@asimurka asimurka commented Nov 6, 2025

Description

Fixed 403 error descriptions for queries, updated openapi doc.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Related Tickets & Documents

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added v2 query endpoint for enhanced API capabilities.
  • Documentation

    • Updated authorization error messages across query endpoints for improved clarity.
    • Consolidated API schema definitions for simplified integration.
    • Refined API documentation to reflect current endpoint behaviors.

@coderabbitai coderabbitai bot commented Nov 6, 2025

Walkthrough

The PR updates the OpenAPI specification with a new /v2/query endpoint, consolidates authentication/authorization schemas by removing legacy input/output variants, standardizes authorization error messages across endpoints, removes a 400 response from the feedback PUT handler, and refines endpoint descriptions to reflect updated API wrapper semantics.

Changes

Cohort / File(s): Summary

OpenAPI Specification Update
  File: docs/openapi.json
  Added new /v2/query endpoint with query_v2 tag and dedicated request/response structures; introduced consolidated public schemas (AuthenticationConfiguration, AuthorizationConfiguration, JwkConfiguration, JwtConfiguration) replacing legacy input/output variants; generalized authorization error messages from "User is not authorized" to "Client does not have permission to access conversation"; updated Configuration schema references to use new public schemas; refined endpoint descriptions for /v1/query and /v1/streaming_query.

Authorization Error Message Standardization
  Files: src/app/endpoints/query.py, src/app/endpoints/query_v2.py, src/app/endpoints/streaming_query.py
  Updated 403 response descriptions across query endpoints to use standardized "Client does not have permission to access conversation" message.

Feedback Endpoint Response Schema
  File: src/app/endpoints/feedback.py
  Removed 400 error response entry from feedback_put_response mapping; retained 200, 401, 403, and 5xx responses.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • OpenAPI schema consolidation: Verify that removal of legacy input/output schema variants and introduction of consolidated public schemas maintains backward compatibility and doesn't break client code generation or existing API consumers.
  • New v2 endpoint integration: Confirm that /v2/query endpoint is correctly wired, response structures align with implementation, and operationId references are accurate.
  • Feedback PUT response removal: Ensure that removing the 400 response is intentional and doesn't mask client validation errors that should be surfaced.

Possibly related PRs

Suggested reviewers

  • tisnik

Poem

🐰 New schemas emerge, old variants retire,
v2 query ascends, authorization messages respire,
Feedback's 400 bids adieu with grace,
Standardized errors find their rightful place!

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title accurately reflects the primary changes: updating 403 error descriptions across query, streaming_query, and feedback endpoints, plus comprehensive OpenAPI documentation updates.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.

@asimurka asimurka changed the title LCORE-757: Fixed 403 error descriptions for queries LCORE-757: Fixed 403 error descriptions for queries and feedback Nov 6, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/openapi.json (1)

1536-1587: Update documentation to reference new AuthenticationConfiguration and AuthorizationConfiguration schema names.

The old "-Input/Output" suffixed schema names are still referenced in documentation files and must be updated to match the renamed schemas in openapi.json:

  • docs/openapi.md (lines 699, 714, 729, 740)
  • docs/output.md (lines 699, 714, 729, 740)

Remove or rename sections referencing AuthenticationConfiguration-Input, AuthenticationConfiguration-Output, AuthorizationConfiguration-Input, and AuthorizationConfiguration-Output to use the new consolidated schema names.

🧹 Nitpick comments (1)
docs/openapi.json (1)

1202-1278: New /v2/query: docs and code must match mount and auth surface.

Docs add /v2/query with 400/403/500/422; no 401. In code, the v2 handler mirrors v1; ensure router mount under /v2 (see separate script) and decide if 401 should be documented for parity with k8s auth as in /v1/streaming_query.

Use the earlier script to check router mount; if k8s auth applies to v2, consider adding a 401 response here as well.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4f39c33 and a133b77.

📒 Files selected for processing (5)
  • docs/openapi.json (14 hunks)
  • src/app/endpoints/feedback.py (0 hunks)
  • src/app/endpoints/query.py (1 hunks)
  • src/app/endpoints/query_v2.py (1 hunks)
  • src/app/endpoints/streaming_query.py (1 hunks)
💤 Files with no reviewable changes (1)
  • src/app/endpoints/feedback.py
🧰 Additional context used
📓 Path-based instructions (5)
src/**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

Use absolute imports for internal modules (e.g., from auth import get_auth_dependency)

Files:

  • src/app/endpoints/query_v2.py
  • src/app/endpoints/streaming_query.py
  • src/app/endpoints/query.py
src/app/**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

Use standard FastAPI imports (from fastapi import APIRouter, HTTPException, Request, status, Depends) in FastAPI app code

Files:

  • src/app/endpoints/query_v2.py
  • src/app/endpoints/streaming_query.py
  • src/app/endpoints/query.py
**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.py: All modules start with descriptive module-level docstrings explaining purpose
Use logger = logging.getLogger(__name__) for module logging after import logging
Define type aliases at module level for clarity
All functions require docstrings with brief descriptions
Provide complete type annotations for all function parameters and return types
Use typing_extensions.Self in model validators where appropriate
Use modern union syntax (str | int) and Optional[T] or T | None consistently
Function names use snake_case with descriptive, action-oriented prefixes (get_, validate_, check_)
Avoid in-place parameter modification; return new data structures instead of mutating arguments
Use appropriate logging levels: debug, info, warning, error with clear messages
All classes require descriptive docstrings explaining purpose
Class names use PascalCase with conventional suffixes (Configuration, Error/Exception, Resolver, Interface)
Abstract base classes should use abc.ABC and @AbstractMethod for interfaces
Provide complete type annotations for all class attributes
Follow Google Python docstring style for modules, classes, and functions, including Args, Returns, Raises, Attributes sections as needed

Files:

  • src/app/endpoints/query_v2.py
  • src/app/endpoints/streaming_query.py
  • src/app/endpoints/query.py
src/{app/**/*.py,client.py}

📄 CodeRabbit inference engine (CLAUDE.md)

Use async def for I/O-bound operations and external API calls

Files:

  • src/app/endpoints/query_v2.py
  • src/app/endpoints/streaming_query.py
  • src/app/endpoints/query.py
src/app/endpoints/**/*.py

📄 CodeRabbit inference engine (CLAUDE.md)

In API endpoints, raise FastAPI HTTPException with appropriate status codes for error handling

Files:

  • src/app/endpoints/query_v2.py
  • src/app/endpoints/streaming_query.py
  • src/app/endpoints/query.py
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build-pr
  • GitHub Check: e2e_tests (ci)
  • GitHub Check: e2e_tests (azure)
🔇 Additional comments (8)
src/app/endpoints/streaming_query.py (1)

103-106: 403 description update aligns with runtime error detail.

Matches the HTTPException message when ownership fails. No functional changes.

src/app/endpoints/query.py (1)

85-88: Consistent 403 wording across query endpoints.

Good alignment; no behavioral impact.

src/app/endpoints/query_v2.py (2)

58-61: 403 description standardized.

Matches v1 endpoints.


277-301: No issues found. The code is correctly configured.

All verification checks confirm the implementation is sound:

  • ✓ Router is properly mounted at /v2 prefix (routers.py line 47: app.include_router(query_v2.router, prefix="/v2"))
  • ✓ Error message "Client does not have permission to access conversation" is consistent across query endpoints
  • ✓ No stale "User is not authorized" messages appear under query endpoints (only under /authorized)
  • ✓ Helper functions retrieve_response and get_topic_summary are correctly defined as async functions
docs/openapi.json (4)

327-337: v1/query docs: description + 403 text look good.

Matches code in src/app/endpoints/query.py and standardizes the 403 message.

If not already, ensure the generated OpenAPI in CI comes from the running app to avoid drift.

Also applies to: 369-377


454-463: v1/streaming_query 403 message aligned.

Consistent with src/app/endpoints/streaming_query.py.


2750-2768: Schema structure verified; no config loading concerns.

The OpenAPI schema aligns with the Python implementation. JwkConfiguration correctly nests JwtConfiguration (matching the $ref in the schema), and Pydantic validators already handle the nested structure. No manual env parsing or config loaders require updates—the code is already using the nested paths without issues.


632-642: PUT /v1/feedback/status handler properly implements 401/403 responses as documented.

The implementation matches the documentation: feedback_put_response dict (line 52 of src/app/endpoints/feedback.py) includes both 401 and 403 responses. The @authorize(Action.ADMIN) decorator raises HTTP 403 when authorization check fails, and the authentication layer raises HTTP 401 for missing/invalid credentials. No action required.
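The reviewer's note above about generating the OpenAPI document from the running app to avoid drift, and the checks that the documented 403 text matches the runtime HTTPException detail, can be enforced with a small comparison script. The following is an added example, not code from the lightspeed-core project or from CodeRabbit: the two JSON documents are constructed samples (one with the old wording, one as the app would generate it after this PR), and FORBIDDEN_DETAIL is an assumed constant standing in for the detail string the handlers raise.

```python
"""Drift check between a committed OpenAPI document and the schema the running
app generates, keyed on per-status response descriptions (such as the 403 text
this PR standardizes).

Added example, not code from the lightspeed-core project. The two documents
below are constructed samples; in CI you would load docs/openapi.json and fetch
the live schema from the app (FastAPI serves it at /openapi.json).
"""
import json

# Assumed runtime detail string the handlers raise when ownership checks fail.
FORBIDDEN_DETAIL = "Client does not have permission to access conversation"

# Constructed sample: the committed document still carries the old wording.
COMMITTED_SPEC = json.loads("""
{
  "paths": {
    "/v1/query": {"post": {"responses": {
      "200": {"description": "Successful Response"},
      "403": {"description": "User is not authorized"}}}},
    "/v2/query": {"post": {"responses": {
      "200": {"description": "Successful Response"},
      "403": {"description": "User is not authorized"}}}}
  }
}
""")

# Constructed sample: what the running app generates after the fix
# (v2 additionally documents 401, as the reviewer suggested considering).
GENERATED_SPEC = json.loads("""
{
  "paths": {
    "/v1/query": {"post": {"responses": {
      "200": {"description": "Successful Response"},
      "403": {"description": "Client does not have permission to access conversation"}}}},
    "/v2/query": {"post": {"responses": {
      "200": {"description": "Successful Response"},
      "401": {"description": "Unauthorized"},
      "403": {"description": "Client does not have permission to access conversation"}}}}
  }
}
""")


def response_descriptions(spec: dict) -> dict[tuple[str, str, str], str]:
    """Flatten a spec into {(path, METHOD, status): description}."""
    out: dict[tuple[str, str, str], str] = {}
    for path, operations in spec.get("paths", {}).items():
        for method, operation in operations.items():
            for status, response in operation.get("responses", {}).items():
                out[(path, method.upper(), status)] = response.get("description", "")
    return out


def find_drift(committed: dict, generated: dict) -> list[tuple]:
    """Return (path, METHOD, status, committed_desc, generated_desc) for every
    response whose description differs between the two documents; None marks a
    status that exists in only one of them. An empty list means no drift."""
    a = response_descriptions(committed)
    b = response_descriptions(generated)
    return [
        (*key, a.get(key), b.get(key))
        for key in sorted(set(a) | set(b))
        if a.get(key) != b.get(key)
    ]


def stale_403_paths(spec: dict, expected: str = FORBIDDEN_DETAIL) -> list[str]:
    """Paths whose documented 403 text does not equal the runtime error detail,
    i.e. the docs/code mismatch the reviewer's drift note is about."""
    return sorted(
        path
        for (path, _method, status), desc in response_descriptions(spec).items()
        if status == "403" and desc != expected
    )


if __name__ == "__main__":
    for entry in find_drift(COMMITTED_SPEC, GENERATED_SPEC):
        print("drift:", entry)
    print("stale 403 in committed doc:", stale_403_paths(COMMITTED_SPEC))
```

In a CI job the same two functions would take the committed docs/openapi.json and the schema fetched from the started app; a non-empty find_drift result fails the job, which is what keeps the documented 401/403 text from silently diverging from the HTTPException messages the endpoints actually return.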

@tisnik tisnik left a comment

LGTM

@tisnik tisnik commented Nov 10, 2025

/ok-to-test

@tisnik tisnik commented Nov 10, 2025

/ok-to-test

@tisnik tisnik merged commit 584cd25 into lightspeed-core:main Nov 10, 2025
21 of 24 checks passed