feat(server-utils,auth-server): Allow users to get their own info (#21449)

This closes EXEC-2610.

* Split the `users.read` scope into `users.read.others` and `users.read.self`. Regular users get `users.read.self`, and admins get `users.read.others`.
* Add a new `GET /users/self` endpoint, requiring `users.read.self`.
* Rename the existing endpoints from `/users/{username}` to `/users/byUsername/{username}`. These require `users.read.others`.
* Update the auth utilities in `server_utils` to support this use case. This basically means letting endpoints access some lower-level auth information, so they can implement custom authorization logic themselves, instead of wrapping it all up in a FastAPI dependency.

Author: SyntaxColoring

auth-server/auth_server/users/models.py

@@ -29,12 +29,13 @@ class AccountType(StrEnum):
         # todo(mm, 2026-03-17): Updates should be togglable to admin-only by an auth setting.
         Scope.UPDATES_WRITE,
         # todo(mm, 2026-03-17): Protocol uploads should be togglable to admin-only by an auth setting.
+        Scope.USERS_READ_SELF,
         Scope.PROTOCOLS_WRITE,
     },
     # Auditors should have read-only access to everything. Our read-only endpoints are
     # mostly accessible without authentication, but there are some exceptions. This
     # just needs to have the scopes to cover those exceptions.
-    AccountType.AUDITOR: {Scope.USERS_READ},
+    AccountType.AUDITOR: {Scope.USERS_READ_OTHERS},
 }
 
 

auth-server/auth_server/users/router.py

@@ -2,7 +2,13 @@
 
 import fastapi
 
-from server_utils.auth.resource_server.fastapi import require_scopes
+from server_utils.auth.resource_server.authorization_checker import (
+    AuthorizationNotRequiredResult,
+)
+from server_utils.auth.resource_server.fastapi import (
+    RequireScopesResult,
+    require_scopes,
+)
 from server_utils.auth.scopes import Scope
 from server_utils.fastapi_utils.models.json_api import (
     PydanticResponse,
@@ -11,8 +17,6 @@
     SimpleEmptyBody,
 )
 
-from auth_server.oauth2.backend import Backend
-from auth_server.oauth2.fastapi_dependencies import get_oauth2_backend
 from auth_server.users.dependencies import get_user_data_manager
 from auth_server.users.models import UpdateUser, UserCreate, UserResponse
 from auth_server.users.user_data_manager import (
@@ -36,9 +40,7 @@
     dependencies=[fastapi.Depends(require_scopes(Scope.USERS_WRITE))],
 )
 async def post_users(
-    request: fastapi.Request,
     request_body: RequestModel[UserCreate],
-    oauth2_backend: Annotated[Backend, fastapi.Depends(get_oauth2_backend)],
     user_data_manager: Annotated[
         UserDataManager, fastapi.Depends(get_user_data_manager)
     ],
@@ -72,19 +74,17 @@ async def post_users(
 
 @PydanticResponse.wrap_route(
     router.get,
-    path="/auth/users/{userName}",
-    summary="Get a user information",
-    description="Get a specific user by its unique identifier.",
+    path="/auth/users/byUsername/{userName}",
+    summary="Get a user",
+    description="Get a specific user, identified by their unique username.",
     responses={
         fastapi.status.HTTP_200_OK: {"model": SimpleBody[UserResponse]},
         fastapi.status.HTTP_404_NOT_FOUND: {"userNotFound": None},
     },
-    dependencies=[fastapi.Depends(require_scopes(Scope.USERS_READ))],
+    dependencies=[fastapi.Depends(require_scopes(Scope.USERS_READ_OTHERS))],
 )
 async def get_user(
-    request: fastapi.Request,
     userName: str,
-    oauth2_backend: Annotated[Backend, fastapi.Depends(get_oauth2_backend)],
     user_data_manager: Annotated[
         UserDataManager, fastapi.Depends(get_user_data_manager)
     ],
@@ -105,18 +105,16 @@ async def get_user(
 
 @PydanticResponse.wrap_route(
     router.delete,
-    path="/auth/users/{userName}",
+    path="/auth/users/byUsername/{userName}",
     summary="Delete a user",
-    description="Delete a specific user by its unique identifier.",
+    description="Delete a specific user, identified by their unique username.",
     responses={
         fastapi.status.HTTP_204_NO_CONTENT: {"description": "User deleted"},
     },
     dependencies=[fastapi.Depends(require_scopes(Scope.USERS_WRITE))],
 )
 async def delete_user(
-    request: fastapi.Request,
     userName: str,
-    oauth2_backend: Annotated[Backend, fastapi.Depends(get_oauth2_backend)],
     user_data_manager: Annotated[
         UserDataManager, fastapi.Depends(get_user_data_manager)
     ],
@@ -137,19 +135,17 @@ async def delete_user(
 
 @PydanticResponse.wrap_route(
     router.patch,
-    path="/auth/users/{userName}",
+    path="/auth/users/byUsername/{userName}",
     summary="Update a user",
-    description="Update a specific user by its unique identifier.",
+    description="Update a specific user, identified by their unique username.",
     responses={
         fastapi.status.HTTP_200_OK: {"model": SimpleBody[UserResponse]},
     },
     dependencies=[fastapi.Depends(require_scopes(Scope.USERS_WRITE))],
 )
 async def update_user(
-    request: fastapi.Request,
     request_body: RequestModel[UpdateUser],
     userName: str,
-    oauth2_backend: Annotated[Backend, fastapi.Depends(get_oauth2_backend)],
     user_data_manager: Annotated[
         UserDataManager, fastapi.Depends(get_user_data_manager)
     ],
@@ -187,3 +183,39 @@ async def update_user(
         status_code=fastapi.status.HTTP_200_OK,
         content=SimpleBody(data=updated_user),
     )
+
+
+@PydanticResponse.wrap_route(
+    router.get,
+    path="/auth/users/self",
+    summary="Get the currently logged-in user",
+    description=(
+        'The "currently logged-in user" is determined from the OAuth 2 access token'
+        " that you attach to your request to this endpoint."
+        " See the `/auth/oauth2` endpoints."
+    ),
+    responses={fastapi.status.HTTP_401_UNAUTHORIZED: {}},
+)
+async def get_self(  # noqa: D103
+    authorization_details: Annotated[
+        RequireScopesResult, fastapi.Depends(require_scopes(Scope.USERS_READ_SELF))
+    ],
+    user_data_manager: Annotated[
+        UserDataManager, fastapi.Depends(get_user_data_manager)
+    ],
+) -> PydanticResponse[SimpleBody[UserResponse]]:
+    if isinstance(authorization_details, AuthorizationNotRequiredResult):
+        raise fastapi.HTTPException(
+            status_code=fastapi.status.HTTP_401_UNAUTHORIZED,
+            detail="This endpoint needs an access token to determine the current user.",
+        )
+
+    # Note: No try/except for UserNotFoundError. If the user passed `require_scopes()`,
+    # but we can't find them here, then that's some kind of server bug and we want to
+    # let it propagate with HTTP error code 500.
+    user = user_data_manager.get_user(authorization_details.username)
+
+    return await PydanticResponse.create(
+        status_code=fastapi.status.HTTP_200_OK,
+        content=SimpleBody(data=user),
+    )

auth-server/tests/integration/test_failed_login_lockout.tavern.yaml

@@ -120,7 +120,7 @@ stages:
   - name: Use admin credentials to see the lockout
     request:
       method: GET
-      url: '{run_server.base_url}/auth/users/test_user'
+      url: '{run_server.base_url}/auth/users/byUsername/test_user'
       headers:
         Authorization: '{admin_access_token}'
     response:
@@ -134,7 +134,7 @@ stages:
   - name: Use admin credentials to clear the lockout
     request:
       method: PATCH
-      url: '{run_server.base_url}/auth/users/test_user'
+      url: '{run_server.base_url}/auth/users/byUsername/test_user'
       headers:
         Authorization: '{admin_access_token}'
       json:

auth-server/tests/integration/test_protected_resource_access.tavern.yaml

@@ -52,15 +52,15 @@ stages:
         grant_type: password
         username: test_admin
         password: test_admin_password
-        scope: users.read # Omit users.write.
+        scope: users.read.others # Omit users.write.
     response:
       status_code: 200
       json:
         access_token: !anystr
         refresh_token: !anystr
         expires_in: !anyint
         token_type: Bearer
-        scope: users.read
+        scope: users.read.others
       save:
         json:
           access_token: access_token

auth-server/tests/integration/test_user_crud_flows.tavern.yaml

@@ -51,7 +51,7 @@ stages:
   - name: Get a user information
     request:
       method: GET
-      url: '{run_server.base_url}/auth/users/test_new_user'
+      url: '{run_server.base_url}/auth/users/byUsername/test_new_user'
       headers:
         Authorization: '{admin_access_token}'
     response:
@@ -68,7 +68,7 @@ stages:
   - name: Update the user
     request:
       method: PATCH
-      url: '{run_server.base_url}/auth/users/test_new_user'
+      url: '{run_server.base_url}/auth/users/byUsername/test_new_user'
       json:
         data:
           fullName: Test New User Updated
@@ -89,7 +89,7 @@ stages:
   - name: Update the username and password
     request:
       method: PATCH
-      url: '{run_server.base_url}/auth/users/test_new_user'
+      url: '{run_server.base_url}/auth/users/byUsername/test_new_user'
       json:
         data:
           userName: test_new_user_updated
@@ -105,12 +105,12 @@ stages:
           userName: test_new_user_updated
           locked: false
           scopes: !force_original_structure '{admin_scopes_list}'
-          resetPassword: false  
+          resetPassword: false
 
   - name: Update the reset password flag
     request:
       method: PATCH
-      url: '{run_server.base_url}/auth/users/test_new_user_updated'
+      url: '{run_server.base_url}/auth/users/byUsername/test_new_user_updated'
       json:
         data:
           resetPassword: true
@@ -130,7 +130,7 @@ stages:
   - name: Get the user information
     request:
       method: GET
-      url: '{run_server.base_url}/auth/users/test_new_user_updated'
+      url: '{run_server.base_url}/auth/users/byUsername/test_new_user_updated'
       headers:
         Authorization: '{admin_access_token}'
     response:
@@ -163,7 +163,7 @@ stages:
   - name: Delete the user
     request:
       method: DELETE
-      url: '{run_server.base_url}/auth/users/test_new_user_updated'
+      url: '{run_server.base_url}/auth/users/byUsername/test_new_user_updated'
       headers:
         Authorization: '{admin_access_token}'
     response:
@@ -172,8 +172,137 @@ stages:
   - name: Try to get the deleted user
     request:
       method: GET
-      url: '{run_server.base_url}/auth/users/test_new_user_updated'
+      url: '{run_server.base_url}/auth/users/byUsername/test_new_user_updated'
       headers:
         Authorization: '{admin_access_token}'
     response:
       status_code: 404
+
+---
+test_name: Letting users read their own info
+
+marks:
+  - usefixtures:
+      - run_server
+      - admin_access_token
+
+stages:
+  - name: Enable access control mode
+    request:
+      method: PATCH
+      url: '{run_server.base_url}/auth/settings/accessControlEnabled'
+      headers:
+        Authorization: '{admin_access_token}'
+      json:
+        data:
+          accessControlEnabled: true
+    response:
+      status_code: 200
+      json:
+        data:
+          accessControlEnabled: true
+      strict:
+        - json:off
+
+  - name: Create regular user 1
+    request:
+      method: POST
+      url: '{run_server.base_url}/auth/users'
+      json:
+        data:
+          userName: regular_user_1
+          password: securepassword123
+          fullName: Regular User 1
+          accountType: user
+      headers:
+        Authorization: '{admin_access_token}'
+    response:
+      status_code: 201
+      save:
+        json:
+          regular_user_1_data: data
+
+  - name: Create regular user 2
+    request:
+      method: POST
+      url: '{run_server.base_url}/auth/users'
+      json:
+        data:
+          userName: regular_user_2
+          password: securepassword123
+          fullName: Regular User 2
+          accountType: user
+      headers:
+        Authorization: '{admin_access_token}'
+    response:
+      status_code: 201
+      save:
+        json:
+          regular_user_2_data: data
+
+  - name: Log in as regular user 1 and get an access token
+    request:
+      method: POST
+      url: '{run_server.base_url}/auth/oauth2/token'
+      data:
+        client_id: opentrons_app
+        grant_type: password
+        username: regular_user_1
+        password: securepassword123
+    response:
+      status_code: 200
+      json:
+        access_token: !anystr
+      strict:
+        - json:off
+      save:
+        json:
+          regular_user_1_access_token: access_token
+
+  - name: Log in as regular user 2 and get an access token
+    request:
+      method: POST
+      url: '{run_server.base_url}/auth/oauth2/token'
+      data:
+        client_id: opentrons_app
+        grant_type: password
+        username: regular_user_2
+        password: securepassword123
+    response:
+      status_code: 200
+      json:
+        access_token: !anystr
+      strict:
+        - json:off
+      save:
+        json:
+          regular_user_2_access_token: access_token
+
+  - name: Unauthorized requests should be rejected
+    request:
+      method: GET
+      url: '{run_server.base_url}/auth/users/self'
+    response:
+      status_code: 401
+
+  - name: Regular user 1 should be able to get their own info
+    request:
+      method: GET
+      url: '{run_server.base_url}/auth/users/self'
+      headers:
+        authorization: 'Bearer {regular_user_1_access_token}'
+    response:
+      status_code: 200
+      json:
+        data: !force_original_structure '{regular_user_1_data}'
+
+  - name: Regular user 2 should be able to get their own info
+    request:
+      method: GET
+      url: '{run_server.base_url}/auth/users/self'
+      headers:
+        authorization: 'Bearer {regular_user_2_access_token}'
+    response:
+      status_code: 200
+      json:
+        data: !force_original_structure '{regular_user_2_data}'

server-utils/server_utils/auth/resource_server/auth_server.py

@@ -131,6 +131,7 @@ class TokenIntrospectionResponse(_StrictBaseModel):
 
     active: bool
     scope: str = ""
+    username: str | None = None
 
 
 class TokenIntrospectionRequestFormData(typing.TypedDict):