (or other RLS-protected tables) before require_tenant_context sets app.current_account_id must use get_admin_db (BYPASSRLS): - deps.py: get_current_user and get_current_active_user → get_admin_db - auth.py: all endpoints → get_admin_db (login, register, refresh, etc. run before tenant context exists; mutation endpoints also need session consistency since current_user is in the admin session) - accounts.py: transfer_ownership, leave_account, delete_account → get_admin_db (these mutate current_user directly) - onboarding.py: dismiss_onboarding → get_admin_db (same reason) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-12 03:25:18 +00:00
parent 501442e5f0
commit 3ff886363c
4 changed files with 32 additions and 22 deletions
--- a/backend/app/api/endpoints/auth.py
+++ b/backend/app/api/endpoints/auth.py
@@ -8,7 +8,7 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, update as sa_update
 from app.core.config import settings
 from app.core.settings_manager import SettingsManager
-from app.core.database import get_db
+from app.core.admin_database import get_admin_db
 from app.core.rate_limit import limiter
 from app.core.security import (
    verify_password,
@@ -67,7 +67,7 @@ def _generate_display_code() -> str:
 async def register(
    request: Request,
    user_data: UserCreate,
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Register a new user.

@@ -232,7 +232,7 @@ async def register(
 async def login(
    request: Request,
    form_data: Annotated[OAuth2PasswordRequestForm, Depends()],
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Login and get access token."""
    # Find user by email
@@ -270,7 +270,7 @@ async def login(
 async def login_json(
    request: Request,
    credentials: UserLogin,
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Login with JSON body (alternative to form data)."""
    result = await db.execute(select(User).where(User.email == credentials.email))
@@ -304,7 +304,7 @@ async def login_json(
 async def refresh_token(
    request: Request,
    payload: Annotated[dict, Depends(get_refresh_token_payload)],
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Refresh access token using refresh token (rotation: old token is revoked)."""
    user_id = payload.get("sub")
@@ -368,7 +368,7 @@ async def get_me(
 async def update_me(
    data: UserUpdate,
    current_user: Annotated[User, Depends(get_current_active_user)],
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Update current user's profile (name, email)."""
    update_fields = data.model_fields_set - {"current_password"}
@@ -415,7 +415,7 @@ async def update_me(
@router.post("/logout")
 async def logout(
    payload: Annotated[dict, Depends(get_refresh_token_payload)],
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Logout user by revoking the refresh token."""
    jti = payload.get("jti")
@@ -438,7 +438,7 @@ async def change_password(
    request: Request,
    data: ChangePasswordRequest,
    current_user: Annotated[User, Depends(get_current_active_user)],
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Change the current user's password."""
    if not verify_password(data.current_password, current_user.password_hash):
@@ -478,7 +478,7 @@ async def change_password(
 async def forgot_password(
    request: Request,
    data: ForgotPasswordRequest,
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Request a password reset email. Always returns success (anti-enumeration)."""
    result = await db.execute(select(User).where(User.email == data.email))
@@ -513,7 +513,7 @@ async def forgot_password(
@router.post("/password/verify-reset-token", response_model=VerifyResetTokenResponse)
 async def verify_reset_token(
    data: VerifyResetTokenRequest,
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Verify a password reset token is valid."""
    payload = decode_token(data.token)
@@ -544,7 +544,7 @@ async def verify_reset_token(
 async def reset_password(
    request: Request,
    data: ResetPasswordRequest,
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Reset password using a valid reset token."""
    payload = decode_token(data.token)
@@ -611,7 +611,7 @@ async def reset_password(

@router.get("/email/verification-status")
 async def get_verification_status(
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Check if email verification is enabled on the platform."""
    enabled = await SettingsManager.get("email_verification_enabled", db, default=True)
@@ -623,7 +623,7 @@ async def get_verification_status(
 async def send_verification_email(
    request: Request,
    current_user: Annotated[User, Depends(get_current_active_user)],
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Send an email verification link to the current user."""
    verification_enabled = await SettingsManager.get("email_verification_enabled", db, default=True)
@@ -662,7 +662,7 @@ async def send_verification_email(
@router.post("/email/verify")
 async def verify_email(
    data: dict,
-    db: Annotated[AsyncSession, Depends(get_db)]
+    db: Annotated[AsyncSession, Depends(get_admin_db)]
 ):
    """Verify an email using a token. Public endpoint."""
    token = data.get("token")