CRITICAL: Fix auth gaps on analyze endpoints, sanitize error messages, remove hardcoded JWT (Fixes #849)

.github/pull_request_template.md

@@ -1,35 +1,34 @@
-# 📌 Pull Request Description
+## Description
 
-## 🔗 Related Issue
+<!-- Briefly describe what this PR does -->
 
-Closes #
+## Related Issue
 
-## 📝 Description
+<!-- Link to the related issue -->
+Fixes #<!-- issue number -->
 
-Please include a summary of the changes and the related issue.
+## Type of Change
 
-## ✅ Type of Change
+- [ ] Bug fix (non-breaking change which fixes an issue)
+- [ ] New feature (non-breaking change which adds functionality)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Documentation update
+- [ ] Configuration change
 
-* [ ] Bug fix
-* [ ] New feature
-* [ ] Documentation update
-* [x] Chore
-* [ ] UI/UX improvement
-* [ ] Other
+## Checklist
 
-## 🧪 Testing Done
+- [ ] My code follows the project's coding style
+- [ ] I have performed a self-review of my code
+- [ ] I have commented my code where necessary
+- [ ] I have updated the documentation accordingly
+- [ ] My changes generate no new warnings
+- [ ] I have added tests that prove my fix is effective or my feature works
+- [ ] New and existing unit tests pass locally with my changes
 
-* [ ] Tested locally
-* [ ] Existing functionality verified
-* [ ] No new warnings/errors introduced
+## Screenshots (if applicable)
 
-## 📸 Screenshots (if applicable)
+<!-- Add screenshots to show visual changes -->
 
-Add screenshots or proof here.
+## Additional Notes
 
-## ✔️ Checklist
-
-* [ ] My code follows the project guidelines
-* [ ] I reviewed my own changes
-* [ ] I linked the related issue
-* [ ] This PR targets the `gssoc` branch
+<!-- Any additional information that reviewers should know -->

backend/auth_cookie.py

@@ -82,11 +82,11 @@ async def get_current_user(request: Request) -> dict:
     try:
         client = _anon_supabase()
         result = client.auth.get_user(token)
-    except Exception as exc:
+    except Exception:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
-            detail=f"Invalid session: {exc}",
-        ) from exc
+            detail="Invalid session",
+        )
     user = getattr(result, "user", None) or (result.get("user") if isinstance(result, dict) else None)
     if not user:
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid session")
@@ -117,13 +117,13 @@ async def auth_login(body: LoginBody, response: Response):
         result = client.auth.sign_in_with_password(
             {"email": str(body.email), "password": body.password}
         )
-    except Exception as exc:
-        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail=str(exc)) from exc
+    except Exception:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid email or password")
 
     session = getattr(result, "session", None)
     user = getattr(result, "user", None)
     if not session or not user:
-        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials")
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid email or password")
 
     _set_session_cookies(response, session)
     user_payload = user.model_dump() if hasattr(user, "model_dump") else dict(user)
@@ -149,8 +149,8 @@ async def auth_signup(body: SignupBody, response: Response):
                 "options": {"data": metadata} if metadata else {},
             }
         )
-    except Exception as exc:
-        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(exc)) from exc
+    except Exception:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Signup failed. Please check your inputs and try again.")
 
     session = getattr(result, "session", None)
     user = getattr(result, "user", None)

backend/main.py

@@ -1993,7 +1993,7 @@ async def search_tickets(
 # ---------------------------------------------------------------------------
 @app.post("/ai/analyze_ticket", response_model=TicketResponse, tags=["AI Analysis"], summary="Full AI ticket analysis (rate-limited)")
 @limiter.limit("10/minute")
-async def analyze_ticket(request_body: TicketRequest, request: Request):
+async def analyze_ticket(request_body: TicketRequest, request: Request, user: dict = Depends(get_current_user)):
     """Main entry point for end-to-end ticket triage. Runs OCR (when an image
     is attached), classification, NER, duplicate check, and RAG lookup, then
     returns the consolidated ``TicketResponse``. Throttled to 10 requests per
@@ -2022,11 +2022,11 @@ async def analyze_ticket(request_body: TicketRequest, request: Request):
 
     # Pass OCR-enriched text downstream so the analyze_only endpoint uses it.
     enriched = request_body.model_copy(update={"text": text, "image_text": local_ocr_text})
-    return await analyze_only(enriched, request)
+    return await analyze_only(enriched, request, user)
 
 @app.post("/ai/analyze")
 @limiter.limit("10/minute")
-async def analyze_only(request_body: TicketRequest, request: Request):
+async def analyze_only(request_body: TicketRequest, request: Request, user: dict = Depends(get_current_user)):
     """
     Centralized analysis logic used by `/ai/analyze`, `/ai/analyze_ticket`, and `/ai/analyze_stream`.
     Returns a serializable dict representing the ticket analysis result.

scratch/test_companies.js

@@ -1,7 +1,7 @@
 const https = require('https');
 
-const SUPABASE_URL = "https://aejuenhqciagpntcqoir.supabase.co";
-const SUPABASE_KEY = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6ImFlanVlbmhxY2lhZ3BudGNxb2lyIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTc3MjM4NDA3OCwiZXhwIjoyMDg3OTYwMDc4fQ.b3tZ_yad4WPQi4oSqGp1ksr_zw-ldByLqZWvT7HX5aQ";
+const SUPABASE_URL = process.env.SUPABASE_URL || "https://aejuenhqciagpntcqoir.supabase.co";
+const SUPABASE_KEY = process.env.SUPABASE_SERVICE_KEY;
 
 const getRequest = (path) => {
   return new Promise((resolve, reject) => {