fix(api): guard get_user against non-dict session

[olivermeyer]

get_user should return None when the Auth0 session is not a dict.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Files with missing lines	Coverage Δ
src/aignostics_foundry_core/api/auth.py	100.00% <100.00%> (ø)

[claude]

Claude finished @olivermeyer's task in 1m 56s —— View job

---

Code Review Complete ✓

Summary

The PR successfully guards get_user against non-dict session values. The implementation is sound and test coverage is excellent (100%). However, there's one suggestion for improved observability.

---

Review Feedback

Suggestions

1. Add logging for non-dict session case

Location: src/aignostics_foundry_core/api/auth.py:309

Issue: When require_session returns a non-dict value, the code silently sets raw_user = None. This is a more serious condition than just a missing user key—it indicates the Auth0 library returned an unexpected type, which could signal a library bug or integration issue.

Current code:

raw_user: dict | None = session.get("user") if isinstance(session, dict) else None  # type: ignore[reportUnknownVariableType]

Suggestion: Add logging when session is not a dict:

if not isinstance(session, dict):
    msg = f"Session is not a dict (got {type(session).__name__})"
    logger.critical(msg)
    raw_user = None
else:
    raw_user = session.get("user")

Why: This improves observability and helps diagnose Auth0 integration issues. The existing code already logs at critical level for similar validation failures (line 312), so this would be consistent.

Fix this →

---

What Works Well

✅ Defensive programming: The isinstance(session, dict) guard prevents AttributeError when Auth0 returns unexpected types
✅ Test coverage: 100% coverage on new code with a dedicated test case
✅ Consistent error handling: Returns None for invalid session, matching existing patterns
✅ Conventional commits: Commit message follows the project's standards
✅ Type safety: Type annotations help document the expected types

---

Technical Analysis

Changed Logic

The PR modifies get_user() to handle the case where auth_client.require_session() returns a non-dict value:

Before: Assumed session was always dict[str, Any], would raise AttributeError on session.get("user")
After: Guards with isinstance(session, dict) before calling .get(), returns None for non-dict

Test Coverage

The new test (test_get_user_returns_none_when_session_is_not_a_dict) properly:

• Mocks require_session to return "not-a-dict"
• Verifies get_user returns None
• Uses @pytest.mark.integration marker (required by project standards)

Security & Performance

• ✅ No security concerns
• ✅ No performance impact
• ✅ No breaking changes

---

Verdict

Recommendation: Approve with the logging suggestion implemented.

The core fix is correct and well-tested. Adding logging for the non-dict case would improve observability without changing the behavior. Since this is a suggestion rather than a blocking issue, the PR could be merged as-is if you prefer, though I strongly recommend adding the logging.

---

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud