401 Unauthorized After Login (DEV Only) #4989

@ahmedomosanya

Summary

After logging out and logging back in, API calls to /v2/user/{userId} and /v2/project/{projectId} fail with 401 Unauthorized. A manual page refresh resolves the issue.

Steps to Reproduce

  1. Navigate to: https://easycla.dev.communitybridge.org/#/cla/project/01af041c-fa69-4052-a23c-fb8c1d3bef24/user/7e4ef073-60d2-4e38-a2bd-d75a4f093a9a?redirect=https://github.com/mlehotskylf-org2/easycla-dev/pull/45
  2. Log in via Auth0
  3. Log out (click avatar → logout)
  4. Log back in
  5. Observe: Network tab shows 401 Unauthorized on /v2/user/... request
  6. Manually refresh the page
  7. Observe: Request now succeeds with 200 OK

Root Cause

Commit d526eebba (April 7, 2026) added an authentication requirement to the /v2/user/{user_id} Python API endpoint:

 @hug.get("/user/{user_id}", versions=2)
-def get_user(user_id: hug.types.uuid):
+def get_user(auth_user: check_auth, user_id: hug.types.uuid):
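Review bot: the added `auth_user: check_auth` parameter on `get_user` establishes that the caller is authenticated, but nothing in the visible signature ties `auth_user` to the requested `user_id`. If the function body (not shown here) does not compare the two or check a role, any logged-in user can read any other user's record, so consider adding that authorization check. A docstring should also state that the endpoint now returns 401 to callers without a valid token, so that clients which previously called it anonymously are updated in the same change.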

This change exists only in the dev branch and has not been deployed to production, which is why the issue cannot be reproduced in PROD.

Why the 401 Occurs

  1. User completes Auth0 login and is redirected back to the app
  2. The frontend immediately calls /v2/user/{userId} to fetch user details
  3. At this moment, the Auth0 token may not yet be fully available in the HTTP interceptor
  4. The request is sent without a valid Bearer token → 401 Unauthorized
  5. On manual refresh, the token is ready → request succeeds

Impact

  • DEV: Affected
  • PROD: Not affected (yet)
  • When deployed to PROD: Will affect production users
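
The race described under "Why the 401 Occurs", as an added example that is not part of the original issue and is not EasyCLA or Auth0 SDK code: a constructed model in which one interceptor attaches whatever token exists at call time and another waits for the token and fails closed. `TokenStore`, `fakeApi`, `racyFetch`, `gatedFetch` and the token strings are hypothetical.

```javascript
// Constructed model of the re-login race; all names here are hypothetical.
class TokenStore {
  constructor() { this.clear(); }
  // Logout: drop the token and arm a fresh promise for the next login.
  clear() {
    this.token = null;
    this.ready = new Promise((resolve) => { this.publish = resolve; });
  }
  // Login callback finished: publish the token to anyone waiting.
  set(token) { this.token = token; this.publish(token); }
}

// Stand-in for the protected endpoint: 401 unless a Bearer token is sent.
function fakeApi(headers) {
  const ok = /^Bearer \S+$/.test(headers.Authorization || '');
  return Promise.resolve({ status: ok ? 200 : 401 });
}

// Racy interceptor: attaches whatever token exists at call time.
function racyFetch(store) {
  return fakeApi(store.token ? { Authorization: `Bearer ${store.token}` } : {});
}

// Gated interceptor: waits for the token and fails closed on timeout.
async function gatedFetch(store, timeoutMs = 1000) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error('token not available')), timeoutMs);
  });
  try {
    const token = await Promise.race([store.ready, timeout]);
    return await fakeApi({ Authorization: `Bearer ${token}` });
  } finally {
    clearTimeout(timer);
  }
}

// Login, logout, login again; both requests fire before the second token lands.
async function simulateRelogin() {
  const store = new TokenStore();
  store.set('constructed-token-1');
  store.clear();
  const racy = racyFetch(store);
  const gated = gatedFetch(store);
  setTimeout(() => store.set('constructed-token-2'), 20);
  return { racy: (await racy).status, gated: (await gated).status };
}
```

`simulateRelogin()` resolves to `{ racy: 401, gated: 200 }`, and `gatedFetch` rejects rather than sending an unauthenticated request if no token arrives within the timeout.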
