Fix bug with public data network.

Author: matteius

FLEXIBLE_AUTH_README.md

@@ -89,13 +89,18 @@ All historical data endpoints now support both authentication methods:
 
 ## Authentication Flow
 
-### Device API Key Flow
+### Public Device Flow (No Authentication Required)
+1. System checks if the requested device is marked as public (`private_data=False`)
+2. If public, data is returned immediately without authentication
+3. This preserves the original behavior for public devices
+
+### Private Device - API Key Flow
 1. User provides API key in `X-API-Key` header
 2. System validates API key exists in database
 3. System checks if API key is authorized for requested device
 4. If authorized, data is returned
 
-### Fief Token Flow (with caching)
+### Private Device - Fief Token Flow (with caching)
 1. User provides token in `Authorization: Bearer` header
 2. System checks Redis cache for token validation
 3. If cache miss, validates with Fief server and caches result

opensensor/collection_apis.py

@@ -34,7 +34,7 @@
 from opensensor.users import (
     AuthInfo,
     User,
-    flexible_auth,
+    flexible_auth_optional,
     migration_complete,
     validate_device_access_flexible,
     validate_environment,
@@ -653,7 +653,7 @@ def sample_and_paginate_collection(
 
 def create_historical_data_route(entity: Type[T]):
     async def historical_data_route(
-        auth_info: AuthInfo = Depends(flexible_auth),
+        auth_info: Optional[AuthInfo] = Depends(flexible_auth_optional),
         device_id: str = Path(
             title="The ID of the device chain for which to retrieve historical data."
         ),
@@ -664,10 +664,11 @@ async def historical_data_route(
         size: int = Query(50, ge=1, le=1000, description="Page size"),
         unit: str | None = Query(None, description="Unit"),
     ) -> Page[T]:
-        # Use flexible authentication validation
+        # Use flexible authentication validation (handles public devices)
         if not validate_device_access_flexible(auth_info, device_id):
-            auth_type = auth_info.auth_type
-            if auth_type == "fief":
+            if auth_info is None:
+                detail = f"Device {device_id} is private and requires authentication"
+            elif auth_info.auth_type == "fief":
                 detail = f"User is not authorized to access device {device_id}"
             else:
                 detail = f"API key is not authorized to access device {device_id}"

opensensor/users.py

@@ -531,6 +531,50 @@ class AuthInfo(BaseModel):
     api_key_info: Optional[APIKey] = None
 
 
+def is_device_public(device_id: str) -> bool:
+    """
+    Check if a device is public (doesn't require authentication).
+    """
+    device_id_part, device_name = get_device_parts(device_id)
+    api_keys, owner = get_api_keys_by_device_id(device_id)
+
+    if len(api_keys) == 0:
+        # No API keys found - device doesn't exist or is not configured
+        return False
+
+    # Check if any API key for this device is marked as public (private_data=False)
+    for api_key in api_keys:
+        if api_key.device_id == device_id_part and api_key.device_name == device_name:
+            if not api_key.private_data:
+                return True
+
+    return False
+
+
+async def flexible_auth_optional(
+    fief_user: Optional[FiefUserInfo] = Depends(get_cached_fief_user_optional()),
+    api_key: Optional[str] = Header(None, alias="X-API-Key"),
+) -> Optional[AuthInfo]:
+    """
+    Optional flexible authentication that accepts either Fief tokens or device API keys.
+    Returns None if no authentication is provided (for public device access).
+    """
+    if fief_user:
+        # Fief token authentication (now cached)
+        return AuthInfo(auth_type="fief", fief_user=fief_user)
+    elif api_key:
+        # API key authentication
+        user_and_key = get_user_by_api_key(api_key)
+        if user_and_key is None:
+            raise HTTPException(status_code=403, detail="Invalid API key")
+
+        user, api_key_info = user_and_key
+        return AuthInfo(auth_type="api_key", user=user, api_key_info=api_key_info)
+    else:
+        # No authentication provided - this is OK for public devices
+        return None
+
+
 async def flexible_auth(
     fief_user: Optional[FiefUserInfo] = Depends(get_cached_fief_user_optional()),
     api_key: Optional[str] = Header(None, alias="X-API-Key"),
@@ -554,10 +598,19 @@ async def flexible_auth(
         raise HTTPException(status_code=401, detail="Authentication required")
 
 
-def validate_device_access_flexible(auth_info: AuthInfo, device_id: str) -> bool:
+def validate_device_access_flexible(auth_info: Optional[AuthInfo], device_id: str) -> bool:
     """
     Validate device access for flexible authentication.
+    Handles public devices (no auth required) and private devices (auth required).
     """
+    # First check if the device is public
+    if is_device_public(device_id):
+        return True
+
+    # Device is private, authentication is required
+    if auth_info is None:
+        return False
+
     if auth_info.auth_type == "fief":
         # Use existing Fief-based validation
         return device_id_is_allowed_for_user(device_id, user=auth_info.fief_user)