Skip to content

Dependencies

sentinel_auth.dependencies

FastAPI dependency helpers for extracting auth context from requests.

get_current_user(request)

Extract the authenticated user from request state (set by JWTAuthMiddleware).

Source code in sdk/src/sentinel_auth/dependencies.py 
17
18
19
20
21
22
def get_current_user(request: Request) -> AuthenticatedUser:
    """Extract the authenticated user from request state (set by JWTAuthMiddleware)."""
    user: AuthenticatedUser | None = getattr(request.state, "user", None)
    if user is None:
        raise HTTPException(status_code=401, detail="Not authenticated")
    return user

get_workspace_id(user=Depends(get_current_user))

Extract the workspace ID from the current user's JWT context.

Source code in sdk/src/sentinel_auth/dependencies.py 
25
26
27
def get_workspace_id(user: AuthenticatedUser = Depends(get_current_user)) -> uuid.UUID:
    """Extract the workspace ID from the current user's JWT context."""
    return user.workspace_id

get_workspace_context(user=Depends(get_current_user))

Extract full workspace context from the current user's JWT.

Source code in sdk/src/sentinel_auth/dependencies.py 
30
31
32
33
34
35
36
37
38
39
def get_workspace_context(
    user: AuthenticatedUser = Depends(get_current_user),
) -> WorkspaceContext:
    """Extract full workspace context from the current user's JWT."""
    return WorkspaceContext(
        workspace_id=user.workspace_id,
        workspace_slug=user.workspace_slug,
        user_id=user.user_id,
        role=user.workspace_role,
    )

require_role(minimum_role)

Dependency factory that enforces a minimum workspace role.

Usage

@router.post("/things") async def create_thing(user: AuthenticatedUser = Depends(require_role("editor"))): ...

Source code in sdk/src/sentinel_auth/dependencies.py 
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
def require_role(minimum_role: str) -> Callable:
    """Dependency factory that enforces a minimum workspace role.

    Usage:
        @router.post("/things")
        async def create_thing(user: AuthenticatedUser = Depends(require_role("editor"))):
            ...
    """

    def dependency(
        user: AuthenticatedUser = Depends(get_current_user),
    ) -> AuthenticatedUser:
        if not user.has_role(minimum_role):
            raise HTTPException(
                status_code=403,
                detail=f"Requires at least '{minimum_role}' role, you have '{user.workspace_role}'",
            )
        return user

    return dependency

require_action(role_client, action)

Dependency factory that enforces an RBAC action via the identity service.

Usage

@router.get("/reports/export") async def export(user: AuthenticatedUser = Depends(require_action(roles, "reports:export"))): ...

Source code in sdk/src/sentinel_auth/dependencies.py 
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
def require_action(role_client: RoleClient, action: str) -> Callable:
    """Dependency factory that enforces an RBAC action via the identity service.

    Usage:
        @router.get("/reports/export")
        async def export(user: AuthenticatedUser = Depends(require_action(roles, "reports:export"))):
            ...
    """

    async def dependency(request: Request, user: AuthenticatedUser = Depends(get_current_user)) -> AuthenticatedUser:
        token = request.headers.get("Authorization", "").removeprefix("Bearer ")
        allowed = await role_client.check_action(token, action, user.workspace_id)
        if not allowed:
            raise HTTPException(status_code=403, detail=f"Action '{action}' not permitted")
        return user

    return dependency