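<#
AZA – Diagnose: Are auth env vars actually present in the running container?

This script:
- Reads deploy\.env (MEDWORK_API_TOKENS / MEDWORK_API_TOKEN)
- Finds running docker compose containers from deploy\docker-compose.yml
- For each container: checks whether MEDWORK_API_TOKENS / MEDWORK_API_TOKEN are set INSIDE,
  and prints only lengths (no token values).

Run from deploy\:
  powershell -ExecutionPolicy Bypass -File .\diagnose_auth_env.ps1

Security notes:
- Token values are never written to the console; only set/unset flags and lengths are.
  A length is still metadata about a secret, so keep the output out of public tickets.
- The in-container probe runs through `docker exec`, i.e. in a NEW process. It reflects the
  environment Docker gives to exec'd processes (plus whatever a login shell's profile adds),
  which may differ from what the already-running server process sees -- confirm if in doubt.
#>
[CmdletBinding()]
param(
    [string]$ComposeFile = ".\docker-compose.yml",
    [string]$EnvFile = ".\.env"
)

# Parse a KEY=VALUE .env file into a hashtable.
# Blank lines, '#' comment lines and lines without a key before '=' are skipped.
# One pair of matching surrounding quotes (single or double) is stripped from the value.
# Throws when the file does not exist.
function Load-DotEnv([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Missing .env file at: $Path"
    }

    $map = @{}
    Get-Content -LiteralPath $Path | ForEach-Object {
        $line = $_.Trim()
        if ($line.Length -eq 0) { return }
        if ($line.StartsWith("#")) { return }

        $idx = $line.IndexOf("=")
        if ($idx -lt 1) { return }

        $k = $line.Substring(0, $idx).Trim()
        $v = $line.Substring($idx + 1).Trim()

        # Length guard: a value consisting of a single quote character both starts and ends
        # with that quote, and Substring(1, -1) would throw.
        $quoted = ($v.StartsWith('"') -and $v.EndsWith('"')) -or
                  ($v.StartsWith("'") -and $v.EndsWith("'"))
        if ($v.Length -ge 2 -and $quoted) {
            $v = $v.Substring(1, $v.Length - 2)
        }

        $map[$k] = $v
    }
    return $map
}

# Split a token list on commas / newlines, trim each entry and drop empty ones.
# NOTE: PowerShell unrolls function output, so a single token comes back as a bare string
# and no token comes back as nothing at all. Callers must wrap the call in @(...).
function All-TokensFromValue([string]$value) {
    if (-not $value) { return @() }
    $value = $value.Trim()
    return ($value -split "[,\r\n]+" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" })
}

# Summarise the host-side token configuration without exposing any token value.
# Returns a hashtable: src (name of the variable used, "" if none), count, firstLen.
# MEDWORK_API_TOKENS wins whenever the key is present, even with an empty value.
function HostTokenSummary([hashtable]$envMap) {
    $src = ""
    $tokens = @()

    # @(...) is required: without it a single token is a [string], $tokens[0] is its first
    # character, and the reported "first token length" would always be 1.
    if ($envMap.ContainsKey("MEDWORK_API_TOKENS")) {
        $src = "MEDWORK_API_TOKENS"
        $tokens = @(All-TokensFromValue $envMap["MEDWORK_API_TOKENS"])
    } elseif ($envMap.ContainsKey("MEDWORK_API_TOKEN")) {
        $src = "MEDWORK_API_TOKEN"
        $tokens = @(All-TokensFromValue $envMap["MEDWORK_API_TOKEN"])
    }

    $firstLen = if ($tokens.Count -gt 0) { $tokens[0].Length } else { 0 }
    return @{ src = $src; count = $tokens.Count; firstLen = $firstLen }
}

if (-not (Test-Path -LiteralPath $ComposeFile)) {
    Write-Host "❌ Missing compose file: $ComposeFile"
    exit 1
}

try {
    $envMap = Load-DotEnv $EnvFile
} catch {
    Write-Host "❌ $($_.Exception.Message)"
    exit 1
}

$hostSummary = HostTokenSummary $envMap

Write-Host "[AZA] Diagnose auth env"
Write-Host " Host .env: $EnvFile"
Write-Host " TokenSrc: $($hostSummary.src)"
Write-Host " Tokens: $($hostSummary.count)"
Write-Host " TokenLen: $($hostSummary.firstLen) (first token length only)"
Write-Host ""
Write-Host "Checking docker compose containers..."

# A native command that exits non-zero does NOT throw in PowerShell; catch only fires when
# the docker executable cannot be started at all. The exit code is checked separately.
$cids = @()
$composeExit = 0
try {
    $cids = @(& docker compose -f $ComposeFile ps -q 2>$null)
    $composeExit = $LASTEXITCODE
} catch {
    Write-Host "❌ docker compose failed. Is Docker running?"
    exit 1
}
if ($composeExit -ne 0) {
    Write-Host "⚠ docker compose ps exited with code $composeExit; ignoring its output."
    $cids = @()
}
$cids = @($cids | Where-Object { $_ -and $_.Trim() })

if ($cids.Count -lt 1) {
    Write-Host "⚠ No running compose containers found for $ComposeFile"
    Write-Host " Trying to find ANY docker container exposing port 8000..."

    $portCids = @()
    $psExit = -1
    try {
        $portCids = @(& docker ps --filter "publish=8000" --format "{{.ID}}" 2>$null)
        $psExit = $LASTEXITCODE
    } catch {
        # docker could not be started; $psExit stays -1 and is reported below.
    }

    # Without this check a stopped Docker daemon would be misreported as
    # "backend is running outside docker".
    if ($psExit -ne 0) {
        Write-Host "❌ docker ps failed. Is Docker running?"
        exit 1
    }

    $portCids = @($portCids | Where-Object { $_ -and $_.Trim() })
    if ($portCids.Count -gt 0) {
        Write-Host " Found container(s) publishing port 8000:"
        $cids = $portCids
    } else {
        Write-Host "❌ No docker container publishing port 8000 found."
        Write-Host " This strongly suggests your backend at http://127.0.0.1:8000 is running OUTSIDE docker (e.g. uvicorn)."
        Write-Host ""
        Write-Host "Next step will be a targeted authorized test against the running backend mode:"
        Write-Host " - If docker: ensure env vars are wired into the container"
        Write-Host " - If local: ensure the process is started with MEDWORK_API_TOKENS / MEDWORK_API_TOKEN"
        exit 1
    }
}

# Inside-container checks: ONLY lengths + set/unset flags, never print values.
#
# The probe is a SINGLE-quoted PowerShell string on purpose. In a double-quoted here-string
# PowerShell itself expands ${MEDWORK_API_TOKENS:-} and ${#MEDWORK_API_TOKENS} before docker
# ever sees them, so the container would always report "unset".
# The probe also contains no quote characters, which keeps it intact when PowerShell hands
# it to the native docker executable as one argument. "Set" here means "non-empty".
$probe = 'set -e; ' +
    'if [ ${#MEDWORK_API_TOKENS} -gt 0 ]; then echo TOKENS_SET=1; else echo TOKENS_SET=0; fi; ' +
    'if [ ${#MEDWORK_API_TOKEN} -gt 0 ]; then echo TOKEN_SET=1; else echo TOKEN_SET=0; fi; ' +
    'echo LEN_TOKENS=${#MEDWORK_API_TOKENS}; ' +
    'echo LEN_TOKEN=${#MEDWORK_API_TOKEN}'

# Only lines of exactly this shape are echoed back, so anything else the login shell
# writes to stdout (profile scripts, banners) cannot end up in the diagnostic output.
$allowedLine = '^(?:TOKENS_SET=[01]|TOKEN_SET=[01]|LEN_TOKENS=\d+|LEN_TOKEN=\d+)$'

foreach ($cid in $cids) {
    $cid = $cid.Trim()
    if (-not $cid) { continue }

    # Reset per iteration and null-guard the lookup: calling .Trim() on an empty result
    # would raise an error and leave the previous container's name in $name.
    $name = $null
    $nameLine = & docker ps --format "{{.Names}}" --filter "id=$cid" 2>$null | Select-Object -First 1
    if ($nameLine) { $name = "$nameLine".Trim() }
    if (-not $name) { $name = $cid }

    Write-Host "Container: $name"

    $out = $null
    $execExit = -1
    try {
        # sh, -lc and the probe are separate arguments; a single "sh -lc '...'" string would
        # be treated by docker exec as the name of the executable to run.
        $out = & docker exec $cid sh -lc $probe 2>$null
        $execExit = $LASTEXITCODE
    } catch {
        # docker could not be started; reported through $execExit below.
    }

    @($out) | ForEach-Object {
        $text = "$_".Trim()
        if ($text -cmatch $allowedLine) { Write-Host " $text" }
    }
    if ($execExit -ne 0) {
        Write-Host " ❌ docker exec failed (container might not have sh)."
    }
    Write-Host ""
}

Write-Host "Interpretation:"
Write-Host " - If TOKENS_SET=0 and TOKEN_SET=0 => container did not receive auth env vars => will 401."
Write-Host " - If LEN_* are non-zero but don't match your expectation => you're likely testing the wrong container/env."
exit 0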