fix: tenant access to endpoints leading to access the base wallet (#3545

) * Fixing tenant endpoint access --------- Signed-off-by: Thiago Romano <thiagoromano.s@gmail.com>
openwallet-foundation · Feb 28, 2025 · a4dec2c · a4dec2c
1 parent 3057c0e
commit a4dec2c
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/acapy_agent/admin/decorators/auth.py b/acapy_agent/admin/decorators/auth.py
@@ -78,7 +78,7 @@ async def tenant_auth(request):
             (multitenant_enabled and authorization_header)
             or (not multitenant_enabled and valid_key)
             or (multitenant_enabled and valid_key and base_wallet_allowed_route)
-            or insecure_mode
+            or (insecure_mode and not multitenant_enabled)
             or request.method == "OPTIONS"
         ):
             return await handler(request)

diff --git a/acapy_agent/admin/tests/test_auth.py b/acapy_agent/admin/tests/test_auth.py
@@ -86,11 +86,11 @@ async def test_options_request(self):
         await decor_func(self.request)
         self.decorated_handler.assert_called_once_with(self.request)
 
-    async def test_insecure_mode(self):
+    async def test_insecure_mode_witout_token(self):
         self.profile.settings["admin.admin_insecure_mode"] = True
         decor_func = tenant_authentication(self.decorated_handler)
-        await decor_func(self.request)
-        self.decorated_handler.assert_called_once_with(self.request)
+        with self.assertRaises(web.HTTPUnauthorized):
+            await decor_func(self.request)
 
     async def test_single_tenant_invalid_api_key(self):
         self.profile.settings["multitenant.enabled"] = False