feat(api): retire legacy /v1/* and /console/api device-flow mounts (Phase F)

Web and CLI consumers now hit /openapi/v1/* directly, so the dual-mount shims can go: - controllers/oauth_device_sso.py (legacy /v1/oauth/device/sso-* + /v1/device/sso-complete) - controllers/service_api/oauth.py (legacy /v1/oauth/device/*, /v1/me, /v1/oauth/authorizations/self) - controllers/console/auth/oauth_device.py (placeholder for legacy /console/api/oauth/device/{approve,deny}) - the deferred _register_legacy_console_mount() inside openapi/oauth_device.py Imports in controllers/console/__init__.py, controllers/service_api/__init__.py, and extensions/ext_blueprints.py pruned. Tests rewritten to openapi-only.
2026-05-21 09:17:27 +08:00 · 2026-04-27 00:45:10 -07:00
parent eb5ef3dba5
commit 0b3b0b5ce8
15 changed files with 105 additions and 364 deletions
--- a/api/tests/unit_tests/controllers/openapi/test_device_code.py
+++ b/api/tests/unit_tests/controllers/openapi/test_device_code.py
@ -1,10 +1,8 @@
-"""Phase B step 6: POST /openapi/v1/oauth/device/code is the canonical
-RFC 8628 device authorization endpoint. The legacy /v1/oauth/device/code
-mount stays until Phase F; both paths must dispatch to the same class.
+"""POST /openapi/v1/oauth/device/code is the canonical RFC 8628 device
+authorization endpoint.

-Tests verify URL routing and re-registration without invoking the
-handler — invoking would require Redis, which the unit-test runtime
-does not initialise.
+Tests verify URL routing without invoking the handler — invoking would
+require Redis, which the unit-test runtime does not initialise.
 """
 import builtins

@ -14,65 +12,36 @@ from flask.views import MethodView

 from controllers.openapi import bp as openapi_bp
 from controllers.openapi.oauth_device import OAuthDeviceCodeApi
-from controllers.service_api import bp as service_api_bp

 if not hasattr(builtins, "MethodView"):
    builtins.MethodView = MethodView  # type: ignore[attr-defined]


@pytest.fixture
-def dual_app() -> Flask:
-    """Both blueprints registered, mirroring production layout."""
+def openapi_app() -> Flask:
    app = Flask(__name__)
    app.config["TESTING"] = True
-    app.register_blueprint(service_api_bp)
    app.register_blueprint(openapi_bp)
    return app


-def test_openapi_route_registered(dual_app: Flask):
-    rules = {r.rule for r in dual_app.url_map.iter_rules()}
+def test_openapi_route_registered(openapi_app: Flask):
+    rules = {r.rule for r in openapi_app.url_map.iter_rules()}
    assert "/openapi/v1/oauth/device/code" in rules


-def test_legacy_v1_route_still_registered(dual_app: Flask):
-    """service_api/oauth.py re-registers the lifted class on /v1/."""
-    rules = {r.rule for r in dual_app.url_map.iter_rules()}
-    assert "/v1/oauth/device/code" in rules
-
-
-def test_both_paths_dispatch_to_same_class(dual_app: Flask):
-    """Single source of truth — no duplicated handler logic."""
-    new = next(
-        r for r in dual_app.url_map.iter_rules() if r.rule == "/openapi/v1/oauth/device/code"
+def test_route_dispatches_to_class(openapi_app: Flask):
+    rule = next(
+        r for r in openapi_app.url_map.iter_rules() if r.rule == "/openapi/v1/oauth/device/code"
    )
-    legacy = next(
-        r for r in dual_app.url_map.iter_rules() if r.rule == "/v1/oauth/device/code"
+    assert openapi_app.view_functions[rule.endpoint].view_class is OAuthDeviceCodeApi
+
+
+def test_route_accepts_post(openapi_app: Flask):
+    rule = next(
+        r for r in openapi_app.url_map.iter_rules() if r.rule == "/openapi/v1/oauth/device/code"
    )
-
-    new_view = dual_app.view_functions[new.endpoint]
-    legacy_view = dual_app.view_functions[legacy.endpoint]
-    # Flask-RESTX wraps Resource classes in a `view_class` attribute.
-    assert new_view.view_class is OAuthDeviceCodeApi
-    assert legacy_view.view_class is OAuthDeviceCodeApi
-
-
-def test_route_accepts_post_and_options(dual_app: Flask):
-    new = next(
-        r for r in dual_app.url_map.iter_rules() if r.rule == "/openapi/v1/oauth/device/code"
-    )
-    legacy = next(
-        r for r in dual_app.url_map.iter_rules() if r.rule == "/v1/oauth/device/code"
-    )
-    assert "POST" in new.methods
-    assert "POST" in legacy.methods
-
-
-def test_handler_class_imports_match():
-    """service_api re-uses the openapi class, not a copy."""
-    from controllers.service_api import oauth as service_api_oauth
-
-    assert service_api_oauth.OAuthDeviceCodeApi is OAuthDeviceCodeApi
+    assert "POST" in rule.methods


 def test_known_client_ids_default_includes_difyctl():