fix: require workspace context for route aliases

daryllimyt · daryllimyt · commit 2dd2ab538aa2 · 2026-05-04T23:09:34.000-04:00
diff --git a/tests/unit/test_role_acl.py b/tests/unit/test_role_acl.py
@@ -230,6 +230,34 @@ async def api_key_conflict_route(  # pyright: ignore[reportUnusedFunction] - rou
     authenticate_api_key.assert_not_awaited()
 
 
+def test_role_acl_auto_workspace_requires_workspace_context(
+    role_acl_app: FastAPI,
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    authenticate_api_key = AsyncMock()
+    monkeypatch.setattr(credentials, "_authenticate_api_key", authenticate_api_key)
+
+    @role_acl_app.get("/api-key-missing-workspace")
+    async def api_key_missing_workspace_route(  # pyright: ignore[reportUnusedFunction] - route handler
+        role: Role = RoleACL(
+            allow_user=False,
+            allow_api_key=True,
+            require_workspace="yes",
+            workspace_id_in_path="auto",
+        ),
+    ) -> dict[str, str]:
+        return {"role_type": role.type}
+
+    response = TestClient(role_acl_app).get(
+        "/api-key-missing-workspace",
+        headers={"Authorization": "Bearer tc_ws_sk_managed-api-key_secret"},
+    )
+
+    assert response.status_code == 422
+    assert response.json()["detail"] == "workspace_id is required"
+    authenticate_api_key.assert_not_awaited()
+
+
 def test_role_acl_combined_service_and_api_key_route_uses_service_key_fallback(
     role_acl_app: FastAPI,
     monkeypatch: pytest.MonkeyPatch,
diff --git a/tracecat/auth/credentials.py b/tracecat/auth/credentials.py
@@ -896,7 +896,7 @@ async def _role_dependency(
 def _resolve_workspace_id_from_path_or_query(
     request: Request,
     workspace_id_query: uuid.UUID | None,
-) -> uuid.UUID | None:
+) -> uuid.UUID:
     path_value = request.path_params.get("workspace_id")
     path_workspace_id: uuid.UUID | None = None
     if path_value is not None:
@@ -921,7 +921,13 @@ def _resolve_workspace_id_from_path_or_query(
             status_code=status.HTTP_400_BAD_REQUEST,
             detail="Path and query workspace_id values must match",
         )
-    return path_workspace_id or workspace_id_query
+    workspace_id = path_workspace_id or workspace_id_query
+    if workspace_id is None:
+        raise HTTPException(
+            status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+            detail="workspace_id is required",
+        )
+    return workspace_id
 
 
 def RoleACL(
