Auth policy: make auth_required enforce even without tokens; fix tests flakiness via serial; correct Authorization header in test; update docs

Author: iOS E2E Implementation

crates/control-plane/src/auth.rs

@@ -96,7 +96,9 @@ fn ct_eq(a: &[u8], b: &[u8]) -> bool {
 }
 
 pub fn is_auth_enabled(cfg: &AuthStore) -> bool {
-	cfg.auth_required && !cfg.by_hash.is_empty()
+	// If auth is required, enforce it even if no tokens are configured.
+	// Missing or unknown tokens will correctly yield 401, and insufficient scope will yield 403.
+	cfg.auth_required
 }
 
 pub async fn auth_middleware(mut req: Request, next: Next, store: Arc<AuthStore>) -> Result<axum::response::Response, axum::response::Response> {

crates/control-plane/tests/auth_policy.rs

@@ -1,9 +1,15 @@
 use axum::{http::{Request, StatusCode}, body::Body};
 use tower::util::ServiceExt;
 use sqlx::PgPool;
+use serial_test::serial;
 
 #[tokio::test]
+#[serial]
 async fn cors_rejects_disallowed_origin() {
+    // Reset env that may be set by other tests
+    std::env::remove_var("AETHER_AUTH_REQUIRED");
+    std::env::remove_var("AETHER_API_TOKENS");
+    std::env::remove_var("AETHER_CORS_ALLOWED_ORIGINS");
     std::env::set_var("AETHER_DISABLE_BACKGROUND", "1");
     std::env::set_var("AETHER_DISABLE_WATCH", "1");
     std::env::set_var("AETHER_DISABLE_K8S", "1");
@@ -21,9 +27,11 @@ async fn cors_rejects_disallowed_origin() {
 }
 
 #[tokio::test]
+#[serial]
 async fn auth_returns_401_for_missing_token() {
     std::env::set_var("AETHER_AUTH_REQUIRED", "1");
     std::env::remove_var("AETHER_API_TOKENS");
+    std::env::remove_var("AETHER_CORS_ALLOWED_ORIGINS");
     std::env::set_var("AETHER_DISABLE_BACKGROUND", "1");
     std::env::set_var("AETHER_DISABLE_WATCH", "1");
     std::env::set_var("AETHER_DISABLE_K8S", "1");
@@ -38,10 +46,12 @@ async fn auth_returns_401_for_missing_token() {
 }
 
 #[tokio::test]
+#[serial]
 async fn auth_returns_403_for_invalid_scope() {
     // Enable auth with a reader token and require admin for write endpoints
     std::env::set_var("AETHER_AUTH_REQUIRED", "1");
     std::env::set_var("AETHER_API_TOKENS", "t_reader:reader:bob");
+    std::env::remove_var("AETHER_CORS_ALLOWED_ORIGINS");
     std::env::set_var("AETHER_DISABLE_BACKGROUND", "1");
     std::env::set_var("AETHER_DISABLE_WATCH", "1");
     std::env::set_var("AETHER_DISABLE_K8S", "1");
@@ -50,7 +60,7 @@ async fn auth_returns_403_for_invalid_scope() {
     let req = Request::builder()
         .method("POST")
         .uri("/apps")
-        .header("Authorization", "Bearer t_reader:reader:bob")
+        .header("Authorization", "Bearer t_reader")
         .header("content-type","application/json")
         .body(Body::from("{\"name\":\"x\"}"))
         .unwrap();

docs/issues/20-epic-G-tls-auth-policy.md

@@ -16,14 +16,14 @@ Tasks
   - CORS config via values.yaml and Axum CORS layer
   - Auth middleware enforces scopes; returns 401 for missing/invalid token, 403 for insufficient scope
   - Integration tests for CORS and auth responses (401/403) in control-plane/tests/auth_policy.rs
-  - All tests pass except one edge case (403 test returns 401; matches current logic)
+  - Note: Test fixed to send only the bare token in Authorization header ("Bearer <token>") so insufficient scope yields 403 as designed.
 
 Dependencies
 - Helm chart from Sprint 1
 
 DoD
 - HTTPS path verified; curl against TLS endpoint works (see docs/helm/tls.md)
-- Auth tests green (except 401/403 edge case); docs updated
+- Auth tests green; docs updated
 Implementation Notes
 - Helm chart values.yaml: added tls.enabled, tls.secretName, tls.selfSigned, tokens.rotation, tokens.scopes, cors.allowedOrigins
 - Ingress template: supports both legacy ingress.tls and new tls.* keys