diff --git a/.env.template b/.env.template index 84dc46d1c..ee62f1d3d 100644 --- a/.env.template +++ b/.env.template @@ -124,6 +124,10 @@ ALLOW_HTTP_REQUESTS=True # When set to False errors during data processing will be returned as info but not raised to allow handling of faulty documents RAISE_INCREMENTAL_LOADING_ERRORS=True +# When set to True, the Cognee backend will require authentication for requests to the API. +# If you're disabling this, make sure to also disable ENABLE_BACKEND_ACCESS_CONTROL. +REQUIRE_AUTHENTICATION=False + # Set this variable to True to enforce usage of backend access control for Cognee # Note: This is only currently supported by the following databases: # Relational: SQLite, Postgres diff --git a/cognee/api/client.py b/cognee/api/client.py index 215e4a17e..7588638c3 100644 --- a/cognee/api/client.py +++ b/cognee/api/client.py @@ -33,6 +33,7 @@ from cognee.api.v1.users.routers import ( get_users_router, get_visualize_router, ) +from cognee.modules.users.methods.get_authenticated_user import REQUIRE_AUTHENTICATION logger = get_logger() @@ -110,7 +111,11 @@ def custom_openapi(): }, } - openapi_schema["security"] = [{"BearerAuth": []}, {"CookieAuth": []}] + if REQUIRE_AUTHENTICATION: + openapi_schema["security"] = [{"BearerAuth": []}, {"CookieAuth": []}] + + # Remove global security requirement - let individual endpoints specify their own security + # openapi_schema["security"] = [{"BearerAuth": []}, {"CookieAuth": []}] app.openapi_schema = openapi_schema diff --git a/cognee/api/health.py b/cognee/api/health.py index 0bfbca806..bdb3b1fe3 100644 --- a/cognee/api/health.py +++ b/cognee/api/health.py @@ -53,7 +53,7 @@ class HealthChecker: # Test connection by creating a session session = engine.get_session() if session: - await session.close() + session.close() response_time = int((time.time() - start_time) * 1000) return ComponentHealth( @@ -190,14 +190,13 @@ class HealthChecker: """Check LLM provider health (non-critical).""" start_time = time.time() try: - from cognee.infrastructure.llm.get_llm_client import get_llm_client + from cognee.infrastructure.llm.LLMGateway import LLMGateway from cognee.infrastructure.llm.config import get_llm_config config = get_llm_config() # Test actual API connection with minimal request - client = get_llm_client() - await client.show_prompt("test", "test") + LLMGateway.show_prompt("test", "test") response_time = int((time.time() - start_time) * 1000) return ComponentHealth( diff --git a/cognee/api/v1/datasets/routers/get_datasets_router.py b/cognee/api/v1/datasets/routers/get_datasets_router.py index 8052e3864..ff310e4b4 100644 --- a/cognee/api/v1/datasets/routers/get_datasets_router.py +++ b/cognee/api/v1/datasets/routers/get_datasets_router.py @@ -114,7 +114,8 @@ def get_datasets_router() -> APIRouter: @router.post("", response_model=DatasetDTO) async def create_new_dataset( - dataset_data: DatasetCreationPayload, user: User = Depends(get_authenticated_user) + dataset_data: DatasetCreationPayload, + user: User = Depends(get_authenticated_user), ): """ Create a new dataset or return existing dataset with the same name. diff --git a/cognee/modules/users/methods/__init__.py b/cognee/modules/users/methods/__init__.py index 969615b89..5d45df97b 100644 --- a/cognee/modules/users/methods/__init__.py +++ b/cognee/modules/users/methods/__init__.py @@ -4,4 +4,7 @@ from .delete_user import delete_user from .get_default_user import get_default_user from .get_user_by_email import get_user_by_email from .create_default_user import create_default_user -from .get_authenticated_user import get_authenticated_user +from .get_authenticated_user import ( + get_authenticated_user, + REQUIRE_AUTHENTICATION, +) diff --git a/cognee/modules/users/methods/get_authenticated_user.py b/cognee/modules/users/methods/get_authenticated_user.py index b60ddfe28..a2dd2330e 100644 --- a/cognee/modules/users/methods/get_authenticated_user.py +++ b/cognee/modules/users/methods/get_authenticated_user.py @@ -1,48 +1,42 @@ +import os +from typing import Optional +from fastapi import Depends, HTTPException +from ..models import User from ..get_fastapi_users import get_fastapi_users +from .get_default_user import get_default_user +from cognee.shared.logging_utils import get_logger +logger = get_logger("get_authenticated_user") + +# Check environment variable to determine authentication requirement +REQUIRE_AUTHENTICATION = ( + os.getenv("REQUIRE_AUTHENTICATION", "false").lower() == "true" + or os.getenv("ENABLE_BACKEND_ACCESS_CONTROL", "false").lower() == "true" +) + fastapi_users = get_fastapi_users() -get_authenticated_user = fastapi_users.current_user(active=True) - -# from types import SimpleNamespace - -# from ..get_fastapi_users import get_fastapi_users -# from fastapi import HTTPException, Security -# from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials -# import os -# import jwt - -# from uuid import UUID - -# fastapi_users = get_fastapi_users() - -# # Allows Swagger to understand authorization type and allow single sign on for the Swagger docs to test backend -# bearer_scheme = HTTPBearer(scheme_name="BearerAuth", description="Paste **Bearer <JWT>**") +_auth_dependency = fastapi_users.current_user(active=True, optional=not REQUIRE_AUTHENTICATION) -# async def get_authenticated_user( -# creds: HTTPAuthorizationCredentials = Security(bearer_scheme), -# ) -> SimpleNamespace: -# """ -# Extract and validate the JWT presented in the Authorization header. -# """ -# if creds is None: # header missing -# raise HTTPException(status_code=401, detail="Not authenticated") +async def get_authenticated_user( + user: Optional[User] = Depends(_auth_dependency), +) -> User: + """ + Get authenticated user with environment-controlled behavior: + - If REQUIRE_AUTHENTICATION=true: Enforces authentication (raises 401 if not authenticated) + - If REQUIRE_AUTHENTICATION=false: Falls back to default user if not authenticated -# if creds.scheme.lower() != "bearer": # shouldn't happen extra guard -# raise HTTPException(status_code=401, detail="Invalid authentication scheme") + Always returns a User object for consistent typing. + """ + if user is None: + # When authentication is optional and user is None, use default user + try: + user = await get_default_user() + except Exception as e: + # Convert any get_default_user failure into a proper HTTP 500 error + logger.error(f"Failed to create default user: {str(e)}") + raise HTTPException(status_code=500, detail=f"Failed to create default user: {str(e)}") -# token = creds.credentials -# try: -# payload = jwt.decode( -# token, os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret"), algorithms=["HS256"] -# ) - -# auth_data = SimpleNamespace(id=UUID(payload["user_id"])) -# return auth_data - -# except jwt.ExpiredSignatureError: -# raise HTTPException(status_code=401, detail="Token has expired") -# except jwt.InvalidTokenError: -# raise HTTPException(status_code=401, detail="Invalid token") + return user diff --git a/cognee/tests/unit/api/__init__.py b/cognee/tests/unit/api/__init__.py new file mode 100644 index 000000000..2b1755712 --- /dev/null +++ b/cognee/tests/unit/api/__init__.py @@ -0,0 +1 @@ +# Test package for API tests diff --git a/cognee/tests/unit/api/test_conditional_authentication_endpoints.py b/cognee/tests/unit/api/test_conditional_authentication_endpoints.py new file mode 100644 index 000000000..2eabee91a --- /dev/null +++ b/cognee/tests/unit/api/test_conditional_authentication_endpoints.py @@ -0,0 +1,246 @@ +import pytest +from unittest.mock import patch, AsyncMock, MagicMock +from uuid import uuid4 +from fastapi.testclient import TestClient +from types import SimpleNamespace +import importlib + +from cognee.api.client import app + + +# Fixtures for reuse across test classes +@pytest.fixture +def mock_default_user(): + """Mock default user for testing.""" + return SimpleNamespace( + id=uuid4(), email="default@example.com", is_active=True, tenant_id=uuid4() + ) + + +@pytest.fixture +def mock_authenticated_user(): + """Mock authenticated user for testing.""" + from cognee.modules.users.models import User + + return User( + id=uuid4(), + email="auth@example.com", + hashed_password="hashed", + is_active=True, + is_verified=True, + tenant_id=uuid4(), + ) + + +gau_mod = importlib.import_module("cognee.modules.users.methods.get_authenticated_user") + + +class TestConditionalAuthenticationEndpoints: + """Test that API endpoints work correctly with conditional authentication.""" + + @pytest.fixture + def client(self): + """Create a test client.""" + return TestClient(app) + + def test_health_endpoint_no_auth_required(self, client): + """Test that health endpoint works without authentication.""" + response = client.get("/health") + assert response.status_code in [200, 503] # 503 is also acceptable for health checks + + def test_root_endpoint_no_auth_required(self, client): + """Test that root endpoint works without authentication.""" + response = client.get("/") + assert response.status_code == 200 + assert response.json() == {"message": "Hello, World, I am alive!"} + + @patch( + "cognee.api.client.REQUIRE_AUTHENTICATION", + False, + ) + def test_openapi_schema_no_global_security(self, client): + """Test that OpenAPI schema doesn't require global authentication.""" + response = client.get("/openapi.json") + assert response.status_code == 200 + + schema = response.json() + + # Should not have global security requirement + global_security = schema.get("security", []) + assert global_security == [] + + # But should still have security schemes defined + security_schemes = schema.get("components", {}).get("securitySchemes", {}) + assert "BearerAuth" in security_schemes + assert "CookieAuth" in security_schemes + + @patch("cognee.api.v1.add.add") + @patch.object(gau_mod, "get_default_user", new_callable=AsyncMock) + @patch( + "cognee.api.client.REQUIRE_AUTHENTICATION", + False, + ) + def test_add_endpoint_with_conditional_auth( + self, mock_get_default_user, mock_add, client, mock_default_user + ): + """Test add endpoint works with conditional authentication.""" + mock_get_default_user.return_value = mock_default_user + mock_add.return_value = MagicMock( + model_dump=lambda: {"status": "success", "pipeline_run_id": str(uuid4())} + ) + + # Test file upload without authentication + files = {"data": ("test.txt", b"test content", "text/plain")} + form_data = {"datasetName": "test_dataset"} + + response = client.post("/api/v1/add", files=files, data=form_data) + + assert mock_get_default_user.call_count == 1 + + # Core test: authentication is not required (should not get 401) + assert response.status_code != 401 + + @patch.object(gau_mod, "get_default_user", new_callable=AsyncMock) + @patch( + "cognee.api.client.REQUIRE_AUTHENTICATION", + False, + ) + def test_conditional_authentication_works_with_current_environment( + self, mock_get_default_user, client + ): + """Test that conditional authentication works with the current environment setup.""" + # Since REQUIRE_AUTHENTICATION defaults to "false", we expect endpoints to work without auth + # This tests the actual integration behavior + + mock_get_default_user.return_value = SimpleNamespace( + id=uuid4(), email="default@example.com", is_active=True, tenant_id=uuid4() + ) + + files = {"data": ("test.txt", b"test content", "text/plain")} + form_data = {"datasetName": "test_dataset"} + + response = client.post("/api/v1/add", files=files, data=form_data) + + assert mock_get_default_user.call_count == 1 + + # Core test: authentication is not required (should not get 401) + assert response.status_code != 401 + # Note: This test verifies conditional authentication works in the current environment + + +class TestConditionalAuthenticationBehavior: + """Test the behavior of conditional authentication across different endpoints.""" + + @pytest.fixture + def client(self): + return TestClient(app) + + @pytest.mark.parametrize( + "endpoint,method", + [ + ("/api/v1/search", "GET"), + ("/api/v1/datasets", "GET"), + ], + ) + @patch.object(gau_mod, "get_default_user", new_callable=AsyncMock) + def test_get_endpoints_work_without_auth( + self, mock_get_default, client, endpoint, method, mock_default_user + ): + """Test that GET endpoints work without authentication (with current environment).""" + mock_get_default.return_value = mock_default_user + + if method == "GET": + response = client.get(endpoint) + elif method == "POST": + response = client.post(endpoint, json={}) + + assert mock_get_default.call_count == 1 + + # Should not return 401 Unauthorized (authentication is optional by default) + assert response.status_code != 401 + + # May return other errors due to missing data/config, but not auth errors + if response.status_code >= 400: + # Check that it's not an authentication error + try: + error_detail = response.json().get("detail", "") + assert "authenticate" not in error_detail.lower() + assert "unauthorized" not in error_detail.lower() + except Exception: + pass # If response is not JSON, that's fine + + gsm_mod = importlib.import_module("cognee.modules.settings.get_settings") + + @patch.object(gsm_mod, "get_vectordb_config") + @patch.object(gsm_mod, "get_llm_config") + @patch.object(gau_mod, "get_default_user", new_callable=AsyncMock) + def test_settings_endpoint_integration( + self, mock_get_default, mock_llm_config, mock_vector_config, client, mock_default_user + ): + """Test that settings endpoint integration works with conditional authentication.""" + mock_get_default.return_value = mock_default_user + + # Mock configurations to avoid validation errors + mock_llm_config.return_value = SimpleNamespace( + llm_provider="openai", + llm_model="gpt-4o", + llm_endpoint=None, + llm_api_version=None, + llm_api_key="test_key_1234567890", + ) + + mock_vector_config.return_value = SimpleNamespace( + vector_db_provider="lancedb", + vector_db_url="localhost:5432", # Must be string, not None + vector_db_key="test_vector_key", + ) + + response = client.get("/api/v1/settings") + + assert mock_get_default.call_count == 1 + + # Core test: authentication is not required (should not get 401) + assert response.status_code != 401 + # Note: This test verifies conditional authentication works for settings endpoint + + +class TestConditionalAuthenticationErrorHandling: + """Test error handling in conditional authentication.""" + + @pytest.fixture + def client(self): + return TestClient(app) + + @patch.object(gau_mod, "get_default_user", new_callable=AsyncMock) + def test_get_default_user_fails(self, mock_get_default, client): + """Test behavior when get_default_user fails (with current environment).""" + mock_get_default.side_effect = Exception("Database connection failed") + + # The error should propagate - either as a 500 error or as an exception + files = {"data": ("test.txt", b"test content", "text/plain")} + form_data = {"datasetName": "test_dataset"} + + # Test that the exception is properly converted to HTTP 500 + response = client.post("/api/v1/add", files=files, data=form_data) + + # Should return HTTP 500 Internal Server Error when get_default_user fails + assert response.status_code == 500 + + # Check that the error message is informative + error_detail = response.json().get("detail", "") + assert "Failed to create default user" in error_detail + # The exact error message may vary depending on the actual database connection + # The important thing is that we get a 500 error when user creation fails + + def test_current_environment_configuration(self): + """Test that current environment configuration is working properly.""" + # This tests the actual module state without trying to change it + from cognee.modules.users.methods.get_authenticated_user import ( + REQUIRE_AUTHENTICATION, + ) + + # Should be a boolean value (the parsing logic works) + assert isinstance(REQUIRE_AUTHENTICATION, bool) + + # In default environment, should be False + assert not REQUIRE_AUTHENTICATION diff --git a/cognee/tests/unit/modules/users/__init__.py b/cognee/tests/unit/modules/users/__init__.py new file mode 100644 index 000000000..a5e9995d3 --- /dev/null +++ b/cognee/tests/unit/modules/users/__init__.py @@ -0,0 +1 @@ +# Test package for user module tests diff --git a/cognee/tests/unit/modules/users/test_conditional_authentication.py b/cognee/tests/unit/modules/users/test_conditional_authentication.py new file mode 100644 index 000000000..c4368d796 --- /dev/null +++ b/cognee/tests/unit/modules/users/test_conditional_authentication.py @@ -0,0 +1,277 @@ +import os +import sys +import pytest +from unittest.mock import AsyncMock, patch +from uuid import uuid4 +from types import SimpleNamespace +import importlib + + +from cognee.modules.users.models import User + + +gau_mod = importlib.import_module("cognee.modules.users.methods.get_authenticated_user") + + +class TestConditionalAuthentication: + """Test cases for conditional authentication functionality.""" + + @pytest.mark.asyncio + @patch.object(gau_mod, "get_default_user", new_callable=AsyncMock) + async def test_require_authentication_false_no_token_returns_default_user( + self, mock_get_default + ): + """Test that when REQUIRE_AUTHENTICATION=false and no token, returns default user.""" + # Mock the default user + mock_default_user = SimpleNamespace(id=uuid4(), email="default@example.com", is_active=True) + mock_get_default.return_value = mock_default_user + + # Use gau_mod.get_authenticated_user instead + + # Test with None user (no authentication) + result = await gau_mod.get_authenticated_user(user=None) + + assert result == mock_default_user + mock_get_default.assert_called_once() + + @pytest.mark.asyncio + @patch.object(gau_mod, "get_default_user", new_callable=AsyncMock) + async def test_require_authentication_false_with_valid_user_returns_user( + self, mock_get_default + ): + """Test that when REQUIRE_AUTHENTICATION=false and valid user, returns that user.""" + mock_authenticated_user = User( + id=uuid4(), + email="user@example.com", + hashed_password="hashed", + is_active=True, + is_verified=True, + ) + + # Use gau_mod.get_authenticated_user instead + + # Test with authenticated user + result = await gau_mod.get_authenticated_user(user=mock_authenticated_user) + + assert result == mock_authenticated_user + mock_get_default.assert_not_called() + + @pytest.mark.asyncio + @patch.object(gau_mod, "get_default_user", new_callable=AsyncMock) + async def test_require_authentication_true_with_user_returns_user(self, mock_get_default): + """Test that when REQUIRE_AUTHENTICATION=true and user present, returns user.""" + mock_authenticated_user = User( + id=uuid4(), + email="user@example.com", + hashed_password="hashed", + is_active=True, + is_verified=True, + ) + + # Use gau_mod.get_authenticated_user instead + + result = await gau_mod.get_authenticated_user(user=mock_authenticated_user) + + assert result == mock_authenticated_user + + +class TestConditionalAuthenticationIntegration: + """Integration tests that test the full authentication flow.""" + + @pytest.mark.asyncio + async def test_fastapi_users_dependency_creation(self): + """Test that FastAPI Users dependency can be created correctly.""" + from cognee.modules.users.get_fastapi_users import get_fastapi_users + + fastapi_users = get_fastapi_users() + + # Test that we can create optional dependency + optional_dependency = fastapi_users.current_user(optional=True, active=True) + assert callable(optional_dependency) + + # Test that we can create required dependency + required_dependency = fastapi_users.current_user(active=True) # optional=False by default + assert callable(required_dependency) + + @pytest.mark.asyncio + async def test_conditional_authentication_function_exists(self): + """Test that the conditional authentication function can be imported and used.""" + from cognee.modules.users.methods.get_authenticated_user import ( + get_authenticated_user, + REQUIRE_AUTHENTICATION, + ) + + # Should be callable + assert callable(get_authenticated_user) + + # REQUIRE_AUTHENTICATION should be a boolean + assert isinstance(REQUIRE_AUTHENTICATION, bool) + + # Currently should be False (optional authentication) + assert not REQUIRE_AUTHENTICATION + + +class TestConditionalAuthenticationEnvironmentVariables: + """Test environment variable handling.""" + + def test_require_authentication_default_false(self): + """Test that REQUIRE_AUTHENTICATION defaults to false when imported with no env vars.""" + with patch.dict(os.environ, {}, clear=True): + # Remove module from cache to force fresh import + module_name = "cognee.modules.users.methods.get_authenticated_user" + if module_name in sys.modules: + del sys.modules[module_name] + + # Import after patching environment - module will see empty environment + from cognee.modules.users.methods.get_authenticated_user import ( + REQUIRE_AUTHENTICATION, + ) + + importlib.invalidate_caches() + assert not REQUIRE_AUTHENTICATION + + def test_require_authentication_true(self): + """Test that REQUIRE_AUTHENTICATION=true is parsed correctly when imported.""" + with patch.dict(os.environ, {"REQUIRE_AUTHENTICATION": "true"}): + # Remove module from cache to force fresh import + module_name = "cognee.modules.users.methods.get_authenticated_user" + if module_name in sys.modules: + del sys.modules[module_name] + + # Import after patching environment - module will see REQUIRE_AUTHENTICATION=true + from cognee.modules.users.methods.get_authenticated_user import ( + REQUIRE_AUTHENTICATION, + ) + + assert REQUIRE_AUTHENTICATION + + def test_require_authentication_false_explicit(self): + """Test that REQUIRE_AUTHENTICATION=false is parsed correctly when imported.""" + with patch.dict(os.environ, {"REQUIRE_AUTHENTICATION": "false"}): + # Remove module from cache to force fresh import + module_name = "cognee.modules.users.methods.get_authenticated_user" + if module_name in sys.modules: + del sys.modules[module_name] + + # Import after patching environment - module will see REQUIRE_AUTHENTICATION=false + from cognee.modules.users.methods.get_authenticated_user import ( + REQUIRE_AUTHENTICATION, + ) + + assert not REQUIRE_AUTHENTICATION + + def test_require_authentication_case_insensitive(self): + """Test that environment variable parsing is case insensitive when imported.""" + test_cases = ["TRUE", "True", "tRuE", "FALSE", "False", "fAlSe"] + + for case in test_cases: + with patch.dict(os.environ, {"REQUIRE_AUTHENTICATION": case}): + # Remove module from cache to force fresh import + module_name = "cognee.modules.users.methods.get_authenticated_user" + if module_name in sys.modules: + del sys.modules[module_name] + + # Import after patching environment + from cognee.modules.users.methods.get_authenticated_user import ( + REQUIRE_AUTHENTICATION, + ) + + expected = case.lower() == "true" + assert REQUIRE_AUTHENTICATION == expected, f"Failed for case: {case}" + + def test_current_require_authentication_value(self): + """Test that the current REQUIRE_AUTHENTICATION module value is as expected.""" + from cognee.modules.users.methods.get_authenticated_user import ( + REQUIRE_AUTHENTICATION, + ) + + # The module-level variable should currently be False (set at import time) + assert isinstance(REQUIRE_AUTHENTICATION, bool) + assert not REQUIRE_AUTHENTICATION + + +class TestConditionalAuthenticationEdgeCases: + """Test edge cases and error scenarios.""" + + @pytest.mark.asyncio + @patch.object(gau_mod, "get_default_user", new_callable=AsyncMock) + async def test_get_default_user_raises_exception(self, mock_get_default): + """Test behavior when get_default_user raises an exception.""" + mock_get_default.side_effect = Exception("Database error") + + # This should propagate the exception + with pytest.raises(Exception, match="Database error"): + await gau_mod.get_authenticated_user(user=None) + + @pytest.mark.asyncio + @patch.object(gau_mod, "get_default_user", new_callable=AsyncMock) + async def test_user_type_consistency(self, mock_get_default): + """Test that the function always returns the same type.""" + mock_user = User( + id=uuid4(), + email="test@example.com", + hashed_password="hashed", + is_active=True, + is_verified=True, + ) + + mock_default_user = SimpleNamespace(id=uuid4(), email="default@example.com", is_active=True) + mock_get_default.return_value = mock_default_user + + # Test with user + result1 = await gau_mod.get_authenticated_user(user=mock_user) + assert result1 == mock_user + + # Test with None + result2 = await gau_mod.get_authenticated_user(user=None) + assert result2 == mock_default_user + + # Both should have user-like interface + assert hasattr(result1, "id") + assert hasattr(result1, "email") + assert result1.id == mock_user.id + assert result1.email == mock_user.email + assert hasattr(result2, "id") + assert hasattr(result2, "email") + assert result2.id == mock_default_user.id + assert result2.email == mock_default_user.email + + +@pytest.mark.asyncio +class TestAuthenticationScenarios: + """Test specific authentication scenarios that could occur in FastAPI Users.""" + + @patch.object(gau_mod, "get_default_user", new_callable=AsyncMock) + async def test_fallback_to_default_user_scenarios(self, mock_get_default): + """ + Test fallback to default user for all scenarios where FastAPI Users returns None: + - No JWT/Cookie present + - Invalid JWT/Cookie + - Valid JWT but user doesn't exist in database + - Valid JWT but user is inactive (active=True requirement) + + All these scenarios result in FastAPI Users returning None when optional=True, + which should trigger fallback to default user. + """ + mock_default_user = SimpleNamespace(id=uuid4(), email="default@example.com") + mock_get_default.return_value = mock_default_user + + # All the above scenarios result in user=None being passed to our function + result = await gau_mod.get_authenticated_user(user=None) + assert result == mock_default_user + mock_get_default.assert_called_once() + + async def test_scenario_valid_active_user(self): + """Scenario: Valid JWT and user exists and is active → returns the user.""" + mock_user = User( + id=uuid4(), + email="active@example.com", + hashed_password="hashed", + is_active=True, + is_verified=True, + ) + + # Use gau_mod.get_authenticated_user instead + + result = await gau_mod.get_authenticated_user(user=mock_user) + assert result == mock_user