From 71c759efce7884b5048b110012587a6419f3b8c0 Mon Sep 17 00:00:00 2001
From: alpakalee <tjwns1400@gmail.com>
Date: Thu, 14 May 2026 02:30:15 +0900
Subject: [PATCH] fix: correct decorator order in prompt-service so
 auth_required is enforced
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Python applies decorators bottom-up. Placing @auth_required above @route
caused Flask to register the raw handler function — the auth wrapper was
never invoked on incoming requests. Swap the order in all three affected
controllers so the authenticated wrapper is what Flask stores in its URL map.

Affected files:
- controllers/extraction.py (POST /extract)
- controllers/indexing.py   (POST /index)
- controllers/answer_prompt.py (POST /answer-prompt)
---
 .../src/unstract/prompt_service/controllers/answer_prompt.py    | 2 +-
 .../src/unstract/prompt_service/controllers/extraction.py       | 2 +-
 .../src/unstract/prompt_service/controllers/indexing.py         | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/prompt-service/src/unstract/prompt_service/controllers/answer_prompt.py b/prompt-service/src/unstract/prompt_service/controllers/answer_prompt.py
index fdf0deaae1..cb47c415a7 100644
--- a/prompt-service/src/unstract/prompt_service/controllers/answer_prompt.py
+++ b/prompt-service/src/unstract/prompt_service/controllers/answer_prompt.py
@@ -34,8 +34,8 @@
 answer_prompt_bp = Blueprint("answer-prompt", __name__)
 
 
-@AuthHelper.auth_required
 @answer_prompt_bp.route("/answer-prompt", methods=["POST"])
+@AuthHelper.auth_required
 def prompt_processor() -> Any:
     platform_key = AuthHelper.get_token_from_auth_header(request)
     payload: dict[Any, Any] = request.json
diff --git a/prompt-service/src/unstract/prompt_service/controllers/extraction.py b/prompt-service/src/unstract/prompt_service/controllers/extraction.py
index 516894f429..2749018b9b 100644
--- a/prompt-service/src/unstract/prompt_service/controllers/extraction.py
+++ b/prompt-service/src/unstract/prompt_service/controllers/extraction.py
@@ -18,8 +18,8 @@
 ]
 
 
-@AuthHelper.auth_required
 @extraction_bp.route("/extract", methods=["POST"])
+@AuthHelper.auth_required
 def extract() -> Any:
     platform_key = AuthHelper.get_token_from_auth_header(request)
     payload: dict[Any, Any] = request.json
diff --git a/prompt-service/src/unstract/prompt_service/controllers/indexing.py b/prompt-service/src/unstract/prompt_service/controllers/indexing.py
index f9416a9c92..f412e4fbeb 100644
--- a/prompt-service/src/unstract/prompt_service/controllers/indexing.py
+++ b/prompt-service/src/unstract/prompt_service/controllers/indexing.py
@@ -32,8 +32,8 @@
 ]
 
 
-@AuthHelper.auth_required
 @indexing_bp.route("/index", methods=["POST"])
+@AuthHelper.auth_required
 def index() -> Any:
     """Endpoint for indexing documents into the vector database.