From 0742cc0aa48155088eb75fcf8388ec42da6ebe66 Mon Sep 17 00:00:00 2001
From: michael <michael@modernfreedom.com>
Date: Thu, 18 Dec 2025 10:15:37 -0600
Subject: [PATCH] Fix DISABLE_AUTH check in get_current_user dependency
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The auth dependency was requiring the Authorization header before
checking DISABLE_AUTH, causing API endpoints to fail in dev mode.
Now returns mock user immediately when DISABLE_AUTH=true.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 backend/app/dependencies/auth.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/backend/app/dependencies/auth.py b/backend/app/dependencies/auth.py
index b88ec38..9bb8ac9 100644
--- a/backend/app/dependencies/auth.py
+++ b/backend/app/dependencies/auth.py
@@ -6,6 +6,7 @@ Provides dependency functions for securing REST endpoints with Azure AD token ve
 from typing import Optional
 from fastapi import Header, HTTPException, status
 
+from app.config import settings
 from app.services.auth_service import verify_access_token
 
 
@@ -27,6 +28,10 @@ async def get_current_user(authorization: Optional[str] = Header(None)) -> dict:
     Raises:
         HTTPException: 401 if token is missing or invalid
     """
+    # If auth is disabled, return mock user immediately
+    if settings.DISABLE_AUTH:
+        return {"sub": "dev-user", "name": "Development User", "preferred_username": "dev@localhost"}
+
     if not authorization:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,