Fix tag obfuscation for anonymous users

- get_show_private_tags() now checks plugin's header_modifications,
  not just actual HTTP headers. This fixes anonymous users getting
  tag_count: 0 instead of obfuscated tags.
- Only recognize 'tags-private' header (not bare 'private') to align
  with config regex.
- Fix variable naming bug in should_obfuscate_private_tags().
- Add regression test to catch this issue.
- Update unit tests for new behavior.

Author: Tommel71

gsrest/builtin/plugins/obfuscate_tags/obfuscate_tags.py

@@ -28,7 +28,7 @@
 )
 
 GROUPS_HEADER_NAME = "X-Consumer-Groups"
-NO_OBFUSCATION_MARKER_PATTERN = re.compile(r"(private|tags-private)")
+NO_OBFUSCATION_MARKER_PATTERN = re.compile(r"tags-private")
 OBFUSCATION_MARKER_GROUP = "obfuscate"
 
 

gsrest/dependencies.py

@@ -257,9 +257,9 @@ def get_username(request) -> Optional[str]:
 
 def should_obfuscate_private_tags(request) -> bool:
     # Check header modifications from plugin middleware first
-    header_mods = getattr(request, "state", None)
-    if header_mods is not None:
-        header_mods = getattr(header_mods, "header_modifications", {})
+    state = getattr(request, "state", None)
+    if state is not None:
+        header_mods = getattr(state, "header_modifications", {})
         if header_mods.get(GROUPS_HEADER_NAME) == OBFUSCATION_MARKER_GROUP:
             return True
     # Fall back to checking actual headers

gsrest/routes/base.py

@@ -115,9 +115,13 @@ def get_show_private_tags(
     if not show_private_tags_conf:
         return False
 
+    # Get header modifications from plugin middleware (if any)
+    header_mods = getattr(request.state, "header_modifications", {})
+
     show_private_tags = True
     for k, v in show_private_tags_conf.get("on_header", {}).items():
-        hval = request.headers.get(k, None)
+        # Check both actual headers and plugin-set header modifications
+        hval = header_mods.get(k) or request.headers.get(k, None)
         if not hval:
             return False
         show_private_tags = show_private_tags and bool(re.match(re.compile(v), hval))

tests/test_plugins.py

@@ -63,9 +63,9 @@ def make_request(path, headers=None, query=""):
 # --- Helper Function Tests ---
 
 @pytest.mark.parametrize("groups,expected", [
-    (["private"], True),
+    (["private"], False),  # Only 'tags-private' is recognized, not bare 'private'
     (["tags-private"], True),
-    (["public", "private"], True),
+    (["public", "tags-private"], True),
     (["public"], False),
     (["obfuscate"], False),
     ([], False),
@@ -110,7 +110,7 @@ def test_preserves_non_matching(self):
 # --- before_request Tests ---
 
 @pytest.mark.parametrize("path,headers,query", [
-    ("/btc/entities/123", {GROUPS_HEADER_NAME: "private"}, ""),
+    # Only 'tags-private' is recognized, not bare 'private'
     ("/btc/entities/123", {GROUPS_HEADER_NAME: "tags-private"}, ""),
     ("/btc/entities/123/neighbors", {}, "include_labels=true"),
     ("/btc/entities/123/neighbors", {}, "INCLUDE_LABELS=TRUE"),
@@ -190,7 +190,7 @@ def test_obfuscates_neighbor_tags(self):
         assert neighbors.neighbors[1].entity.best_address_tag.label == "Kept"
 
 
-@pytest.mark.parametrize("group", ["private", "tags-private"])
+@pytest.mark.parametrize("group", ["tags-private"])  # Only 'tags-private' skips obfuscation
 def test_before_response_skips_with_no_obfuscation_group(group):
     entity = make_entity(tag=make_tag(is_public=False, label="Private"))
     req = make_request("/btc/entities/123", {GROUPS_HEADER_NAME: group})

tests/test_regression.py

@@ -207,6 +207,33 @@ def test_txs_list():
             assert False, f"Outputs differ for call: {call}\n\nDetailed differences:\n{diff_details}"
 
 
+@pytest.mark.regression
+def test_obfuscation():
+    """Test that anonymous users get obfuscated tags (not zero tags).
+
+    This catches the bug where get_show_private_tags() didn't check
+    header_modifications from the plugin middleware.
+    """
+    # Address known to have private tags
+    call = "btc/addresses/3D4gm7eGSXiEkWS5V3hN9kDVo2eDGBK4eA/tag_summary"
+
+    # Get data without auth header (anonymous user)
+    data, _ = get_data_from_new_endpoint(call)
+
+    # Anonymous users should still get tags (not zero)
+    assert data.get("tag_count", 0) > 0, \
+        "Anonymous users should see obfuscated tags, not zero tags"
+
+    # But labels should be obfuscated (empty string)
+    assert data.get("best_label") == "", \
+        f"Labels should be obfuscated for anonymous users, got: {data.get('best_label')}"
+
+    # All label keys in summary should be empty
+    for label_key in data.get("label_summary", {}).keys():
+        assert label_key == "", \
+            f"Label keys should be obfuscated, got: {label_key}"
+
+
 @pytest.mark.regression
 def test_search():
     """Run the regression test and return the comparison result."""