From 3b20e799e2589a51a8a5ff5fac4cb18ee1c2cb71 Mon Sep 17 00:00:00 2001
From: Adam Grenier
Date: Thu, 26 Feb 2026 11:51:45 -0800
Subject: [PATCH] fix: accept Authorization: Bearer in agent_auth_context_optional
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The optional variant of get_agent_auth_context had accept_authorization=False, which prevented agents using Authorization: Bearer from passing through the ACTOR_DEP / BOARD_READ_DEP / TASK_DEP dependency chain. This caused 401 on any agent route that resolves a board or task via the shared ACTOR_DEP (e.g. PATCH /agent/boards/{id}/tasks/{id} and POST /agent/boards/{id}/tasks/{id}/comments), even though the same token worked fine on routes that use AGENT_CTX_DEP directly (accept_authorization=True). Fix: set accept_authorization=True in get_agent_auth_context_optional so both X-Agent-Token and Authorization: Bearer are accepted consistently. Verified: PATCH and POST /comments now resolve board/task correctly when Authorization: Bearer is used. No security regression — agent_token_hash comparison rejects any non-agent bearer tokens.
---
 backend/app/core/agent_auth.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/backend/app/core/agent_auth.py b/backend/app/core/agent_auth.py
index 1bd2b7eb..a5f322dc 100644
--- a/backend/app/core/agent_auth.py
+++ b/backend/app/core/agent_auth.py 
@@ -143,11 +143,19 @@ async def get_agent_auth_context_optional(
 authorization: str | None = Header(default=None, alias="Authorization"),
 session: AsyncSession = SESSION_DEP,
 ) -> AgentAuthContext | None:
- """Optionally resolve agent auth context from `X-Agent-Token` only."""
+ """Optionally resolve agent auth context from `X-Agent-Token` or `Authorization: Bearer`.
+
+ Both `X-Agent-Token` and `Authorization: Bearer ` are accepted so that
+ routes depending on this function (e.g. board/task dependency resolvers) behave
+ consistently with `get_agent_auth_context`, which also accepts both headers.
+ Previously, `accept_authorization=False` caused 401 on any route that resolved
+ a board or task via the shared `ACTOR_DEP` chain (e.g. PATCH /tasks/{id},
+ POST /tasks/{id}/comments) when the caller used `Authorization: Bearer`.
+ """
 resolved = _resolve_agent_token(
 agent_token,
 authorization,
- accept_authorization=False,
+ accept_authorization=True,
 )
 if not resolved:
 if agent_token:
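Review bot: The new docstring's second paragraph names the accepted header form as `Authorization: Bearer ` with a trailing space where the token placeholder appears to have been lost; it should read `Authorization: Bearer <token>`. The "Previously, `accept_authorization=False` caused 401 ..." paragraph describes the regression this commit fixes, which belongs in the commit message rather than the docstring — keep the docstring to the current contract and drop that sentence. With `accept_authorization=True` this optional dependency now inspects every bearer token that reaches the shared ACTOR_DEP chain, including non-agent (user) tokens, and the hunk ends before the branch that handles an unresolved `authorization` value, so I cannot confirm from here that a non-agent bearer token falls through to `None` rather than raising; the commit message records only manual verification, so a test exercising a route behind ACTOR_DEP with both `X-Agent-Token` and a non-agent `Authorization: Bearer` header would pin that behaviour. The body of get_agent_auth_context_optional continues past the end of the hunk.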