fix(auth): remove incorrect request parameter from OAuth method calls

[BrandtKruger]

Fixed a critical bug where framework implementations were passing a request parameter to OAuth.is_authenticated() and OAuth.get_user_info() methods that don't accept any parameters beyond self.

Issue:

• FastAPI and Flask framework routes were calling these methods with request
• Methods were designed to get user context internally via framework.get_user_id()
• This caused "takes 1 positional argument but 2 were given" errors
• Authentication checks always failed, breaking the /user endpoint

Changes:

• kinde_fastapi/framework/fastapi_framework.py: Removed request parameter from is_authenticated() and get_user_info() calls in auto-registered routes
• kinde_flask/framework/flask_framework.py: Removed request parameter from is_authenticated() and get_user_info() calls in auto-registered routes
• kinde_sdk/auth/oauth.py: Updated docstrings to remove misleading documentation about non-existent request parameter

Impact:

• Fixes authentication checks for all FastAPI and Flask applications
• /user endpoint now works correctly
• No breaking changes - methods never used the parameter that was being passed
• All dependent features (permissions, claims, feature flags) unaffected

Resolves client-reported issue where authentication always showed as "not authenticated" and /user endpoint threw exceptions.

Explain your changes

Suppose there is a related issue with enough detail for a reviewer to understand your changes fully. In that case, you can omit an explanation and instead include either “Fixes #XX” or “Updates #XX” where “XX” is the issue number.

Checklist

• I have read the “Pull requests” section in the contributing guidelines.
• I agree to the terms within the code of conduct.

🛟 If you need help, consider asking for advice over in the Kinde community.

[coderabbitai]

Walkthrough

Removed the request parameter from OAuth methods (is_authenticated, get_user_info) and updated FastAPI and Flask framework handlers to call these methods without passing the request; cleaned unused imports and docstrings; added unit tests validating the new method signatures.

Changes

Cohort / File(s)	Change Summary
FastAPI integration kinde_fastapi/framework/fastapi_framework.py	Removed request parameter from nested helper and public route signatures (get_current_user, register, get_user); updated calls to is_authenticated() and get_user_info() to omit request; removed unused typing and Depends import; added runtime import check (_ = fastapi).
Flask integration kinde_flask/framework/flask_framework.py	Updated endpoint to call OAuth.is_authenticated() and OAuth.get_user_info() without request; removed unused imports (threading, logging, flask_session); adjusted typing imports (TYPE_CHECKING).
Core OAuth module kinde_sdk/auth/oauth.py	Cleaned imports (removed asyncio, extra typing, unused helpers); removed docstring Args describing a request parameter for is_authenticated and get_user_info; no control-flow changes.
Tests testv2/testv2_auth/test_oauth.py	Added tests asserting is_authenticated and get_user_info have no parameters and raise TypeError when extra args are passed; added inspect and Mock usage and OpenID config mocking.

Sequence Diagram(s)

sequenceDiagram
    participant FastAPI as FastAPI handler
    participant Flask as Flask handler
    participant OAuth as OAuth module

    rect rgb(240,248,255)
    Note over FastAPI,OAuth: Updated flow — no request object passed
    FastAPI->>OAuth: is_authenticated()
    OAuth-->>FastAPI: bool (authenticated?)
    alt not authenticated
        FastAPI->>OAuth: login flow (redirect/init)
    end
    FastAPI->>OAuth: get_user_info()
    OAuth-->>FastAPI: user info
    end

Loading

sequenceDiagram
    participant Flask as Flask handler
    participant OAuth as OAuth module

    rect rgb(240,248,255)
    Note over Flask,OAuth: Updated flow — no request object passed
    Flask->>OAuth: is_authenticated()
    OAuth-->>Flask: bool
    alt not authenticated
        Flask->>OAuth: login flow (redirect/init)
    end
    Flask->>OAuth: get_user_info()
    OAuth-->>Flask: user info
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Areas to check:
  • All call sites across the repo invoking is_authenticated / get_user_info updated to the no-argument form.
  • FastAPI/Flask handlers for any implicit reliance on Request or request-scoped context previously passed into OAuth methods.
  • Test coverage and mocks correctly reflect new signatures and behavior; ensure no lingering tests that pass a request.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: removing incorrect request parameters from OAuth method calls in framework implementations.
Description check	✅ Passed	The description is clearly related to the changeset, providing context about the bug, affected files, and impact of the changes.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[brettchaldecott]

Look like it will fix the problem

[DanielRivers]

Can we add some tests to cover this? params have been removed and all tests are still passing unchanged, need to make sure this is covered

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

kinde_fastapi/framework/fastapi_framework.py (2)

122-128: Consider removing unused helper function.

The get_current_user() helper is defined but never invoked in the codebase. This appears to be dead code that can be removed.

Would you like me to verify whether this function is used elsewhere in the codebase, or help generate a diff to remove it?

---

243-248: Minor: Consider alternative to no-op assignment.

The _ = fastapi assignment works but could be more explicit. Consider alternatives like checking a module attribute instead.

Apply this diff for a clearer intent:

     try:
         import fastapi
-        _ = fastapi  # Import check only
+        return hasattr(fastapi, '__version__')
-        return True
     except ImportError:
         return False

Alternatively, keep the current approach if you prefer simplicity—both work fine.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 33cfbce and 0c25024.

📒 Files selected for processing (4)

• kinde_fastapi/framework/fastapi_framework.py (4 hunks)
• kinde_flask/framework/flask_framework.py (4 hunks)
• kinde_sdk/auth/oauth.py (1 hunks)
• testv2/testv2_auth/test_oauth_method_signatures.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• kinde_sdk/auth/oauth.py
• kinde_flask/framework/flask_framework.py

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-07-03T09:38:46.175Z

Learnt from: brettchaldecott
Repo: kinde-oss/kinde-python-sdk PR: 83
File: kinde_flask/examples/example_app.py:25-44
Timestamp: 2025-07-03T09:38:46.175Z
Learning: The kinde_flask framework automatically creates and registers standard OAuth routes (/login, /logout, /callback, /register, /user) at runtime when the OAuth instance is initialized with a Flask app. These routes do not need to be manually defined in application code.

Applied to files:

• kinde_fastapi/framework/fastapi_framework.py

🧬 Code graph analysis (2)

testv2/testv2_auth/test_oauth_method_signatures.py (3)

kinde_sdk/auth/oauth.py (3)

• OAuth (23-634)
• is_authenticated (124-141)
• get_user_info (143-173)

kinde_fastapi/framework/fastapi_framework.py (5)

• start (54-67)
• stop (69-75)
• get_user_id (96-106)
• FastAPIFramework (17-248)
• get_name (36-43)

kinde_flask/framework/flask_framework.py (5)

• start (58-71)
• stop (73-79)
• get_user_id (100-110)
• get_name (40-47)
• FlaskFramework (14-262)

kinde_fastapi/framework/fastapi_framework.py (2)

kinde_sdk/auth/oauth.py (4)

• is_authenticated (124-141)
• get_user_info (143-173)
• register (374-418)
• login (333-372)

kinde_fastapi/storage/fastapi_storage.py (1)

• get (20-36)

🪛 Ruff (0.14.3)

testv2/testv2_auth/test_oauth_method_signatures.py

38-38: Unused method argument: mock_storage_factory

(ARG002)

---

38-38: Unused method argument: mock_framework_factory

(ARG002)

---

55-55: Unused method argument: mock_storage_factory

(ARG002)

---

55-55: Unused method argument: mock_framework_factory

(ARG002)

---

212-212: Unused method argument: mock_middleware

(ARG002)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: unittest (3.13)
• GitHub Check: unittest (3.9)
• GitHub Check: unittest (3.12)
• GitHub Check: unittest (3.11)
• GitHub Check: unittest (3.10)

🔇 Additional comments (8)

kinde_fastapi/framework/fastapi_framework.py (3)

1-2: LGTM! Import cleanup aligns with usage.

The removal of unused imports (Dict, Any from typing and Depends from fastapi) is correct. The code no longer uses these types, and Request is appropriately retained for routes that access the request object.

---

224-226: LGTM! Correctly removed unused parameter.

The request parameter was never used in this route handler, and OAuth.register() doesn't accept it. The removal is correct and aligns with the method signature in oauth.py.

---

230-234: LGTM! This fixes the core authentication bug.

The removal of the request parameter from both the route signature and the OAuth method calls directly addresses the reported issue. The OAuth methods is_authenticated() and get_user_info() retrieve user context internally via framework.get_user_id() and don't require a request parameter.

testv2/testv2_auth/test_oauth_method_signatures.py (5)

1-34: LGTM! Well-structured test setup.

The test module has a clear purpose statement, appropriate imports, and proper setup/teardown with environment variable mocking. This directly addresses the reviewer request for test coverage of the parameter fix.

---

38-68: LGTM! Signature validation prevents regression.

These tests use inspect.signature to verify that is_authenticated() and get_user_info() accept no parameters beyond self, directly preventing the regression of the bug where frameworks incorrectly passed request parameters.

Note: The static analysis warnings about unused mock_storage_factory and mock_framework_factory parameters are false positives—these are injected by the @patch decorators and required in the signature.

---

73-133: LGTM! Functional tests validate parameterless invocation.

These tests verify that the methods can be successfully invoked without parameters and exhibit correct behavior. The comprehensive mocking (framework, storage, OpenID config) ensures the tests accurately simulate the runtime environment.

---

138-201: LGTM! Parameter rejection tests ensure bug detection.

These tests verify that passing extra parameters raises TypeError with a clear error message. This is crucial for catching regressions—if someone mistakenly adds back the request parameter in framework code, these tests will immediately fail.

---

204-294: LGTM! Integration tests validate end-to-end fix.

These integration tests verify that OAuth initialization and route registration complete successfully for both FastAPI and Flask frameworks. By ensuring no TypeError is raised during route registration, they confirm the parameter fix works in the actual framework context.

Note: The static analysis warning about unused mock_middleware is a false positive—it's injected by the @patch decorator.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0c25024 and 0bfad20.

📒 Files selected for processing (2)

• testv2/testv2_auth/test_framework_route_handlers.py (1 hunks)
• testv2/testv2_auth/test_oauth_method_fix.py (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-07-03T09:38:46.175Z

Learnt from: brettchaldecott
Repo: kinde-oss/kinde-python-sdk PR: 83
File: kinde_flask/examples/example_app.py:25-44
Timestamp: 2025-07-03T09:38:46.175Z
Learning: The kinde_flask framework automatically creates and registers standard OAuth routes (/login, /logout, /callback, /register, /user) at runtime when the OAuth instance is initialized with a Flask app. These routes do not need to be manually defined in application code.

Applied to files:

• testv2/testv2_auth/test_framework_route_handlers.py

🧬 Code graph analysis (2)

testv2/testv2_auth/test_framework_route_handlers.py (1)

kinde_sdk/auth/oauth.py (2)

• OAuth (23-634)
• get_user_info (143-173)

testv2/testv2_auth/test_oauth_method_fix.py (1)

kinde_sdk/auth/oauth.py (2)

• OAuth (23-634)
• get_user_info (143-173)

🪛 Ruff (0.14.3)

testv2/testv2_auth/test_framework_route_handlers.py

37-37: Unused method argument: mock_storage_factory

(ARG002)

---

93-93: Unused method argument: mock_storage_factory

(ARG002)

---

150-150: Unused method argument: mock_storage_factory

(ARG002)

---

223-223: Unused method argument: mock_storage_factory

(ARG002)

---

253-253: Possible hardcoded password assigned to: "secret_key"

(S105)

---

270-270: Unused method argument: mock_storage_factory

(ARG002)

---

300-300: Possible hardcoded password assigned to: "secret_key"

(S105)

testv2/testv2_auth/test_oauth_method_fix.py

40-40: Unused method argument: mock_framework_factory

(ARG002)

---

40-40: Unused method argument: mock_storage_factory

(ARG002)

---

56-56: Unused method argument: mock_framework_factory

(ARG002)

---

56-56: Unused method argument: mock_storage_factory

(ARG002)

---

73-73: Unused method argument: mock_framework_factory

(ARG002)

---

73-73: Unused method argument: mock_storage_factory

(ARG002)

---

103-103: Unused method argument: mock_framework_factory

(ARG002)

---

103-103: Unused method argument: mock_storage_factory

(ARG002)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: unittest (3.12)
• GitHub Check: unittest (3.13)
• GitHub Check: unittest (3.10)
• GitHub Check: unittest (3.9)
• GitHub Check: unittest (3.11)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

testv2/testv2_auth/test_oauth_method_fix.py (3)

18-18: Remove unused import.

KindeConfigurationException is imported but never used in this test file.

Apply this diff:

 from kinde_sdk.auth.oauth import OAuth
-from kinde_sdk.core.exceptions import KindeConfigurationException

---

38-92: Previous critical issue resolved; consider extracting duplicate mock setup.

The requests.get patch is now in place for both tests, which resolves the critical issue flagged in the previous review.

However, the OpenID configuration mock setup (lines 48-56 and 76-84) is duplicated. Consider extracting this to a helper method or fixture to reduce duplication.

Note: Static analysis warnings about unused mock_framework_factory and mock_storage_factory are false positives—these parameters are required by the @patch decorators to prevent actual factory instantiation during OAuth construction.

Example refactor using a helper method:

def _create_mock_openid_response(self):
    """Helper to create mock OpenID configuration response."""
    mock_response = Mock()
    mock_response.status_code = 200
    mock_response.json = Mock(return_value={
        'authorization_endpoint': 'https://test.kinde.com/oauth2/auth',
        'token_endpoint': 'https://test.kinde.com/oauth2/token',
        'end_session_endpoint': 'https://test.kinde.com/logout',
        'userinfo_endpoint': 'https://test.kinde.com/oauth2/userinfo'
    })
    return mock_response

@patch('kinde_sdk.auth.oauth.requests.get')
@patch('kinde_sdk.auth.oauth.StorageFactory')
@patch('kinde_sdk.auth.oauth.FrameworkFactory')
def test_is_authenticated_signature_has_no_parameters(self, mock_framework_factory, mock_storage_factory, mock_get):
    """..."""
    mock_get.return_value = self._create_mock_openid_response()
    # rest of test...

---

94-152: Good regression coverage; same duplication opportunity.

These tests provide valuable regression protection by ensuring TypeError is raised when extra parameters are passed, directly addressing the PR objective to prevent the bug from being reintroduced.

The same mock setup duplication noted in lines 38-92 also applies here (lines 105-113 and 135-143). The helper method suggestion from the previous comment would eliminate this duplication as well.

Note: The static analysis warnings about unused mock parameters are false positives for the same reason.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0bfad20 and fb0792b.

📒 Files selected for processing (1)

• testv2/testv2_auth/test_oauth_method_fix.py (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

testv2/testv2_auth/test_oauth_method_fix.py (1)

kinde_sdk/auth/oauth.py (2)

• OAuth (23-634)
• get_user_info (143-173)

🪛 Ruff (0.14.3)

testv2/testv2_auth/test_oauth_method_fix.py

41-41: Unused method argument: mock_framework_factory

(ARG002)

---

41-41: Unused method argument: mock_storage_factory

(ARG002)

---

69-69: Unused method argument: mock_framework_factory

(ARG002)

---

69-69: Unused method argument: mock_storage_factory

(ARG002)

---

97-97: Unused method argument: mock_framework_factory

(ARG002)

---

97-97: Unused method argument: mock_storage_factory

(ARG002)

---

127-127: Unused method argument: mock_framework_factory

(ARG002)

---

127-127: Unused method argument: mock_storage_factory

(ARG002)

🔇 Additional comments (2)

testv2/testv2_auth/test_oauth_method_fix.py (2)

21-36: LGTM!

The test setup and teardown correctly manage environment variable patching for OAuth configuration.

---

154-157: LGTM!

Standard unittest runner for direct execution.

[BrandtKruger]

Can we add some tests to cover this? params have been removed and all tests are still passing unchanged, need to make sure this is covered

Tests added.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fb0792b and 6453968.

📒 Files selected for processing (1)

• testv2/testv2_auth/test_oauth.py (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

testv2/testv2_auth/test_oauth.py (2)

kinde_sdk/auth/oauth.py (3)

• OAuth (23-634)
• is_authenticated (124-141)
• get_user_info (143-173)

kinde_sdk/auth/user_session.py (1)

• is_authenticated (130-146)

🪛 GitHub Actions: CI

testv2/testv2_auth/test_oauth.py

[error] 1-1: Step 'pytest --cov=kinde_sdk --cov-branch --cov-report=xml' failed due to timeout. Test 'TestOAuthExtended.test_is_authenticated_rejects_extra_parameters' timed out (pytest-timeout). Investigate potential blocking operations or increase timeout.

🪛 Ruff (0.14.4)

testv2/testv2_auth/test_oauth.py

142-142: Unused method argument: mock_framework_factory

(ARG002)

---

142-142: Unused method argument: mock_storage_factory

(ARG002)

---

177-177: Unused method argument: mock_framework_factory

(ARG002)

---

177-177: Unused method argument: mock_storage_factory

(ARG002)

---

212-212: Unused method argument: mock_framework_factory

(ARG002)

---

212-212: Unused method argument: mock_storage_factory

(ARG002)

---

248-248: Unused method argument: mock_framework_factory

(ARG002)

---

248-248: Unused method argument: mock_storage_factory

(ARG002)

🔇 Additional comments (3)

testv2/testv2_auth/test_oauth.py (3)

6-7: LGTM!

The new imports are appropriate for the signature verification tests.

---

133-167: LGTM!

The signature inspection test correctly verifies that is_authenticated() accepts no parameters beyond self. The unused mock parameters flagged by static analysis are intentionally present to prevent side effects during OAuth initialization.

---

168-202: LGTM!

The signature inspection test correctly verifies that get_user_info() accepts no parameters beyond self.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

testv2/testv2_auth/test_oauth.py (1)

134-294: Consider extracting shared mock setup to reduce duplication.

All four tests share identical mock setup patterns (environment variables, factory configuration, OpenID config mocking). Extracting this to a setUp method or helper function would improve maintainability.

Example refactor:

class TestOAuthMethodSignatures(unittest.TestCase):
    """Test OAuth method signatures to verify the fix for incorrect request parameter passing."""
    
    def _setup_oauth_mocks(self, mock_get, mock_framework_factory, mock_storage_factory):
        """Helper to configure OAuth mocks consistently."""
        # Mock OpenID configuration
        mock_response = Mock()
        mock_response.status_code = 200
        mock_response.json = Mock(return_value={
            'authorization_endpoint': 'https://test.kinde.com/oauth2/auth',
            'token_endpoint': 'https://test.kinde.com/oauth2/token',
            'end_session_endpoint': 'https://test.kinde.com/logout',
            'userinfo_endpoint': 'https://test.kinde.com/oauth2/userinfo'
        })
        mock_get.return_value = mock_response
        
        # Configure factory mocks
        mock_storage_factory.create_storage.return_value = MagicMock()
        mock_framework_factory.create_framework.return_value = None
        
        return OAuth(framework=None)

Then use it in each test:

@patch.dict('os.environ', {...})
@patch('kinde_sdk.auth.oauth.requests.get')
@patch('kinde_sdk.auth.oauth.StorageFactory')
@patch('kinde_sdk.auth.oauth.FrameworkFactory')
def test_is_authenticated_signature_has_no_parameters(self, mock_framework_factory, mock_storage_factory, mock_get):
    oauth = self._setup_oauth_mocks(mock_get, mock_framework_factory, mock_storage_factory)
    sig = inspect.signature(oauth.is_authenticated)
    # ... rest of test

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6453968 and 403fb65.

📒 Files selected for processing (1)

• testv2/testv2_auth/test_oauth.py (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

testv2/testv2_auth/test_oauth.py (2)

kinde_sdk/auth/oauth.py (2)

• is_authenticated (124-141)
• get_user_info (143-173)

kinde_sdk/auth/user_session.py (1)

• is_authenticated (130-146)

🔇 Additional comments (5)

testv2/testv2_auth/test_oauth.py (5)

6-7: LGTM!

The new imports (inspect for signature inspection and Mock for HTTP response mocking) are appropriate for the test requirements.

---

146-174: Good regression test with proper mock configuration.

This test correctly validates that is_authenticated() accepts no parameters beyond self, which prevents the bug where FastAPI/Flask were passing a request parameter. The factory mock configuration at lines 164-166 addresses the timeout concern from past reviews.

---

185-213: LGTM!

This test correctly validates that get_user_info() accepts no parameters beyond self, with proper factory mock configuration to prevent initialization issues.

---

224-253: Past review concern addressed.

The factory mock configuration at lines 242-244 correctly resolves the timeout issue flagged in past reviews. The test effectively prevents regression by ensuring TypeError is raised when extra parameters are passed.

---

264-293: Past review concern addressed.

The factory mock configuration at lines 282-284 resolves the timeout concern from past reviews. The test correctly validates that get_user_info() rejects extra parameters with a TypeError.