refactor(auth): drop redundant session_enabled field

olivermeyer · claude · olivermeyer · commit e7effd2d95b0 · 2026-04-29T15:03:59.000+02:00
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -217,8 +217,7 @@ activates several cross-field requirements. Only needed when using
 | Variable | Required | Default | Description |
 |---|---|---|---|
 | `{PREFIX}AUTH_ENABLED` | no | `false` | Enable Auth0 authentication. When `true`, several other fields become required. |
-| `{PREFIX}AUTH_SESSION_ENABLED` | when enabled | `false` | Enable session cookies. Required when `AUTH_ENABLED=true`. |
-| `{PREFIX}AUTH_SESSION_SECRET` | when session enabled | `""` | Secret to sign session cookies. Required when `AUTH_SESSION_ENABLED=true`. |
+| `{PREFIX}AUTH_SESSION_SECRET` | when enabled | `""` | Secret to sign session cookies. Required when `AUTH_ENABLED=true`. |
 | `{PREFIX}AUTH_SESSION_EXPIRATION` | no | `86400` | Session cookie expiration in seconds (range: 61–31536000). |
 | `{PREFIX}AUTH_DOMAIN` | when enabled | `""` | Auth0 domain (e.g. `myapp.eu.auth0.com`). Required when `AUTH_ENABLED=true`. |
 | `{PREFIX}AUTH_CLIENT_ID` | when enabled | `""` | Auth0 client ID (max 32 chars). Required when `AUTH_ENABLED=true`. |
diff --git a/src/aignostics_foundry_core/api/auth.py b/src/aignostics_foundry_core/api/auth.py
@@ -41,7 +41,6 @@ class AuthSettings(OpaqueSettings):
 
     Fields:
         enabled: Enable Auth0 authentication (AUTH_ENABLED).
-        session_enabled: Enable session cookies (AUTH_SESSION_ENABLED).
         session_secret: Secret used to sign session cookies (AUTH_SESSION_SECRET).
         session_expiration: Session cookie expiration in seconds (AUTH_SESSION_EXPIRATION).
         domain: Auth0 domain (AUTH_DOMAIN).
@@ -51,16 +50,13 @@ class AuthSettings(OpaqueSettings):
         role_claim: JWT claim name containing the user's role (AUTH_ROLE_CLAIM).
 
     Cross-field rules (validated after field assignment):
-        - enabled=True requires session_enabled=True
-        - session_enabled=True requires session_secret not None
-        - enabled=True requires client_secret not None, non-empty domain, client_id,
-          internal_org_id, and role_claim
+        - enabled=True requires session_secret not None, client_secret not None,
+          non-empty domain, client_id, internal_org_id, and role_claim
     """
 
     model_config = SettingsConfigDict(extra="ignore")
 
     enabled: bool = Field(default=False)
-    session_enabled: bool = Field(default=False)
     session_secret: Annotated[
         SecretStr | None,
         PlainSerializer(func=OpaqueSettings.serialize_sensitive_info, return_type=str, when_used="always"),
@@ -90,11 +86,8 @@ def validate_auth_dependencies(self) -> "AuthSettings":
         Raises:
             ValueError: If any cross-field dependency is violated.
         """
-        if self.enabled and not self.session_enabled:
-            msg = "AUTH_SESSION_ENABLED must be True when AUTH_ENABLED is True"
-            raise ValueError(msg)
-        if self.session_enabled and self.session_secret is None:
-            msg = "AUTH_SESSION_SECRET must not be None when AUTH_SESSION_ENABLED is True"
+        if self.enabled and self.session_secret is None:
+            msg = "AUTH_SESSION_SECRET must not be None when AUTH_ENABLED is True"
             raise ValueError(msg)
         if self.enabled and self.client_secret is None:
             msg = "AUTH_CLIENT_SECRET must not be None when AUTH_ENABLED is True"
diff --git a/tests/aignostics_foundry_core/api/auth_test.py b/tests/aignostics_foundry_core/api/auth_test.py
@@ -92,7 +92,6 @@ def test_auth_settings_defaults(self) -> None:
         """AuthSettings has correct defaults when no env vars are set."""
         settings = AuthSettings()
         assert settings.enabled is False
-        assert settings.session_enabled is False
         assert not settings.internal_org_id
         assert not settings.role_claim
         assert not settings.domain
@@ -111,22 +110,16 @@ def test_auth_settings_uses_context_env_prefix(self, monkeypatch: pytest.MonkeyP
         settings = AuthSettings()
         assert settings.role_claim == "https://custom/role"
 
-    def test_enabled_requires_session_enabled(self) -> None:
-        """enabled=True with session_enabled=False raises ValidationError."""
+    def test_enabled_requires_session_secret(self) -> None:
+        """enabled=True with session_secret=None raises ValidationError."""
         with pytest.raises(pydantic.ValidationError):
-            AuthSettings(enabled=True, session_enabled=False)
-
-    def test_session_enabled_requires_session_secret(self) -> None:
-        """session_enabled=True with session_secret=None raises ValidationError."""
-        with pytest.raises(pydantic.ValidationError):
-            AuthSettings(session_enabled=True, session_secret=None)
+            AuthSettings(enabled=True, session_secret=None)
 
     def test_enabled_requires_client_secret(self) -> None:
         """enabled=True with client_secret=None raises ValidationError."""
         with pytest.raises(pydantic.ValidationError):
             AuthSettings(
                 enabled=True,
-                session_enabled=True,
                 session_secret=_TEST_SESSION_SECRET,
                 client_secret=None,
             )
@@ -136,7 +129,6 @@ def test_enabled_requires_non_empty_domain(self) -> None:
         with pytest.raises(pydantic.ValidationError):
             AuthSettings(
                 enabled=True,
-                session_enabled=True,
                 session_secret=_TEST_SESSION_SECRET,
                 client_secret=_TEST_CLIENT_SECRET,
                 domain="",
@@ -147,7 +139,6 @@ def test_enabled_requires_non_empty_client_id(self) -> None:
         with pytest.raises(pydantic.ValidationError):
             AuthSettings(
                 enabled=True,
-                session_enabled=True,
                 session_secret=_TEST_SESSION_SECRET,
                 client_secret=_TEST_CLIENT_SECRET,
                 domain=_TEST_DOMAIN,
@@ -159,7 +150,6 @@ def test_enabled_requires_non_empty_internal_org_id(self) -> None:
         with pytest.raises(pydantic.ValidationError):
             AuthSettings(
                 enabled=True,
-                session_enabled=True,
                 session_secret=_TEST_SESSION_SECRET,
                 client_secret=_TEST_CLIENT_SECRET,
                 domain=_TEST_DOMAIN,
@@ -172,7 +162,6 @@ def test_enabled_requires_non_empty_role_claim(self) -> None:
         with pytest.raises(pydantic.ValidationError):
             AuthSettings(
                 enabled=True,
-                session_enabled=True,
                 session_secret=_TEST_SESSION_SECRET,
                 client_secret=_TEST_CLIENT_SECRET,
                 domain=_TEST_DOMAIN,
