fix(api): guard get_user against non-dict session

olivermeyer · olivermeyer · commit 6828e28b3602 · 2026-04-02T15:36:11.000+02:00
diff --git a/ATTRIBUTIONS.md b/ATTRIBUTIONS.md
@@ -360,7 +360,7 @@ SOFTWARE.
 
 ```
 
-## aignostics-foundry-core (0.6.2) - MIT License
+## aignostics-foundry-core (0.7.0) - MIT License
 
 🏭 Foundational infrastructure for Foundry components.
 
diff --git a/src/aignostics_foundry_core/api/auth.py b/src/aignostics_foundry_core/api/auth.py
@@ -300,13 +300,13 @@ async def me(user: Annotated[dict[str, Any], Depends(get_user)]):
 
     try:
         auth_client = get_auth_client(request)
-        session: dict[str, Any] = await auth_client.require_session(request, Response())  # pyright: ignore[reportAttributeAccessIssue, reportUnknownMemberType, reportUnknownVariableType]
+        session: dict = await auth_client.require_session(request, Response())  # type: ignore[reportUnknownVariableType]
     except Exception:  # noqa: BLE001
         msg = "No session found"
         logger.debug(msg)
         return None
 
-    raw_user = session.get("user")
+    raw_user: dict | None = session.get("user") if isinstance(session, dict) else None  # type: ignore[reportUnknownVariableType]
     if not raw_user or not isinstance(raw_user, dict):
         msg = "Failed to retrieve user information from session"
         logger.critical(msg)
diff --git a/tests/aignostics_foundry_core/api/auth_test.py b/tests/aignostics_foundry_core/api/auth_test.py
@@ -168,6 +168,18 @@ async def test_get_user_returns_none_when_exp_claim_missing(self) -> None:
 
         assert result is None
 
+    async def test_get_user_returns_none_when_session_is_not_a_dict(self) -> None:
+        """get_user returns None when require_session returns a non-dict value."""
+        request = MagicMock()
+        cookie = "fake-cookie"
+        fake_client = MagicMock()
+        fake_client.require_session = AsyncMock(return_value="not-a-dict")
+        request.app.state.auth_client = fake_client
+
+        result = await get_user(request, cookie)
+
+        assert result is None
+
     async def test_get_user_returns_user_for_valid_session(self) -> None:
         """get_user returns the user dict when the session is valid and not expired."""
         request = MagicMock()
