
fix(auth): session-OR-key for dashboard endpoints still on key-only (UNIFIED BALANCE 401)#31

Merged

WayforthOfficial merged 1 commit into main from fix/session-auth-dashboard-endpoints on Jun 20, 2026

Conversation

@WayforthOfficial (Owner)
Root cause

The dashboard authenticates by wf_session cookie. GET /billing/balance still required X-Wayforth-API-Key (never got PR #25's resolve_dashboard_caller treatment), so the UNIFIED BALANCE widget 401'd and the UI fell back to a hardcoded 100 — while the account was actually Growth/240k.

Audit + fix

Grepped every route still on key-only auth and converted the consumer-dashboard set to session-OR-key via resolve_dashboard_caller (same pattern as #25). Additive: X-Wayforth-API-Key still works for programmatic clients. Each resolves the caller's primary active key by id for the billing/usage display fields, so the key-path behaviour is unchanged.

Converted (12): /billing/balance, /dashboard, /keys/usage, POST /auth/regenerate-key, /billing/invoice/{year}/{month}, GET+PATCH /billing/settings, POST /billing/cancel, POST+GET /webhooks/wri-alerts, DELETE /webhooks/wri-alerts/{alert_id}, DELETE /webhooks/{webhook_id}.

Left key-only (correct — programmatic SDK/agent surface): POST /execute, /run, /pay. /auth/me already accepts the cookie (separate path).

Flagged, not converted (ambiguous provider/dev use — confirm if the dashboard calls them): /health-report, POST /call/keys/add, POST /submit, /identity/{agent_id}/history, and remaining webhook plumbing (register, GET /webhooks, deliveries, retry).

Verify

Post-deploy: /billing/balance returns 240,000 over session auth; the home widget shows 240k.

🤖 Generated with Claude Code

The dashboard authenticates by wf_session cookie and has no raw API key to send.
GET /billing/balance still required X-Wayforth-API-Key (never got PR #25's
resolve_dashboard_caller treatment), 401'd the UNIFIED BALANCE widget, and the
UI fell back to a hardcoded 100 — while the account was actually Growth/240k.

Audited every route still on key-only auth and converted the consumer-dashboard
set to session-OR-key via resolve_dashboard_caller (same pattern as #25). The
conversion is additive — X-Wayforth-API-Key still works for programmatic clients.

Converted:
  GET   /billing/balance            (the reported bug)
  GET   /dashboard
  GET   /keys/usage
  POST  /auth/regenerate-key
  GET   /billing/invoice/{year}/{month}
  GET   /billing/settings
  PATCH /billing/settings
  POST  /billing/cancel
  POST  /webhooks/wri-alerts
  GET   /webhooks/wri-alerts
  DELETE /webhooks/wri-alerts/{alert_id}
  DELETE /webhooks/{webhook_id}

Each resolves the caller's primary active api_key by id (caller["api_key_id"])
for the billing/usage display fields, so behaviour is identical to the key path.

Deliberately LEFT key-only (programmatic SDK/agent surface — browsers never call
these): POST /execute, POST /run, POST /pay. /auth/me already accepts the session
cookie (separate path). Flagged-but-not-converted (ambiguous provider/dev use):
/health-report, POST /call/keys/add, POST /submit, /identity/{agent_id}/history,
and the remaining webhook plumbing (register, list, deliveries, retry).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
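The PR description and the commit message above both describe the same mechanism: a single resolver that accepts either the wf_session cookie or the X-Wayforth-API-Key header, returns a caller record carrying api_key_id, and leaves the programmatic routes on the key-only path. The block below is an added example of that pattern, written for this page; it is not Wayforth's code. The stores (SESSIONS, API_KEYS, USAGE), the Request stand-in, the hashed-key lookup, the session-before-key precedence and the "no primary key" fallback are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional


class Unauthorized(Exception):
    """Neither a valid wf_session cookie nor a valid API key: the route answers 401."""


@dataclass
class Request:
    """Stand-in for a framework request object (constructed for this example)."""
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def _sha256(raw: str) -> str:
    return hashlib.sha256(raw.encode()).hexdigest()


# Constructed in-memory stores standing in for the real tables (hypothetical layout).
# Keys are stored hashed so a table read never yields a usable credential (assumption).
SESSIONS = {"sess-abc": {"user_id": "u1"}}
API_KEYS = {
    "key-1": {"hash": _sha256("wf_live_primary"), "user_id": "u1", "active": True, "primary": True},
    "key-2": {"hash": _sha256("wf_live_revoked"), "user_id": "u1", "active": False, "primary": False},
}
USAGE = {"key-1": {"plan": "Growth", "balance": 240_000}}


def _key_id_for(raw_key: str) -> Optional[str]:
    """Match a presented key against stored hashes; only active keys resolve."""
    digest = _sha256(raw_key)
    for key_id, rec in API_KEYS.items():
        if rec["active"] and hmac.compare_digest(rec["hash"], digest):
            return key_id
    return None


def _primary_active_key_id(user_id: str) -> Optional[str]:
    """The key whose usage/billing fields the dashboard displays for a session caller."""
    for key_id, rec in API_KEYS.items():
        if rec["user_id"] == user_id and rec["active"] and rec["primary"]:
            return key_id
    return None


def resolve_key_caller(req: Request) -> dict:
    """Key-only resolver: the path the programmatic surface (/execute, /run, /pay) keeps."""
    raw = req.headers.get("X-Wayforth-API-Key")
    key_id = _key_id_for(raw) if raw else None
    if key_id is None:
        raise Unauthorized()
    return {"user_id": API_KEYS[key_id]["user_id"], "auth": "key", "api_key_id": key_id}


def resolve_dashboard_caller(req: Request) -> dict:
    """Session-OR-key resolver. A valid session wins; otherwise fall through to the key path."""
    sid = req.cookies.get("wf_session")
    if sid is not None and sid in SESSIONS:  # stale/unknown cookie falls through, not 401 yet
        user_id = SESSIONS[sid]["user_id"]
        return {"user_id": user_id, "auth": "session", "api_key_id": _primary_active_key_id(user_id)}
    return resolve_key_caller(req)


def billing_balance(req: Request) -> dict:
    """GET /billing/balance after the fix: display fields come from api_key_id on either path."""
    caller = resolve_dashboard_caller(req)
    # A session caller with no active primary key gets an explicit empty record, not a 401.
    usage = USAGE.get(caller["api_key_id"] or "", {"plan": None, "balance": 0})
    return {"auth": caller["auth"], "plan": usage["plan"], "balance": usage["balance"]}


def execute(req: Request) -> dict:
    """POST /execute stays key-only: a session cookie alone must not authorize it."""
    caller = resolve_key_caller(req)
    return {"auth": caller["auth"], "api_key_id": caller["api_key_id"]}


def rejects(handler, req: Request) -> bool:
    """True if the handler answers 401 for this request (used for the negative cases)."""
    try:
        handler(req)
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    print(billing_balance(Request(cookies={"wf_session": "sess-abc"})))
    print(billing_balance(Request(headers={"X-Wayforth-API-Key": "wf_live_primary"})))
    print(rejects(execute, Request(cookies={"wf_session": "sess-abc"})))
```

The two billing_balance calls return the same plan and balance, which is the "key-path behaviour is unchanged" property the PR asserts; the third line shows that the cookie does not open the key-only route. Two things this example deliberately does not model and a real conversion has to: precedence when a request carries both a cookie and a header (here the session wins, by assumption), and cross-site request protection for the cookie path now that it authorizes mutating routes such as POST /auth/regenerate-key and the DELETE webhook endpoints.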
WayforthOfficial merged commit a8d706a into main on Jun 20, 2026
1 check failed