fix: prevent early return in PathList lookup when intermediate path fails

[nikzen]

Summary

• Fix a bug in get_path_in_dict where a PathList with multiple paths would short-circuit on the first failing path instead of trying subsequent ones.
• When an intermediate segment resolved to a non-dict value (e.g. because the top-level key was missing), the inner loop's return None aborted the entire function. Changed to break + for/else so only fully traversed paths produce a result.
• Add tests covering missing keys, non-dict intermediates, and a real-world Zitadel admin_path scenario with project-scoped role claims.

Context

When admin_path is configured as a PathList (e.g. [["roles", "Admin"], ["urn:zitadel:iam:org:project:<id>:roles", "MatrixAdmin"]]), the first path ["roles", "Admin"] fails on tokens that don't have a roles key. The bug caused the function to return None immediately without ever checking the second path, making it impossible to use PathList for fallback admin detection.

Test plan

• All existing test_get_path_in_dict assertions still pass
• New test test_get_path_in_dict_pathlist_fallback_on_missing_key — verifies fallback when the first path's key is entirely absent
• New test test_get_path_in_dict_pathlist_non_dict_intermediate — verifies fallback when an intermediate value is a non-dict (int, string)
• New test test_get_path_in_dict_zitadel_admin_path — real-world scenario with Zitadel project-scoped role claims, testing both path orderings

Made with Cursor

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.18%. Comparing base (8ad0e2a) to head (d6e3415).

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #81      +/-   ##
==========================================
+ Coverage   83.08%   83.18%   +0.09%     
==========================================
  Files          18       18              
  Lines        1874     1885      +11     
  Branches      193      193              
==========================================
+ Hits         1557     1568      +11     
  Misses        234      234              
  Partials       83       83              

Files with missing lines	Coverage Δ
synapse_token_authenticator/utils.py	90.90% <100.00%> (ø)
tests/test_sta_utils.py	98.03% <100.00%> (+0.53%)	⬆️

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8ad0e2a...d6e3415. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jason-famedly]

Apologizes for the length of time it took me to understand enough of the code base to understand what this was even for. This should be fine 🚀