fix: default RESOURCE_SERVER__URL to None to restore standalone auth

[kaiokmo]

After we merged this [1], all user-facing API access to EDA must go
through the AAP gateway when deployed as part of the platform.

However, RESOURCE_SERVER__URL defaults to "https://localhost", which
causes the JWT-only authentication override in default.py to fire unconditionally.
This breaks session-based UI login for standalone deployments.

Setting the default to None ensures SessionAuthentication is preserved unless
RESOURCE_SERVER__URL is explicitly configured, which only happens when
deployed behind the AAP Gateway.

The reason this didn't break any development scenarios, "task docker:up" or similar
is because docker-compose-dev.yaml sets EDA_MODE=development, which loads
up development_defaults.py instead, which then sets RESOURCE_SERVER["URL"] to
None by default.

[1] #1495

Summary by CodeRabbit

• Chores
  • Default resource server URL is now unset by default instead of using a localhost value.
  • This prevents accidental local connections and requires explicit configuration for external resource servers, making deployments safer and configuration behavior more predictable.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.82%. Comparing base (5cae5d5) to head (ef0c29d).

@@            Coverage Diff             @@
##             main    #1503      +/-   ##
==========================================
- Coverage   91.83%   91.82%   -0.01%     
==========================================
  Files         237      237              
  Lines       10482    10482              
==========================================
- Hits         9626     9625       -1     
- Misses        856      857       +1     

Flag	Coverage Δ
unit-int-tests-3.11	91.82% <100.00%> (-0.01%)	⬇️
unit-int-tests-3.12	91.82% <100.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
src/aap_eda/settings/defaults.py	100.00% <100.00%> (ø)

... and 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[kaiokmo]

/run-e2e

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1e18ec67-046b-4420-9b65-f0d677a99bd9

📥 Commits

Reviewing files that changed from the base of the PR and between 7954689 and ef0c29d.

📒 Files selected for processing (1)

• src/aap_eda/settings/defaults.py

---

📝 Walkthrough

Walkthrough

Modifies the default value of the RESOURCE_SERVER__URL setting in src/aap_eda/settings/defaults.py from the string "https://localhost" to None; the declared type remains Optional[str].

Changes

Cohort / File(s)	Summary
Configuration Settings src/aap_eda/settings/defaults.py	Changed RESOURCE_SERVER__URL default from "https://localhost" to None (type remains Optional[str]).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: setting the default RESOURCE_SERVER__URL to None to restore standalone authentication behavior.
Description check	✅ Passed	The description addresses all required sections: it explains what changed, why it was needed, how it fixes the issue, and mentions no new dependencies or blockers.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-default-resource-server-url

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can get early access to new features in CodeRabbit.

Enable the early_access setting to enable early access features such as new models, tools, and more.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/aap_eda/settings/defaults.py`:
- Line 196: The signal handler gw_handler and the event_stream API view
instantiate SyncCertificates without guarding against
settings.RESOURCE_SERVER["URL"] being None; either add early guards in those
call sites to skip creating SyncCertificates when
settings.RESOURCE_SERVER.get("URL") is falsy (i.e., return/skip sync) or add a
defensive check in SyncCertificates.__init__ that validates
settings.RESOURCE_SERVER.get("URL") and raises a clear ValueError. Update
gw_handler (sync_certs.py) and the event_stream view (event_stream.py) to check
settings.RESOURCE_SERVER.get("URL") before calling SyncCertificates, or
implement the check inside SyncCertificates.__init__ (and adjust call sites to
handle the exception) so urljoin(self.gateway_url, ...) cannot receive None.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 61ba66c6-80d4-4cbc-9446-7a7bbf9831b1

📥 Commits

Reviewing files that changed from the base of the PR and between 0e2b0ae and 7954689.

📒 Files selected for processing (1)

• src/aap_eda/settings/defaults.py

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== SyncCerts implementation (URL usage) =="
fd 'sync_certs.py$' --exec sed -n '1,260p' {}

echo
echo "== SyncCerts instantiations with context =="
rg -nP --type=py -C4 '\bSyncCerts\s*\('

echo
echo "== RESOURCE_SERVER URL guards with context =="
rg -nP --type=py -C3 'RESOURCE_SERVER\["URL"\]'

echo
echo "== URL composition sites that can fail on None =="
rg -nP --type=py -C3 'urljoin\s*\(\s*self\.gateway_url\s*,|f"\{settings\.RESOURCE_SERVER\["URL"\]'

Repository: ansible/eda-server

Length of output: 18410

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Finding gw_handler signal registration =="
rg -nP --type=py 'gw_handler|post_save.*EdaCredential' -B2 -A2

echo
echo "== All SyncCertificates instantiations in production code =="
rg -nP --type=py 'SyncCertificates\s*\(' --glob='!test*.py' --glob='!*/tests/*' -B3 -A1

echo
echo "== Checking RESOURCE_SERVER["URL"] guards in production =="
rg -nP --type=py 'if.*RESOURCE_SERVER\["URL"\]|RESOURCE_SERVER\["URL"\]\s*and' --glob='!test*.py' --glob='!*/tests/*' -B2 -A2

Repository: ansible/eda-server

Length of output: 7725

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== Full gw_handler implementation =="
sed -n '286,320p' src/aap_eda/services/sync_certs.py

echo
echo "== event_stream.py instantiation context =="
sed -n '355,375p' src/aap_eda/api/views/event_stream.py

echo
echo "== Checking if RESOURCE_SERVER["URL"] is checked anywhere before signal handler calls =="
rg -nP --type=py 'if.*RESOURCE_SERVER' --glob='!test*.py' --glob='!*/tests/*' -B1 -A1

Repository: ansible/eda-server

Length of output: 2618

---

Both SyncCertificates call paths lack guards for None URL and will fail at runtime

With RESOURCE_SERVER__URL now defaulting to None, the signal handler in gw_handler() (line 302 of sync_certs.py) and the API view in event_stream.py (line 363) will both instantiate SyncCertificates without checking whether settings.RESOURCE_SERVER["URL"] is set. Line 42 assigns directly: self.gateway_url: str = settings.RESOURCE_SERVER["URL"], and later calls like urljoin(self.gateway_url, slug) (lines 125, 133, 227, 241) will raise TypeError when gateway_url is None.

Add a guard in both call sites to skip sync when settings.RESOURCE_SERVER.get("URL") is falsy, or add a check in SyncCertificates.__init__ to raise a clearer error.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/aap_eda/settings/defaults.py` at line 196, The signal handler gw_handler
and the event_stream API view instantiate SyncCertificates without guarding
against settings.RESOURCE_SERVER["URL"] being None; either add early guards in
those call sites to skip creating SyncCertificates when
settings.RESOURCE_SERVER.get("URL") is falsy (i.e., return/skip sync) or add a
defensive check in SyncCertificates.__init__ that validates
settings.RESOURCE_SERVER.get("URL") and raises a clear ValueError. Update
gw_handler (sync_certs.py) and the event_stream view (event_stream.py) to check
settings.RESOURCE_SERVER.get("URL") before calling SyncCertificates, or
implement the check inside SyncCertificates.__init__ (and adjust call sites to
handle the exception) so urljoin(self.gateway_url, ...) cannot receive None.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[kaiokmo]

I'm closing this PR in favor of ansible/eda-server-operator#331