
Commit f41f8dc

committed
fix: remove SP token fallback from gateway_routes entirely
Delete _get_token() and replace all call sites with extract_bearer_token(), which requires a real user token (X-Forwarded-Access-Token or Authorization Bearer) and raises 401 immediately if absent. No SP/service token fallback anywhere in the request path. Co-authored-by: Isaac
1 parent 85f628b commit f41f8dc

1 file changed

+3
-16
lines changed

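--- a/backend/app/api/gateway_routes.py
+++ b/backend/app/api/gateway_routes.py
@@ -24,19 +24,6 @@
 settings = get_settings()
 
 
-def _get_token(req: Request) -> str:
-"""Extract bearer token from request headers."""
-token = req.headers.get("X-Forwarded-Access-Token")
-if not token:
-auth = req.headers.get("Authorization", "")
-if auth.startswith("Bearer "):
-token = auth[7:]
-if not token:
-token = get_effective_setting("lakebase_service_token") or settings.databricks_token
-if not token:
-raise HTTPException(status_code=401, detail="No authentication token available")
-return token
-
 
 async def _require_role(req: Request, min_role: str):
 """Resolve caller's effective role and raise 403 if below min_role.
@@ -276,7 +263,7 @@ async def get_gateway_logs(gateway_id: str, limit: int = 50):
 async def list_genie_spaces(req: Request):
 """List available Genie Spaces from the workspace."""
 try:
-token = _get_token(req)
+token = extract_bearer_token(req)
 host = _get_host()
 
 url = f"{host}/api/2.0/genie/spaces"
@@ -300,7 +287,7 @@ async def list_genie_spaces(req: Request):
 async def list_warehouses(req: Request):
 """List available SQL warehouses from the workspace."""
 try:
-token = _get_token(req)
+token = extract_bearer_token(req)
 host = _get_host()
 
 url = f"{host}/api/2.0/sql/warehouses"
@@ -324,7 +311,7 @@ async def list_warehouses(req: Request):
 async def list_serving_endpoints(req: Request):
 """List available serving endpoints from the workspace."""
 try:
-token = _get_token(req)
+token = extract_bearer_token(req)
 host = _get_host()
 
 url = f"{host}/api/2.0/serving-endpoints"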
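Review bot: In all three handlers (`list_genie_spaces`, `list_warehouses`, `list_serving_endpoints`) the new `token = extract_bearer_token(req)` call sits inside the `try:` block, so whether a missing token really produces the 401 the description promises depends on except clauses that lie outside these hunks. If any of them catches `Exception` broadly, the `HTTPException` would be remapped (probably to a 5xx) and the fail-closed behaviour becomes hard to see in logs and tests; hoisting the call above `try:` or putting `except HTTPException: raise` first removes the doubt. The three additions are all call sites and no import is added, so `extract_bearer_token` must already be in scope in gateway_routes.py, which is worth confirming along with whether `get_effective_setting` is still used now that `_get_token` is gone. A test per route asserting 401 when neither `X-Forwarded-Access-Token` nor `Authorization` is present, even with a service token configured, would pin the intent of this change.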
