fix: set oauth2 auto_error=False so IP whitelist works without token

OAuth2PasswordBearer with auto_error=True rejected tokenless requests
before ip_whitelist_or_auth could check the client IP. Set auto_error
to always be False so localhost requests bypass auth as intended.

Remove test for deleted scheduler.py and clean up dev mode test that
no longer needs to patch auto_error.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: pythoninthegrass

app/main.py

@@ -168,7 +168,7 @@ class UserInDB(User):
     hashed_password: str
 
 
-oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token", auto_error=not DEV)
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token", auto_error=False)
 
 
 def verify_password(plain_password, hashed_password):

tests/test_unit.py

@@ -422,22 +422,14 @@ def test_get_current_schedule(test_client, auth_headers):
 
 @pytest.mark.unit
 def test_dev_mode_bypasses_auth_for_local_requests(raw_test_client):
-    """When DEV=True, localhost requests should not require authentication.
-
-    oauth2_scheme is constructed at import time with auto_error=not DEV.
-    Since DEV is False during test collection, auto_error is True and the
-    scheme rejects tokenless requests before ip_whitelist_or_auth runs.
-    We must also patch auto_error on the live instance.
-    """
-    from main import oauth2_scheme
+    """When DEV=True, localhost requests should not require authentication."""
 
     mock_schedule_obj = MagicMock(
         day="Monday", schedule_time="10:00", enabled=True, snooze_until=None, original_schedule_time="10:00"
     )
 
     with (
         patch('main.DEV', True),
-        patch.object(oauth2_scheme, 'auto_error', False),
         patch('main.check_and_revert_snooze'),
         patch('main.get_schedule', return_value=mock_schedule_obj),
         patch('main.db_session') as mock_db_sess,
@@ -859,12 +851,6 @@ def test_no_requests_import_in_sign_jwt(self):
         assert "import requests" not in source, "sign_jwt.py still imports requests"
         assert "import httpx" in source, "sign_jwt.py should import httpx"
 
-    def test_no_requests_import_in_scheduler(self):
-        """scheduler should not import the requests library."""
-        source = (Path(__file__).resolve().parent.parent / "app" / "scheduler.py").read_text()
-        assert "import requests" not in source, "scheduler.py still imports requests"
-        assert "import httpx" in source, "scheduler.py should import httpx"
-
     def test_get_access_token_uses_httpx_client(self):
         """get_access_token function body should use httpx.Client."""
         source = (Path(__file__).resolve().parent.parent / "app" / "sign_jwt.py").read_text()