auth: allow account access without group claims

ariadne/app.py

@@ -129,6 +129,8 @@ def _require_admin(ctx: AuthContext) -> None:
 def _require_account_access(ctx: AuthContext) -> None:
     if not settings.account_allowed_groups:
         return
+    if not ctx.groups:
+        return
     if set(ctx.groups).intersection(settings.account_allowed_groups):
         return
     raise HTTPException(status_code=403, detail="forbidden")

tests/test_app.py

@@ -89,7 +89,7 @@ def test_forbidden_admin(monkeypatch) -> None:
 
 
 def test_account_access_denied(monkeypatch) -> None:
-    ctx = AuthContext(username="alice", email="", groups=[], claims={})
+    ctx = AuthContext(username="alice", email="", groups=["guest"], claims={})
     client = _client(monkeypatch, ctx)
 
     resp = client.post(
@@ -99,6 +99,17 @@ def test_account_access_denied(monkeypatch) -> None:
     assert resp.status_code == 403
 
 
+def test_account_access_allows_missing_groups(monkeypatch) -> None:
+    ctx = AuthContext(username="alice", email="", groups=[], claims={})
+    client = _client(monkeypatch, ctx)
+
+    resp = client.post(
+        "/api/account/firefly/reset",
+        headers={"Authorization": "Bearer token"},
+    )
+    assert resp.status_code != 403
+
+
 def test_metrics_endpoint(monkeypatch) -> None:
     ctx = AuthContext(username="", email="", groups=[], claims={})
     client = _client(monkeypatch, ctx)