Summary
Since #149/#150, SecurityConfig requires authentication on all endpoints (.anyRequest().authenticated(), only /actuator/health* and swagger paths are permitAll). However, neither in-repo client SDK sends an Authorization header, so every non-health call will receive 401 Unauthorized:
- Java: src/main/java/preponderous/viron/services/*Service.java (uses RestTemplate with no bearer token).
- Python: src/main/python/preponderous/viron/services/*Service.py (uses requests with no auth).
Evidence
SecurityConfig.java: .anyRequest().authenticated().
grep -rn "Authorization\|Bearer\|token" over both services/ trees returns nothing.
Proposed work
Give both clients a way to attach a bearer token (e.g. a configurable token / token-provider injected into RestTemplate interceptors and the Python requests session), and add tests asserting the header is sent.
Notes
Found during #135 while rebasing onto the #149 auth merge. Pre-existing across all client methods, not introduced by #135.
Filed by Claude on behalf of Daniel Stephenson.
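One possible shape for the Python half of the proposed work, as an added example that is not code from this repository: a `requests` auth hook fed by a token provider, plus a recording adapter so a test can assert the header without a network. The names `BearerAuth`, `build_session`, `RecordingAdapter`, `authorization_sent` and the URL are assumptions made for illustration.

```python
import requests
from requests.adapters import BaseAdapter
from requests.auth import AuthBase


class BearerAuth(AuthBase):
    """requests auth hook: adds 'Authorization: Bearer <token>' per request."""
    def __init__(self, token_provider):
        # A callable (not a fixed string) lets callers rotate or refresh tokens.
        self._token_provider = token_provider

    def __call__(self, request):
        token = self._token_provider()
        # Fail closed: never send an unauthenticated or malformed header.
        if not token or any(ch.isspace() for ch in token):
            raise ValueError("bearer token is empty or contains whitespace")
        request.headers["Authorization"] = f"Bearer {token}"
        return request


def build_session(token_provider):
    # Hypothetical factory the *Service classes could share.
    session = requests.Session()
    session.auth = BearerAuth(token_provider)
    return session


class RecordingAdapter(BaseAdapter):
    """Test double: records prepared requests instead of opening a socket."""
    def __init__(self):
        super().__init__()
        self.sent = []

    def send(self, request, **kwargs):
        self.sent.append(request)
        response = requests.Response()
        response.status_code = 200
        response.request, response.url = request, request.url
        return response


def authorization_sent(token_provider, url="http://viron.invalid/constructed-path"):
    """Issue a GET through the session; return the Authorization header sent."""
    session = build_session(token_provider)
    session.trust_env = False  # keep the check independent of proxy/netrc env
    adapter = RecordingAdapter()
    session.mount("http://", adapter)
    session.get(url)
    return adapter.sent[0].headers.get("Authorization")
```

Because the provider is called on every request, a rotated token is picked up without rebuilding the session, and an empty token raises before anything is sent rather than producing a silent 401.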