endpoints/connectors/agent: fix exception with invalid auth type (#22943)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

authentik/endpoints/connectors/agent/api/connectors.py

@@ -7,7 +7,7 @@ from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_sche
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import ChoiceField
-from rest_framework.permissions import AllowAny, IsAuthenticated
+from rest_framework.permissions import IsAuthenticated
 from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -118,8 +118,7 @@ class AgentConnectorViewSet(
         methods=["POST"],
         detail=False,
         authentication_classes=[AgentEnrollmentAuth],
-        # Permissions are handled via AgentEnrollmentAuth
-        permission_classes=[AllowAny],
+        permission_classes=[IsAuthenticated],
     )
     def enroll(self, request: Request):
         token: EnrollmentToken = request.auth
@@ -154,8 +153,7 @@ class AgentConnectorViewSet(
         methods=["GET"],
         detail=False,
         authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
+        permission_classes=[IsAuthenticated],
     )
     def agent_config(self, request: Request):
         token: DeviceToken = request.auth
@@ -174,8 +172,7 @@ class AgentConnectorViewSet(
         methods=["POST"],
         detail=False,
         authentication_classes=[AgentAuth],
-        # Permissions are handled via AgentAuth
-        permission_classes=[AllowAny],
+        permission_classes=[IsAuthenticated],
     )
     def check_in(self, request: Request):
         token: DeviceToken = request.auth

authentik/endpoints/connectors/agent/tests/test_agent_api.py

@@ -124,6 +124,14 @@ class TestAgentAPI(APITestCase):
         )
         self.assertEqual(response.status_code, 403)
 
+    @reconcile_app("authentik_crypto")
+    def test_config_none(self):
+        response = self.client.get(
+            reverse("authentik_api:agentconnector-agent-config"),
+            HTTP_AUTHORIZATION="Bearer foo",
+        )
+        self.assertEqual(response.status_code, 403)
+
     def test_check_in(self):
         response = self.client.post(
             reverse("authentik_api:agentconnector-check-in"),

schema.yml

@@ -5386,8 +5386,6 @@ paths:
         using this object
       tags:
       - endpoints
-      security:
-      - {}
       responses:
         '200':
           content:
@@ -5457,8 +5455,6 @@ paths:
           application/json:
             schema:
               $ref: '#/components/schemas/DeviceFactsRequest'
-      security:
-      - {}
       responses:
         '204':
           description: Successfully checked in
@@ -5479,8 +5475,6 @@ paths:
             schema:
               $ref: '#/components/schemas/EnrollRequest'
         required: true
-      security:
-      - {}
       responses:
         '200':
           content: