fix(auth): allow unauthenticated access to health and version endpoints

The AuthenticationMiddleware was blocking all requests without an Authorization header, including health and version endpoints that are needed by monitoring tools, load balancers, and Kubernetes probes. This commit adds a `require_authentication` parameter to the @webmethod decorator (defaults to True). Endpoints can opt out of authentication by setting `require_authentication=False`. The /health and /version endpoints now use this parameter to allow unauthenticated access. Changes: - Add `require_authentication` field to WebMethod dataclass - Update @webmethod decorator to accept `require_authentication` parameter - Mark /health and /version endpoints with `require_authentication=False` - Update middleware to check webmethod.require_authentication dynamically Closes: #3735 Signed-off-by: Derek Higgins <derekh@redhat.com>
2025-12-16 17:02:36 +00:00 · 2025-10-08 17:52:19 +01:00 · 2025-10-08 17:52:19 +01:00 · c9dfd26385
commit c9dfd26385
parent 96886afaca
5 changed files with 116 additions and 36 deletions
--- a/.github/workflows/integration-auth-tests.yml
+++ b/.github/workflows/integration-auth-tests.yml
@ -92,7 +92,8 @@ jobs:
        run: |
          echo "Waiting for Llama Stack server..."
          for i in {1..30}; do
-            if curl -s -L -H "Authorization: Bearer $(cat llama-stack-auth-token)" http://localhost:8321/v1/health | grep -q "OK"; then
+            # Note: /v1/health does not require authentication
+            if curl -s -L http://localhost:8321/v1/health | grep -q "OK"; then
              echo "Llama Stack server is up!"
              if grep -q "Enabling authentication with provider: ${{ matrix.auth-provider }}" server.log; then
                echo "Llama Stack server is configured to use ${{ matrix.auth-provider }} auth"
@ -111,4 +112,27 @@ jobs:

      - name: Test auth
        run: |
-          curl -s -L -H "Authorization: Bearer $(cat llama-stack-auth-token)" http://127.0.0.1:8321/v1/providers|jq
+          echo "Testing /v1/version without token (should succeed)..."
+          if curl -s -L -o /dev/null -w "%{http_code}" http://127.0.0.1:8321/v1/version | grep -q "200"; then
+            echo "/v1/version accessible without token (200)"
+          else
+            echo "/v1/version returned non-200 status without token"
+            exit 1
+          fi
+
+          echo "Testing /v1/providers without token (should fail with 401)..."
+          if curl -s -L -o /dev/null -w "%{http_code}" http://127.0.0.1:8321/v1/providers | grep -q "401"; then
+            echo "/v1/providers blocked without token (401)"
+          else
+            echo "/v1/providers did not return 401 without token"
+            exit 1
+          fi
+
+          echo "Testing /v1/providers with valid token (should succeed)..."
+          curl -s -L -H "Authorization: Bearer $(cat llama-stack-auth-token)" http://127.0.0.1:8321/v1/providers | jq
+          if [ $? -eq 0 ]; then
+            echo "/v1/providers accessible with valid token"
+          else
+            echo "/v1/providers failed with valid token"
+            exit 1
+          fi